NETWORK VULNERABILITIES || AUDIT PLANNING || PREPARATION

NETWORK VULNERABILITIES


Interception : Data that is being transmitted over the network is vulnerable to being intercepted by an unintended third party who could put the data to harmful use.

Availability : Networks have become wide-spanning, crossing hundreds or thousands of miles, and many people rely on them to access company information, so lost connectivity could cause business interruption.

Access/Entry Point : Networks are vulnerable to unwanted access. A weak point in the network can make company information available to intruders. It can also provide an entry point for viruses and Trojan horses.




Controls

1)  Interception Controls : Interception can be partially deterred by physical access controls at data centers and offices, including where communication links terminate and where the network wiring and distributions are located. Encryption also helps to secure wireless networks.

2)  Availability Controls : The best control for this is to have excellent network architecture and monitoring. The network should have redundant paths between every resource and an access point and automatic routing to switch the traffic to the available path without loss of data or time.

3)  Access/Entry Point Controls : Most network controls are put at the point where the network connects with an external network. These controls limit the traffic that passes through the network. These can include firewalls, intrusion detection systems, and antivirus software.
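
The redundant-path requirement in the availability control (item 2) can be checked directly against a network diagram. The following is an added example, not part of the original page: the topology, device names and the choice of `edge-rtr` as the access point are constructed for illustration, and it tests path redundancy only, not whether routing actually fails over automatically.

```python
from collections import deque

# Constructed sample network diagram (not from the original page): one tuple per link.
LINKS = [
    ("edge-rtr", "core-sw1"), ("edge-rtr", "core-sw2"), ("core-sw1", "core-sw2"),
    ("mail-srv", "core-sw1"), ("mail-srv", "core-sw2"),   # dual-homed server
    ("web-srv", "core-sw1"),                               # single uplink
    ("erp-srv", "dist-sw1"), ("erp-srv", "dist-sw2"),      # two access switches...
    ("dist-sw1", "core-sw1"), ("dist-sw2", "core-sw1"),    # ...that share one core switch
]
ACCESS_POINT = "edge-rtr"                       # assumed external connection point
RESOURCES = ["mail-srv", "web-srv", "erp-srv"]  # assumed critical systems


def reachable(links, src, dst, down_device=None):
    """Breadth-first search from src to dst, ignoring links that touch down_device."""
    adj = {}
    for a, b in links:
        if down_device in (a, b):
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(links, resource, access_point):
    """List every link or device whose loss alone cuts resource off from access_point."""
    found = [l for l in links
             if not reachable([k for k in links if k != l], resource, access_point)]
    devices = {n for link in links for n in link} - {resource, access_point}
    found += [d for d in sorted(devices)
              if not reachable(links, resource, access_point, down_device=d)]
    return found


def audit(links=LINKS, resources=RESOURCES, access_point=ACCESS_POINT):
    """Map each resource to its single points of failure (empty list = redundant)."""
    return {r: single_points_of_failure(links, r, access_point) for r in resources}


if __name__ == "__main__":
    for name, spof in audit().items():
        print(name, "OK" if not spof else f"single points of failure: {spof}")
```

In the sample, `erp-srv` survives any single link failure yet still depends on one core switch, which is the kind of gap a link-only review of the diagram would miss.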


The auditors should ask certain questions to better understand the network and its vulnerabilities. The auditor should first assess what the extent of the network is and how it is structured. A network diagram can assist the auditor in this process. The next question an auditor should ask is what critical information this network must protect. Things such as enterprise systems, mail servers, web servers, and host applications accessed by customers are typically areas of focus. It is also important to know who has access and to what parts. Do customers and vendors have access to systems on the network? Can employees access information from home? Lastly, the auditor should assess how the network is connected to external networks and how it is protected. Most networks are at least connected to the internet, which could be a point of vulnerability. These are critical questions in protecting the network.


AUDIT PLANNING & PREPARATION


The auditor should be adequately educated about the company and its critical business activities before conducting a data center review. The objective of the data center is to align data center activities with the goals of the business while maintaining the security and integrity of critical information and processes. To adequately determine whether or not the client's goal is being achieved, the auditor should perform the following before conducting the review:




  • Meet with IT management to determine possible areas of concern
  • Review the current IT organization chart
  • Review job descriptions of data center employees
  • Research all operating systems, software applications and data center equipment operating within the data center
  • Review the company's IT policies and procedures
  • Evaluate the company's IT budget and systems planning documentation
  • Review the data center's disaster recovery plan.

