As auditors, we presume that no data produced on a computer is 100 percent secure, regardless of whether the computer is a stand-alone device or connected to a local area network (LAN) or a wide area network (WAN). Organizations develop and implement controls based on regulations and best security practices. Security is implemented throughout an organization’s enterprise, from the host on which the user works to each device that data traverses or on which it is stored. Here’s an example of a basic enterprise and the security controls that may be implemented. Remember that controls can be physical devices, logical devices, software, or encryption.
- Host. A host is a computer, tablet, or other device that a user interfaces with to perform a function. The device you’re reading this on is a host. The security controls that could be implemented on a host include a host-based intrusion detection system (HIDS), a host-based intrusion prevention system (HIPS), a software firewall, and antivirus protection. Policy controls implemented on a host include role-based access control (RBAC), discretionary access control (DAC), mandatory access control (MAC), login requirements, lockout settings, and others that restrict what a user can and can’t do while logged in to a host, together with software that manages (allows and denies) those policies electronically (ePO).
- Local area network. Think of a LAN as an internal network used by an organization that allows users to execute functions using various applications and storage while retaining the ability to connect to other organizations over the Internet or through virtual private networks (VPNs). A host connects to a switch, and the switch forwards data to a router, which either delivers it to systems on the LAN or passes it to another router to exchange data with another LAN or a WAN. The devices that make up a LAN and a WAN are similar, but a WAN is built on a much larger scale. As stated, a network contains many devices: servers, switches, routers, storage, Call Managers (for VoIP communications), firewalls, Web content filters, security appliances that manage network intrusion detection systems (NIDS) and network intrusion prevention systems (NIPS), and other unique systems.
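The host bullet above names four policy controls (MAC, DAC, RBAC and lockout settings) without showing how each one reaches an allow/deny decision. The following is an added example, not code from the text or from any product it names; it implements a deliberately simplified decision function for each model so an auditor can see what evidence each control is supposed to produce. All subjects, objects, labels, roles and thresholds are constructed sample data, and the lockout class is a hypothetical illustration of a threshold-and-duration policy, not any vendor's implementation.

```python
"""Simplified models of MAC, DAC, RBAC and account lockout (constructed example)."""
from dataclasses import dataclass, field

# --- MAC: sensitivity labels are assigned by the system, not the user.
# A subject may read an object only if its clearance dominates the object's label
# (the "no read up" rule). Levels below are constructed sample data.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_can_read(subject_clearance: str, object_label: str) -> bool:
    """True if the subject's clearance is at least the object's sensitivity."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# --- DAC: the object's owner decides who else gets access, via an ACL on the object.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, granting_user: str, user: str, perm: str) -> None:
        """Only the owner may change the ACL; anyone else is refused."""
        if granting_user != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(user, set()).add(perm)


def dac_allowed(obj: DacObject, user: str, perm: str) -> bool:
    """The owner always has access; others need an explicit ACL entry."""
    return user == obj.owner or perm in obj.acl.get(user, set())


# --- RBAC: permissions attach to roles; users are assigned roles, never permissions directly.
ROLE_PERMS = {  # constructed sample roles
    "auditor": {"read_logs"},
    "sysadmin": {"read_logs", "modify_config", "create_user"},
    "technician": {"reset_password"},
}
USER_ROLES = {  # constructed sample assignments
    "alice": {"auditor"},
    "bob": {"sysadmin"},
    "carol": {"technician", "auditor"},
}


def rbac_allowed(user: str, perm: str) -> bool:
    """True if any role held by the user carries the permission."""
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))


# --- Lockout settings: N failed logins lock the account for a fixed period.
class LockoutPolicy:
    """Hypothetical threshold/duration lockout; timestamps are plain seconds."""

    def __init__(self, threshold: int = 5, lockout_seconds: int = 900):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self._failures: dict[str, list[float]] = {}
        self._locked_until: dict[str, float] = {}

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed login; return True if this failure locks the account."""
        fails = self._failures.setdefault(user, [])
        fails.append(now)
        if len(fails) >= self.threshold:
            self._locked_until[user] = now + self.lockout_seconds
            fails.clear()  # counter restarts after the lockout expires
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure counter."""
        self._failures.pop(user, None)

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0.0)


if __name__ == "__main__":
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    print("MAC  confidential reads internal:", mac_can_read("confidential", "internal"))
    print("DAC  bob reads alice's report   :", dac_allowed(report, "bob", "read"))
    print("RBAC carol resets passwords     :", rbac_allowed("carol", "reset_password"))
    policy = LockoutPolicy(threshold=3, lockout_seconds=900)
    for t in (0, 1, 2):
        policy.record_failure("dave", t)
    print("Lockout dave locked at t=3      :", policy.is_locked("dave", 3))
```

The point for an audit is the shape of each decision: MAC compares labels the user cannot change, DAC consults an ACL the owner controls, RBAC never grants a permission except through a role, and lockout is a counter with a threshold and a duration. Each of those is a setting an auditor can request and compare against policy.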
Service-Level Agreements (SLA)
Often, as a cost-saving measure, services such as security, Web content filtering, storage, IP telephony, software licensing (SaaS), and others are outsourced to a third-party vendor. The organization and the vendor agree on the expected requirements and document them in the contract.
These requirements are known as service-level agreements (SLAs). At no point does an organization relieve itself of regulatory requirements for data protection by contracting the work out to a third-party or external organization. Regulatory controls must be incorporated into the SLAs and audited by the company contracting out the services to ensure compliance. Repercussions for failure to meet SLA requirements should also be included in the SLA.
Tidewater LLC is an organization that produces and sells apparel for men, women, and children online. The company has grown 70 percent over the past two years and is building a new 2000-square-foot facility to support the continued growth. Various third-party vendors provide all of its IT services except website maintenance, which is managed by an internal CIO and a Web developer.
Because of the growth, the leadership within the organization has been unable to validate compliance with the SLAs and feels that the vendors do not have the best interests of Tidewater LLC in mind.
Tidewater LLC is in the process of bringing all IT services back in-house into the server facility housed in its new space. Tidewater LLC wishes to establish and staff an IT department with a system administrator, a network administrator, two general technicians, a cybersecurity specialist, and a full-time systems auditor.
The new space is an open office with an adjacent server room. Hardware supporting the organization’s IT services includes 100 staff desktop computers; network switches; routers; a firewall; a McAfee Security Appliance to provide intrusion detection, intrusion prevention, and antivirus protection; network attached storage (NAS) giving users a home drive as well as a shared network drive for collaboration and sharing; an IIS server for website management; and a call manager for VoIP. Wi-Fi access points will be added as the network installation progresses. E-mail will be managed by an Exchange server. The only outsourced service is a 100 Mbps connection for Internet access and for VPNs between the organization and its suppliers.