The confidentiality integrity and availability of

Info icon This preview shows pages 10–12. Sign up to view the full content.

View Full Document Right Arrow Icon
The confidentiality, integrity, and availability of data may be compromised by ineffective controls (physical, logical, operational). Disaster recovery and business continuity planning may be inadequate to ensure prompt and appropriate crisis response. B. Based on the information obtained during the information systems overview, evaluate whether any operations should be evaluated further via detailed testing. For example, the following testing should be considered: Firewalls and Border Routers 1. Test analog line use. a.If possible, and with IT’s cooperation, war dial the campus phone exchange and gather the analog lines and results of which ones have fax/modems attached. b.Compare this with the inventory list IT maintains. 2. Uniform resource locator ( URL) filtering Page 10 of 13
Image of page 10

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
UC Core Audit Program Audit Program and Internal Control Questionnaire Network Management a.If a URL filtering server is used, ensure that it is appropriately defined in the firewall software. If the filtering server is external to the organization, ensure that it is a trusted source. b.If the URL is from a file, ensure that there is adequate protection for this file to ensure no unauthorized modifications. 3. Ensure that logging is enabled, the logs are saved preventing any gaps, and the logs are regularly reviewed to identify any potential patterns that could indicate an attack. 4. Ensure that the latest patches and updates relating to your firewall are tested and installed. If patches and updates are automatically downloaded from the vendors’ websites, ensure that the update is received from a trusted site. In the event that patches and updates are e-mailed to the systems administrator, ensure that digital signatures are used to verify the vendor and ensure that the information has not been modified en-route. 5. Review the configuration of the demilitarized zone (DMZ). Examine configuration of the external and internal firewalls, and determine if proper inbound and outbound traffic to the DMZ is properly filtered. 6. Review the servers placed in the DMZ. Are any web or file transfer protocol (FTP) servers inside the trusted portion of the network? Determine the need for this. 7. Review firewall hardware/software/configuration change control procedures. Ensure testing is thorough enough to prevent failure of the firewall. 8. Ensure that the following spoofed, private (request for comments [RFC] 1918) and illegal addresses are blocked: a.Standard unroutables i. 255.255.255.255 ii. 127.0.0.0 b.Private (RFC 1918) addresses i. 10.0.0.0 – 10.255.255.255 ii. 172.16.0.0 – 172.31.255.255 c.- 192.168.255.255 d. Reserved addresses i. 240.0.0.0 e.Illegal addresses i. 0.0.0.0 ii. iii. User datagram protocol (UDP) echo iv. Internet control message protocol ( ICMP) broadcast (RFC 2644) f. Ensure that traffic from the above addresses is not transmitted by the interface. 9. Review open ports. Ports should be blocked unless there is a documented exception (policy, approved exception document). Determine if open ports are reasonable based on policy and common vulnerabilities. Determine if port blocking differs from inbound to outbound traffic. Review exceptions. Ensure traffic to/from blocked ports is logged and passed to the intrusion detection system ( IDS) if appropriate.
Image of page 11
Image of page 12
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern