Network Security Audit

Today we live in a connected world. Communication is a key requirement for all systems. Increasing integration of systems creates a compelling need for fast and reliable communication that reaches as far as the organization and its business dealings. Information systems need to reach out to users, vendors, customers and partners, irrespective of their location; everything is connected to nearly everything else.

All this brings us to the point that looking at any system as something inside one box or one enclosed space is not enough to gain assurance about its security. The reality is that nearly every computer in the world could be, and in most cases is, connected to every other computer through the Internet. The worldwide propagation of the (in)famous Nimda, Code Red and Lovebug viruses and worms is proof of this connectivity. In the absence of measures to prevent it, such connectivity can provide access or communication paths for anyone to any system. Fortunately, a plethora of technical solutions, many of which have become standards, keeps most networks and systems segregated and protected.

Therefore, let us look at how to fashion an approach to auditing networks and ensuring that they are secure. Before auditing network security, the auditor needs to obtain certain information about, and an understanding of, the network under review. This information gathering can be done in the following steps and sequence:

1. What is the network?—The first step is determining the extent of the network. This is generally done by examining the network diagram. The network diagram is basically a map that shows all the routes available on the network. The key factor that the auditor has to worry about in the diagram is its accuracy. Large networks evolve and change constantly with changing business needs, and a diagram that is not updated is useless. The IS auditor should ascertain what processes exist in the organization to update and maintain the network diagram accurately. The use of a software tool to generate this diagram ensures some degree of accuracy. In any network, there will be locations where resources are concentrated, such as a data center where ERP servers, mail servers, etc., are hosted, and many points, such as manufacturing plants and sales offices, from which these resources are accessed. While smaller networks may have only one such location, complex networks may have many hosting points where critical resources are located. The network diagram can also provide input on the types of devices and protocols used on the network. The network diagram and its details provide the most important input for the audit, and the auditor should keep referring to it throughout the audit.
2. What are the critical information assets in the network?—The fundamental principle of information security and audit is that protection is related to the risks associated with the assets, as determined by a systematic risk assessment. The auditor needs to have a good idea of the critical assets, systems and services that need to be secured. Typically, one would want to protect enterprise systems, including ERPs, mail servers and other internal applications; web servers that host applications accessed by customers and vendors; and the network and its components. In this context, the security and access mechanisms surrounding the applications and the servers (the OS and database) also need to be robust.
3. Who has access?—The next step is to determine which persons have access to the systems on the network, and how. Is the system accessed only by employees? Do customers and vendors also access the systems? Do employees access the system from outside the office? Do customers access only the web server via the Internet, or do they perform remote logins to the enterprise systems? The answers to these questions have a significant impact on security.
4. What are the connections to external networks?—Although this is actually part of step 1 and is determined by a study of the network diagram, it is an important step and should be dealt with separately. At a minimum, every network today is connected to the Internet through an Internet service provider. The primary reason for connecting to the Internet is to enable the receipt and dispatch of mail and to enable browsing by employees. Enterprises may also have other reasons to connect to the Internet, such as e-commerce web sites through which the company's vendors, customers and partners collaborate, place orders or exchange other information. Dedicated connections to the networks of partners may also exist. The gateways through which each of these connections is made are potential entry points from the external world. The auditor should at this point try to identify the demarcation between the internal network and the external network. Based on step 2, the IS auditor would already know which systems are accessed only by internal users, which are accessed from the external world or the Internet, and which are accessed only by external users. Such categorization also helps the auditor determine the effectiveness of the design of the demilitarized zone and the positioning of security products such as firewalls and intrusion detection systems. A major effort would be to secure the internal network from the external world at the gateways. This is not to say that threats come only from the outside. Threats from inside are as serious as those from outside, and the auditor needs to evaluate whether both are adequately handled. To secure systems from internal threats, all host-based security, such as application and OS-level security, needs to be evaluated.
5. What are the protection mechanisms?—Once a basic understanding of the network, the resources and the risks has been obtained, the auditor is ready to look at the protection mechanisms. The auditor can then evaluate them for effectiveness and adequacy.
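As an added example (not part of the original article or the company's own tooling), the following Python script models the audit inputs from steps 1 to 4 over a constructed network: it flags a diagram that disagrees with the host inventory, categorizes each host by who accesses it, lists the gateways from external zones, and reports zoning that contradicts the access categories. All host names, zones and links are hypothetical.

```python
from dataclasses import dataclass

EXTERNAL_PARTIES = {"customer", "vendor", "partner"}
INTERNAL_PARTIES = {"employee", "remote_employee"}


@dataclass(frozen=True)
class Host:
    name: str
    zone: str             # "external", "dmz" or "internal"
    accessed_by: frozenset  # who reaches this host (step 3)
    critical: bool = False  # critical information asset (step 2)


# Constructed sample inventory (hypothetical names, not a real network).
HOSTS = [
    Host("internet", "external", frozenset()),
    Host("partner-net", "external", frozenset()),
    Host("web-shop", "dmz", frozenset({"customer", "vendor"})),
    Host("vpn-gw", "dmz", frozenset({"remote_employee"})),
    Host("erp-app", "internal", frozenset({"employee", "remote_employee"}), True),
    Host("erp-db", "internal", frozenset({"employee"}), True),
    Host("vendor-portal", "internal", frozenset({"vendor", "employee"}), True),
    Host("legacy-print", "internal", frozenset()),
]

# Constructed links read off the network diagram (undirected edges).
LINKS = [
    ("internet", "web-shop"),
    ("internet", "vpn-gw"),
    ("partner-net", "vendor-portal"),   # partner link lands straight in internal
    ("web-shop", "erp-app"),
    ("vpn-gw", "erp-app"),
    ("erp-app", "erp-db"),
    ("vendor-portal", "erp-db"),
    ("erp-app", "old-fileserver"),      # on the diagram, absent from inventory
]


def diagram_consistency(hosts, links):
    """Step 1: names on the diagram and in the inventory must agree; any
    mismatch means one of them is stale and the audit input is unreliable."""
    names = {h.name for h in hosts}
    linked = {n for edge in links for n in edge}
    return sorted(linked - names), sorted(names - linked)


def classify_access(hosts):
    """Steps 2 and 3: bucket each of the organization's hosts by who reaches it."""
    result = {}
    for h in hosts:
        if h.zone == "external":
            continue
        ext = bool(h.accessed_by & EXTERNAL_PARTIES)
        internal = bool(h.accessed_by & INTERNAL_PARTIES)
        result[h.name] = ("mixed" if ext and internal else "external-only" if ext
                          else "internal-only" if internal else "unknown")
    return result


def external_gateways(hosts, links):
    """Step 4: links crossing from an external zone inward are entry points."""
    zone = {h.name: h.zone for h in hosts}
    gateways = []
    for a, b in links:
        za, zb = zone.get(a), zone.get(b)
        if za is None or zb is None:
            continue                      # unknown node: reported by step 1
        if (za == "external") != (zb == "external"):
            gateways.append((a, b) if za == "external" else (b, a))
    return sorted(gateways)


def zone_findings(hosts, links):
    """Does the zoning match the access categories and the gateway list?"""
    by_name = {h.name: h for h in hosts}
    findings = []
    for name, cat in classify_access(hosts).items():
        host = by_name[name]
        if cat in ("external-only", "mixed") and host.zone != "dmz":
            findings.append(f"{name}: reached by external parties but zoned '{host.zone}'")
        if cat == "internal-only" and host.critical and host.zone == "dmz":
            findings.append(f"{name}: critical internal-only asset sits in the DMZ")
        if cat == "unknown":
            findings.append(f"{name}: no recorded users; confirm the inventory is current")
    for outside, inside in external_gateways(hosts, links):
        if by_name[inside].zone == "internal":
            findings.append(f"{outside}->{inside}: external link bypasses the DMZ")
    return findings
```

Each finding maps back to the step that produced it, so the auditor can cite the diagram, the asset list or the access matrix as evidence.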