CHAPTER TWENTY-EIGHT

Applied Information Technology Security

THIS CHAPTER looks at the application of Information Technology (IT) security including communications and network security. The principles of network security, client-server, Internet and web-based services, and firewall security systems are all detailed together with connectivity protection resources such as cryptography, digital signatures, digital certificates, and key management policies. IT security also encompasses the use of intrusion-detection systems and the proper implementation of mainframe security facilities.

COMMUNICATIONS AND NETWORK SECURITY

In considering how network security should be implemented, one of the most difficult areas to establish is exactly where the network starts and ends. For many organizations, this is where primary security is established with a “peripheral” defense. In the same manner as a peripheral defense of a physical building, network peripheral defenses work on the basis of having a limited number of entry points, each securely guarded. Unfortunately, not all networks work in the same manner, and most have considerably more entry points than a normal building. In addition, this form of defense suffers from the same deficiencies as a peripheral defense around a building: once inside the building, the intruder is assumed to have a right to be there and, in many cases, no further security checks are done. Another parallel can be found between the security checkpoint ...

Source: Auditor's Guide to IT Auditing, Second Edition (O’Reilly learning platform).
