What are the components involved in IT Infrastructure?
IT Infrastructure includes multiple, interconnected technological components such as on-premise and outsourced hardware, software, and specialized personnel.
How do organizations manage IT Infrastructure, and what has this led to?
While some organizations manage IT Infrastructure internally, many rely on third-party IT providers. This has driven significant growth in System and Organization Controls (SOC) engagements.
What are SOC 2® engagements?
Examinations in which an independent third party evaluates and reports on a service organization's system controls.
What are the AICPA's Five Trust Services Criteria and how do they relate to SOC 2®?
Security, Availability, Processing Integrity, Confidentiality, and Privacy. These are the criteria against which a service organization's system controls are evaluated in a SOC 2® engagement.
SOC 2® engagements require auditors to:
Have an advanced understanding of information technology terminology, technical expertise in how key components of the modern IT landscape function, and specialized skills, including being conversant in a variety of operating systems, network infrastructure topologies, end-user devices, and the hardware used across all of these domains.
Computer Hardware and examples
Computer hardware includes the physical components that comprise computers, computer-related equipment, and external peripheral devices. Examples include laptops, desktops, servers, routers, and other equipment used to conduct business.
Computers and End-User Devices (EUDs) and examples
machines that directly interact with employees or consumers at the “edge” of a network. Examples include company-issued laptops, desktops, tablets, and wearables. They differ from devices used by IT staff such as servers, routers, and switches.
Internal Computer Hardware and examples
refers to components located inside a computer. Examples include microprocessors, graphics cards, sound cards, hard drives, RAM, and the motherboard.
External Computer Hardware and examples
consists of peripheral devices not integrated into the machine itself. Examples include mice, keyboards, speakers, microphones, disk drives, memory devices, network cards, and monitors. These may connect wirelessly or via wired connection.
Infrastructure Housing and examples
facilities and safeguards that house hardware, such as data centers and offices. It includes security systems, access controls, ventilation, and climate control to prevent overheating of equipment.
Network Infrastructure Hardware and examples
refers to the hardware, software, layout, and topology that enable connectivity and communication between devices on a computer network.
Network Infrastructure Hardware; traditional hardware found in most networks is as follows:
Modems
Routers
Switches
Gateways
Edge-enabled Devices
Servers
Firewalls
Firewalls
a software or hardware security device that filters network traffic using predefined rules. It prevents unauthorized access, blocks malicious programs, and restricts access to certain sites, based on company policies or security settings.
Modems
connects a network to an internet service provider's network, usually over a cable or telephone line. It converts between the signal format used on the ISP's line (analog, in the case of cable or DSL) and the digital signals used by the local network, bringing internet into a home or office.
Routers
manages network traffic by connecting devices to form a network. It reads packet headers to determine the most efficient path for data and links a modem to an organization's switches, or directly to user devices if no switches are present. The edge router's internet-facing interface holds the organization's public IP address; routers inside the network use private addresses.
Switches
connects and segments devices within a network, similar to a power strip for network connections. A basic switch forwards frames by MAC address; it does not perform functions like assigning IP addresses (that is DHCP's job), but it allows multiple devices to share a single network jack or uplink.
Gateways
a computer/device that acts as an intermediary between different networks. It converts data between different protocols (like TCP/IP) so that communication between networks is possible.
Edge-enabled Devices
perform computing, storage, and networking closer to where data originates. This reduces latency and allows faster network response times by avoiding delays from distant central systems.
Servers
physical or virtual machine that coordinates computers, programs, and networks. It responds to client requests. Types of servers include web servers, file servers, print servers, and database servers.
What are the types of Firewalls?
Packet-Filtering Firewalls: Analyze traffic packets and allow/block based on rules.
Circuit-Level Gateways: Verify the TCP handshake that sets up a session against security policy, without inspecting the packets' contents.
Application-Level Gateways: Inspect the content of packets at the application layer (resource-intensive).
Network Address Translation (NAT) Firewalls: Hide internal private addresses behind a public address and admit inbound traffic only when it matches an outbound request the firewall has already translated.
Stateful Multilayer Inspection Firewalls: Combine packet filtering with tracking of connection state (and often NAT), so each packet is judged in the context of the connection it belongs to.
Next-Gen Firewalls: Add application awareness and user identity to the rule set, applying different rules based on the application in use and the user's risk level, often with integrated intrusion prevention.
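The difference between the packet-filtering, stateful and NAT types above is easiest to see in code. The following is an added example written for this page, not material from the study set: a stateless filter that must blindly admit anything that looks like an HTTPS reply, beside a stateful firewall that records outbound connections, applies source NAT, and drops inbound packets with no matching entry. The LAN range, the public address 203.0.113.5 and the sample traffic are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "out": LAN -> internet, "in": internet -> LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True on the first packet of a TCP connection


LAN_PREFIX = "10.0.0."      # assumed internal address range
PUBLIC_IP = "203.0.113.5"   # assumed public address of the firewall (TEST-NET-3)


def stateless_allows(pkt: Packet) -> bool:
    """Packet-filtering firewall: every packet is judged on its own header.
    Policy: LAN hosts may open HTTPS connections; replies must get back in.
    Because a stateless filter has no memory, the 'reply' rule has to admit
    ANY inbound packet from source port 443 to a high port on the LAN,
    whether or not a LAN host ever talked to that sender."""
    if pkt.direction == "out":
        return pkt.src_ip.startswith(LAN_PREFIX) and pkt.dst_port == 443
    return (pkt.src_port == 443 and pkt.dst_ip.startswith(LAN_PREFIX)
            and pkt.dst_port >= 1024)


class StatefulNatFirewall:
    """Stateful inspection plus source NAT. Outbound connections are recorded
    and rewritten to the public address; an inbound packet is admitted only
    if it matches a recorded connection, and is then translated back."""

    def __init__(self, public_ip: str = PUBLIC_IP) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        # (lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.out_map: dict = {}
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.in_map: dict = {}

    def process(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet if allowed, or None if dropped."""
        if pkt.direction == "out":
            if not (pkt.src_ip.startswith(LAN_PREFIX) and pkt.dst_port == 443):
                return None
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key not in self.out_map:
                if not pkt.syn:
                    return None          # mid-stream packet of an unknown connection
                self.out_map[key] = self.next_port
                self.in_map[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
                self.next_port += 1
            return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None                  # unsolicited: no LAN host asked for this
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def scenario() -> dict:
    """Constructed sample traffic: one legitimate HTTPS session and one packet
    from an unrelated host forged to look like a reply to it."""
    lan, remote, forger = "10.0.0.7", "198.51.100.20", "198.51.100.66"
    reply = Packet("in", remote, 443, lan, 51000)
    forged = Packet("in", forger, 443, lan, 51000)
    results = {
        "stateless_allows_reply": stateless_allows(reply),
        "stateless_allows_forged": stateless_allows(forged),
    }
    fw = StatefulNatFirewall()
    out = fw.process(Packet("out", lan, 51000, remote, 443, syn=True))
    results["nat_translated_src"] = (out.src_ip, out.src_port)
    results["nat_allows_reply"] = fw.process(Packet("in", remote, 443, out.src_ip, out.src_port)) is not None
    results["nat_allows_forged"] = fw.process(Packet("in", forger, 443, out.src_ip, out.src_port)) is not None
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The stateless filter admits the forged packet because its header satisfies the reply rule; the stateful firewall drops it because no LAN host ever opened a connection to that sender, which is the practical reason a modern firewall tracks connection state rather than judging packets in isolation.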
Network Infrastructure Physical Layout (Topology)
refers to the physical arrangement of equipment or nodes in a network. It determines cable length/type, transmission rates, and node positioning based on network size, performance needs, and environment.
Most Common types of Network Topologies
Bus Topology
Mesh Topology
Ring Topology
Star Topology
Bus Topology
All nodes connect to a single central cable. If the central cable fails, the entire network goes down. Termination is required at both ends to prevent signal interference.
Mesh Topology
Each node connects to multiple other nodes, creating numerous pathways for data transmission. While this enhances traffic flow and network reliability, the extensive wiring and configuration can become complex and resource-intensive.
Ring Topology
Nodes are arranged in a circular path, and data must travel through each device between the source and destination. This structure helps minimize data collisions, but performance can slow down if data must pass through many nodes. In a unidirectional ring, data flows in only one direction, while a multidirectional ring allows data to move in both directions for greater flexibility.
Star Topology
All data passes through a central hub before reaching connected devices. This setup simplifies cable management and makes it easier to identify damaged cables. However, if the central hub encounters an issue, any devices connected to it may lose network access.
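The resilience claims made for the four topologies above can be checked by simulation. This is an added example for this page, not part of the study set: each topology is built as a small graph (the bus cable and the star hub are modelled as nodes so their failure can be simulated), one node is taken down, and the fraction of remaining endpoints that one endpoint can still reach is counted. Six endpoints and the chosen failures are constructed assumptions.

```python
from collections import deque


def build(topology: str, n: int) -> dict:
    """Directed adjacency sets for n endpoints (0..n-1). 'bus' stands for the
    shared cable of a bus network and 'hub' for the central device of a star."""
    g: dict = {}

    def link(a, b, both=True):
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set())
        if both:
            g[b].add(a)

    if topology == "bus":
        for i in range(n):
            link(i, "bus")
    elif topology == "star":
        for i in range(n):
            link(i, "hub")
    elif topology == "ring":            # unidirectional: data travels one way only
        for i in range(n):
            link(i, (i + 1) % n, both=False)
    elif topology == "dual-ring":       # multidirectional ring
        for i in range(n):
            link(i, (i + 1) % n)
    elif topology == "mesh":            # full mesh: every pair of endpoints linked
        for i in range(n):
            for j in range(i + 1, n):
                link(i, j)
    else:
        raise ValueError(f"unknown topology {topology!r}")
    return g


def reachable(g: dict, start, failed) -> set:
    """Breadth-first search that refuses to traverse the failed node."""
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in g[u]:
            if v != failed and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def connectivity_after(topology: str, n: int, failed) -> float:
    """Fraction of the surviving endpoints that one surviving endpoint can still
    reach after 'failed' (an endpoint index, 'bus' or 'hub') goes down."""
    g = build(topology, n)
    src = 1 if failed == 0 else 0
    others = [i for i in range(n) if i not in (src, failed)]
    seen = reachable(g, src, failed)
    return sum(i in seen for i in others) / len(others)


if __name__ == "__main__":
    for topo in ("bus", "star", "ring", "dual-ring", "mesh"):
        for failed in (3, "bus", "hub"):
            if failed in build(topo, 6):        # skip failures the topology lacks
                pct = connectivity_after(topo, 6, failed)
                print(f"{topo:10s} {str(failed):4s} down -> {pct:.0%} of endpoints reachable")
```

With six endpoints, losing the bus cable or the star hub isolates everyone, losing a single leaf in those topologies affects nobody else, a single failed node in a unidirectional ring leaves an endpoint able to reach only the nodes downstream of it before the break, and the dual ring and full mesh survive any single node loss intact.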
Network Infrastructure Protocols
Devices in a network communicate with other devices using protocols. A protocol defines the rules for how data is formatted, addressed, and transmitted over a given medium, whether a cable, a port, or a wireless link.
The Open Systems Interconnection (OSI) Model
The OSI model was developed by the International Organization for Standardization (ISO) to explain how network protocols work and how devices communicate. It separates networking functions into seven layers, each with a specific role in data transmission.
OSI Model Layers and Its purpose
divides network functions into seven layers, each responsible for a specific data exchange task. As data moves down the layers, encapsulation adds headers or footers. When the data reaches its destination, decapsulation removes these headers in reverse order. Each layer plays a unique role, from establishing communication to physically transmitting data.
7th layer: Application
6th layer: Presentation
5th layer: Session
4th layer: Transport
3rd layer: Network
2nd layer: Data Link
1st layer: Physical
Application (Layer 7) and common protocol
Serves as the interface between the applications a person uses and the network protocol needed to transmit a message. It does not represent the actual application being used. Common protocols at this layer include: Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Electronic Data Interchange (EDI).
Presentation (Layer 6)
Transforms data received from the Application layer into a format that other devices using the OSI model can interpret, such as standard formats for videos, images, and web pages.
Encryption also occurs at this layer.
Common formats used include:
American Standard Code for Information Interchange (ASCII), Joint Photographic Experts Group (JPEG), Moving Picture Experts Group (MPEG).
Session (Layer 5) (Think Chat-Room)
Allows sessions between communicating devices to be established and maintained.
Sessions allow networking devices to have dialogue with each other.
Common protocols at this layer are:
Structured Query Language (SQL), Remote Procedure Call (RPC), Network File System (NFS).
Transport (Layer 4)
Supports and controls the communication connections between devices.
It sets the rules for which process on a device a message is addressed to (port numbers), how much data may be in flight at once (flow control), how the data's integrity is validated (checksums), and how lost data is detected and, in TCP, retransmitted.
Common protocols include:
Transmission Control Protocol (TCP), User Datagram Protocol (UDP).
Network (Layer 3)
Adds routing and addressing headers to the data, such as source and destination IP addresses, so the message reaches the correct devices.
Error detection at this layer is limited: IPv4 carries a checksum over its own header only, and reliable delivery is left to the transport layer.
Common protocols include:
Internet Protocol (IP), Internet Protocol Security (IPSec), Network Address Translation (NAT, a translation function performed at this layer rather than a protocol in its own right), Internet Group Management Protocol (IGMP).
Data Link (Layer 2)
Data packets are formatted into frames for transmission.
The framing is determined by the hardware and networking technology, usually Ethernet.
It adds MAC addresses, which are device identifiers that act as source and destination references to deliver frames to the correct device on the local network segment.
Protocols include:
Integrated Services Digital Network (ISDN), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Address Resolution Protocol (ARP).
Physical (Layer 1)
Converts the message sent from the data link layer into bits so it can be transmitted to other physical devices.
Receives messages from other physical devices and converts those bits back to a format that can be interpreted by the data link layer.
Protocols used in this layer include:
High-Speed Serial Interface (HSSI), Synchronous Optical Networking (SONET)
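The encapsulation and decapsulation described across the OSI layers above can be made concrete with real header formats. The following is an added example for this page, not code from the study set: it wraps a payload in a UDP header (Transport), an IPv4 header with a correct checksum (Network), and an Ethernet II header (Data Link) using Python's struct module, then strips the headers in reverse order and rejects a frame whose IPv4 header has been corrupted. The addresses, ports and payload are constructed sample values.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Returns 0 when run over
    a header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_mac: str, dst_mac: str,
                src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Wrap application data going DOWN the stack: UDP -> IPv4 -> Ethernet II."""
    # Layer 4 (Transport): UDP header = src port, dst port, length, checksum.
    # A zero UDP checksum means "not computed", which IPv4 permits.
    udp_len = 8 + len(payload)
    segment = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    # Layer 3 (Network): 20-byte IPv4 header, protocol 17 = UDP, TTL 64.
    total_len = 20 + len(segment)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    packet = ip_hdr + segment
    # Layer 2 (Data Link): Ethernet II header = dst MAC, src MAC, EtherType 0x0800 (IPv4).
    eth_hdr = (bytes.fromhex(dst_mac.replace(":", ""))
               + bytes.fromhex(src_mac.replace(":", ""))
               + struct.pack("!H", 0x0800))
    return eth_hdr + packet


def decapsulate(frame: bytes) -> dict:
    """Strip headers going UP the stack in reverse order and return each layer's
    fields. Raises ValueError if a header is malformed or the checksum fails."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("bad IPv4 header length")
    ip_hdr = packet[:ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != 17:
        raise ValueError(f"not UDP: protocol {proto}")
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst), "ttl": ttl,
        "src_port": src_port, "dst_port": dst_port,
        "payload": segment[8:udp_len],
    }


def is_valid_frame(frame: bytes) -> bool:
    """True if the frame parses cleanly through all three headers."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    frame = encapsulate(b"hello", "00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "10.0.0.7", "10.0.0.1", 51000, 53)
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decapsulate(frame))
```

Each layer only reads its own header and hands the rest up, which is why a switch needs nothing beyond the Ethernet header, a router nothing beyond the IPv4 header, and only the receiving host looks at the ports and payload.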
Network Infrastructure Architecture
Refers to how an organization structures its network from a holistic design standpoint, considering factors like geographical layout, physical & logical layout, and network protocols. Networks can be wired, wireless, on-premises, or virtual.
Examples of Network Infrastructure Architecture
Local-Area Networks (LAN)
Wide-Area Networks (WAN)
Software-Defined WAN (SD-WAN)
Virtual Private Networks (VPNs)
Local-Area Networks (LAN)
Connect devices within a limited geographic area such as a home or single-location office.
Wide-Area Networks (WAN)
Provide access to larger geographic areas, such as cities, regions, or countries, by connecting LANs together. The Internet is the largest example of a WAN.
Software-Defined WAN (SD-WAN)
Improves WAN performance and manages traffic to optimize connectivity. In an SD-WAN, control and management are handled by software, separate from the underlying hardware.
Virtual Private Networks (VPNs)
Provide secure, remote access to an existing network by tunneling traffic over an encrypted connection across a public network such as the internet. A VPN is distinct from a remote desktop connection (RDC), which gives access to a single machine's desktop and is often carried over a VPN.
Software
Consists of applications, programs, or procedures that instruct a computer's operating system to execute specific tasks. It can be standalone or manage multiple applications, like operating systems.
Operating Systems (OS)
Software that manages applications, hardware, memory, processes, and user interfaces, acting as an intermediary between resources and users.
Firmware
Software embedded in hardware that instructs it on how to operate. Unlike typical application software, firmware is updated infrequently and runs directly on physical components such as motherboards and microprocessors. It still needs patching, since it runs below the operating system and outdated firmware is a common security finding.
Mobile Technology
Refers to wireless devices (laptops, tablets, phones) that connect to private networks or the internet using technologies like Wi-Fi, 4G, or 5G. Can be end-user devices (EUDs) or non-EUDs like routers and switches.
Internet of Things (IoT) devices
Devices that extend mobile technology, typically requiring Bluetooth or an internet connection to access larger networks. Examples include AI personal assistants, smartwatches, and Bluetooth devices.
Cloud Computing Models
A model that uses shared resources over the internet. Customers rent storage, processing power, or software on remote servers, reducing the need for infrastructure management, maintenance, and tech support.
For outsourcing Cloud Computing:
Cloud computing services are offered by companies with large computing infrastructure that either (1) host services themselves using purpose-built infrastructure or (2) lease out their excess computing capacity during off-peak times.
Why do cloud service providers offer distributed redundancy among many data centers?
Distributed redundancy reduces risk and improves the availability of services by spreading resources across multiple data centers, so the loss of one site does not take the service down.
Three primary cloud computing service models, in addition to a fully on-site or on-premise solution:
On-premise
IaaS
PaaS
SaaS
IaaS (Infrastructure-as-a-Service)
The CSP provides an entire virtual data center of resources. Organizations can outsource servers, storage, hardware, networking services, and components, which are generally billed on a per-use basis. The company is responsible for maintaining the virtual environment, while the CSP manages the physical infrastructure.
PaaS (Platform-as-a-Service)
The CSP provides proprietary tools/solutions remotely that are used to fulfill a specific business purpose, such as building websites or selling merchandise. The CSP maintains the back-end infrastructure and ensures the application’s uptime.
SaaS (Software-as-a-Service)
The CSP provides a business application/software that organizations use to perform specific functions. The CSP is responsible for recurring upgrades, security, and support, while customers access the service via the internet through licensing.
Four Common types of Cloud Computing Deployment Models:
Public
Private
Hybrid
Community
Cloud Computing Deployment Models - Public
Owned and managed by a CSP. The cloud services are made available to people or organizations who want to use or purchase them.
Cloud Computing Deployment Models - Private
Created for a single organization and managed by the organization or a CSP. The infrastructure can exist on or off the organization’s premises.
Cloud Computing Deployment Models - Hybrid
Made up of two or more clouds, including at least one private cloud. These remain separate but are linked to allow portability of data and applications.
Cloud Computing Deployment Models - Community
A cloud environment shared by multiple organizations to support a common interest or mission.
Cloud Service Providers (CSP)
Third parties that provide cloud services like application delivery, hosting, or monitoring. CSPs handle all hardware maintenance and tech support and often serve multiple clients using shared infrastructure (multi-tenant).
Cloud Controls Matrix
A framework designed by the Cloud Security Alliance for best practices in cloud security, data protection, and compliance. Helps evaluate CSPs, often referenced in SOC 2® reports.
Cloud Service Providers (CSPs) – Expertise and Models
CSPs often have advanced skills and experience managing cloud infrastructure and environments, and cloud computing takes advantage of this expertise. A CSP may use purpose-built infrastructure to support customers or lease excess capacity during off-peak times. Multi-tenant CSPs serve multiple cloud customers at once using shared resources and technology.
Committee of Sponsoring Organizations (COSO)
The Committee of Sponsoring Organizations of the Treadway Commission develops guidance and best practices for internal control, enterprise risk management, governance, and fraud deterrence.
How is the COSO ERM framework organized?
It categorizes methods for addressing an organization's risk into 5 components and 20 supporting principles, which are practical and customizable for organizations of any size, type, or industry.
1.) Governance and Culture:
Sets the company’s tone and reinforces oversight of risk management. Culture involves understanding risk and shaping target behaviors and values.
2.) Strategy and Objective-Setting:
Risk appetite should be defined in line with strategy during planning, and business objectives should be set so that pursuing them keeps risk within that appetite.
3.) Performance:
Organizations prioritize risks based on appetite to assess, meet, and report on business objectives. Includes identifying, assessing, and responding to risk.
4.) Review and Revision:
Involves reviewing performance over time and making necessary adjustments to functions.
5.) Information, Communication, and Reporting:
Calls for a continual process that supports sharing internal and external information across the organization.
COSO Enterprise Risk Management for Cloud Computing
Provides guidance for applying COSO to cloud computing. Organizations must integrate cloud governance into overall risk strategy and retain ownership of risk even when using CSPs.
Applying the COSO Framework to Establish Cloud Computing Governance
The COSO ERM framework can help tailor cloud solutions to an organization's risk appetite by applying the framework's eight components to establish the ideal cloud configuration.
COSO ERM Cloud – Cloud Governance Responsibilities
Management should determine how a CSP affects the organization's risk profile and performance, which responsibilities belong to the CSP, and whether the CSP's controls adequately address the risks involved.
COSO’S Supporting Principles - Governance and Culture
Exercises Board Risk Oversight
Establishes Operating Structures
Defines Desired Cultures
Demonstrates Commitment to Core Values
Attracts, Develops, and Retains Capable Individuals
COSO’S Supporting Principles - Strategy and Objective-Setting
Analyzes Business Context
Defines Risk Appetite
Evaluates Alternative Strategies
Formulates Business Objectives
COSO’S Supporting Principles - Performance
Identifies Risk
Assesses Severity of Risk
Prioritizes Risks
Implements Risk Responses
Develops Portfolio View
COSO’S Supporting Principles - Review and Revision
Assesses Substantial Change
Reviews Risk and Performance
Pursues Improvement in Enterprise Risk Management
COSO’S Supporting Principles - Information, Communication, and Reporting
Leverages Information and Technology
Communicates Risk Information
Reports on Risk, Culture, and Performance
COSO Framework Component
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
Applicability to Orgs Consideration of Cloud Computing - Internal Environment
This serves as the foundation for a company's risk appetite, helping the company understand the level at which it wants to outsource technology functions.
Applicability to Orgs Consideration of Cloud Computing - Objective-Setting
Management should understand how outsourcing technology functions will help it reach, or potentially hinder, its objectives.
Applicability to Orgs Consideration of Cloud Computing - Event Identification
Management must understand how adopting a CSP could make event identification more complex, or easier.
Applicability to Orgs Consideration of Cloud Computing - Risk Assessment
Management should understand the risks of its cloud strategy, including the impact on its risk profile, the inherent and residual risk, and the likelihood and impact of each risk.
Applicability to Orgs Consideration of Cloud Computing - Risk Response
Management should determine whether its risk response will be to avoid the risk, reduce its likelihood or impact, share the risk by transferring a portion of it to another entity, or accept the risk.
Applicability to Orgs Consideration of Cloud Computing - Control Activities
The organization should understand how traditional controls, such as detective, preventive, automated, and manual controls, as well as entity-level controls, are modified in a cloud environment.
Applicability to Orgs Consideration of Cloud Computing - Information and Communication
Management should understand how operating in the cloud will affect the timeliness, availability, and dissemination of information and communication.
Applicability to Orgs Consideration of Cloud Computing - Monitoring
Management should modify its monitoring mechanisms to accommodate new complexities introduced by adopting a cloud solution.
Cloud risks to consider when evaluating Cloud Service Providers (CSPs) and their services:
The rate of competitor adoption.
Being in the same risk ecosystem as the CSP and its other tenants.
Transparency.
Reliability and performance.
Lack of application portability (vendor lock-in).
Security and compliance.
Cyberattacks.
Data leakage.
IT organizational change.
CSP long-term viability.
COSO also recognizes
that risk increases when moving from a private deployment model to a public deployment model.
Risk also increases as the customer gives up control of the stack, that is, when moving from an IaaS model toward a SaaS model, because more of the environment is operated by the CSP.
Cloud Evaluation and Adoption
Before adopting cloud computing, companies should thoroughly understand how it aligns with their business needs and objectives. Management should evaluate potential cloud solutions to ensure they meet the organization’s security, compliance, and performance requirements.
Role of Management in Cloud Adoption
Management should lead the evaluation process by assessing risk, aligning cloud adoption with strategy, and ensuring adequate governance is in place to oversee cloud operations and service provider relationships.
Recommended Risk Responses
Risk responses may include avoiding, accepting, reducing, or sharing the risk. Organizations should implement controls, select trusted CSPs, and maintain oversight to mitigate identified risks in cloud adoption.
Key Considerations Before Cloud Adoption
Companies should consider data sensitivity, regulatory requirements, vendor reliability, and integration with existing systems when evaluating cloud options, ensuring decisions are risk-informed and support long-term goals.
Business Process-as-a-Service (BPaaS)
BPaaS providers deliver outsourced business processes via the cloud, such as revenue cycle management.
COSO ERM – Performance Component
This component emphasizes prioritizing risk based on an organization’s risk appetite while meeting business objectives. Its five principles include:
10) Identifying risk
11) Assessing severity of risk
12) Prioritizing risk
13) Implementing risk responses
14) Developing a portfolio view of risk
Event Identification – COSO ERM Application
When evaluating a CSP, management must assess how the change affects the detection of incidents. This aligns with COSO’s Event Identification concept, which involves understanding how adopting a CSP may impact threat and incident detection capabilities.
CSP Strategy and Deployment Models
A CSP should align its corporate and IT strategies to ensure strong governance. Relying on a community cloud model is not ideal for a CSP, as it shares control with other organizations; a private cloud model instead allows greater customization, control, and disaster recovery flexibility using the CSP's own skilled staff.