The auditor could at this point try to identify the demarcation between the internal network and the external network. Based on step 2, the IS auditor would already know which systems are accessed only by internal users, which are accessed from the external world or the Internet, and which are accessed only by external users. Such categorization would also help an auditor determine the effectiveness of the design of the demilitarized zone (DMZ) and the positioning of security products such as firewalls and intrusion detection systems. A major effort would be to secure the internal network from the external world at the gateways. This is not to say threats come only from the outside; threats from inside are as serious as those from outside, and the auditor needs to evaluate whether both are adequately handled. To secure systems from internal threats, all host-based security, such as application- and OS-level security, needs to be evaluated.
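The categorization described above can be turned into a mechanical consistency check. The following is an added example, not part of the original article: it takes a constructed system inventory (each system tagged with its network zone and the access category established in step 2) and a constructed gateway rule base, and reports where the two disagree: an internal-only system that a gateway rule exposes to the Internet, an externally accessed system sitting on the internal network rather than in the DMZ, and rules that permit traffic to hosts no longer in the inventory. Zone names, host names and rules are all assumptions made for the example.

```python
# Added example (not from the article): cross-check a system inventory
# against a gateway (firewall) rule base to verify that each system's
# actual exposure matches the access category the auditor recorded in
# step 2. All hosts, zones and rules below are constructed sample data.

from dataclasses import dataclass

# Zones treated as "outside" the demarcation line (assumed names).
EXTERNAL_ZONES = {"internet"}


@dataclass(frozen=True)
class System:
    name: str
    zone: str    # where the host physically sits: "internal" or "dmz"
    access: str  # audit category: "internal_only", "external", "external_only"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_host: str  # a system name, or "any"
    port: int
    action: str    # "allow" or "deny"


def externally_reachable(system, rules):
    """True if any allow rule lets traffic from an external zone reach this system."""
    return any(
        r.action == "allow"
        and r.src_zone in EXTERNAL_ZONES
        and r.dst_host in (system.name, "any")
        for r in rules
    )


def audit(inventory, rules):
    """Return (host, code, message) findings where exposure and category disagree."""
    findings = []
    known = {s.name for s in inventory}

    for s in inventory:
        reachable = externally_reachable(s, rules)
        external = s.access in ("external", "external_only")

        if s.access == "internal_only" and reachable:
            findings.append((s.name, "EXPOSED_INTERNAL",
                             "internal-only system is reachable from an external zone"))
        if s.access == "internal_only" and s.zone == "dmz":
            findings.append((s.name, "INTERNAL_IN_DMZ",
                             "internal-only system placed in the DMZ"))
        if external and s.zone == "internal":
            findings.append((s.name, "MISPLACED_EXTERNAL",
                             "externally accessed system sits on the internal network, not in the DMZ"))
        if external and not reachable:
            findings.append((s.name, "UNREACHABLE_EXTERNAL",
                             "externally accessed system has no permitting gateway rule; "
                             "inventory or rule base is stale"))

    # Rules that allow traffic to hosts missing from the inventory are a
    # classic sign of decommissioned systems with lingering exposure.
    for r in rules:
        if r.action == "allow" and r.dst_host != "any" and r.dst_host not in known:
            findings.append((r.dst_host, "ORPHAN_RULE",
                             f"allow rule from {r.src_zone} to unknown host on port {r.port}"))
    return findings


# Constructed sample inventory and rule base.
SAMPLE_INVENTORY = [
    System("intranet-wiki", "internal", "internal_only"),
    System("public-web", "dmz", "external"),
    System("partner-sftp", "internal", "external_only"),
    System("hr-db", "internal", "internal_only"),
]

SAMPLE_RULES = [
    Rule("internet", "public-web", 443, "allow"),
    Rule("internet", "partner-sftp", 22, "allow"),
    Rule("internet", "hr-db", 1433, "allow"),
    Rule("internet", "old-ftp", 21, "allow"),
    Rule("internal", "any", 443, "allow"),
]


if __name__ == "__main__":
    for host, code, msg in audit(SAMPLE_INVENTORY, SAMPLE_RULES):
        print(f"{code:20} {host:15} {msg}")
```

Run against the sample data, the check flags `hr-db` (internal-only but allowed from the Internet), `partner-sftp` (externally accessed but on the internal network) and the orphan rule for `old-ftp`, while `public-web` and `intranet-wiki` produce no findings. In practice the inventory comes from step 2 and the rule base from the gateway configuration export, and each finding is a point for the auditor to follow up rather than a verdict on its own.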