Infrastructure components, virtualization, and cloud models in ISC.
This chapter covers the infrastructure components that support modern information systems. The key is to understand enough about the environment to judge control implications, operational risk, and reliability of system output.
Infrastructure questions ask what the architecture implies for access, processing, availability, logging, and responsibility. Hardware, operating systems, virtualization, and cloud models each move the control boundary in different ways.
| Infrastructure layer | Control implication | Common ISC trap |
|---|---|---|
| Hardware and networks | Physical security, connectivity, redundancy, and device control affect availability and integrity. | Treating endpoint, server, and network controls as interchangeable. |
| Operating system | User privileges, patching, logging, and resource management support application reliability. | Looking only at the application while ignoring the platform it depends on. |
| Virtualization | Multiple logical systems may share physical resources and administrative layers. | Missing hypervisor or host-level risks. |
| Cloud model | IaaS, PaaS, and SaaS allocate control responsibilities differently. | Assuming the provider owns every control because the system is cloud-based. |
| Step | What to identify | Control implication |
|---|---|---|
| Locate the system boundary | On-premises, hosted, cloud, hybrid, or outsourced components. | Boundary clarity determines who owns each control. |
| Identify critical dependencies | Network, server, database, identity, endpoint, and service-provider dependencies. | Dependencies affect availability and reliability of system output. |
| Evaluate access layers | Physical access, operating-system access, administrator rights, and remote access. | Infrastructure access can bypass application controls. |
| Check resilience controls | Backups, redundancy, monitoring, patching, and recovery procedures. | Availability assertions depend on tested infrastructure controls. |
| Match cloud responsibility | IaaS, PaaS, SaaS, and deployment model responsibilities. | Shared responsibility must be mapped before evaluating control gaps. |
| Checkpoint | What to test | Common assurance effect |
|---|---|---|
| Identity and privileged access | Administrator accounts, service accounts, remote access, and authentication controls. | Weak privileged access can override otherwise strong application controls. |
| Network segmentation | Firewalls, routing, wireless access, VPNs, and separation of sensitive environments. | Poor segmentation can expand the effect of one compromised component. |
| Patch and configuration management | Operating-system versions, hardening baselines, vulnerability remediation, and change approvals. | Unmanaged infrastructure changes increase processing and availability risk. |
| Backup and recovery evidence | Backup frequency, restoration testing, retention, and offsite or immutable copies. | A backup plan is weak evidence without restoration testing. |
| Service-provider reliance | Contract terms, SOC reports, complementary user controls, and incident communication. | Outsourcing shifts some work but does not remove management’s control responsibility. |