Section: Protection of Information Assets
Explanation:
An application-level gateway is the best way to protect against hacking because it can define with detail
rules that describe the type of user or connection that is or is not permitted, it analyzes in detail each
package, not only in layers one through four of the OSI model but also layers five through seven, which
means that it reviews the commands of each higher-level protocol (HTTP, FTP, SNMP, etc.). For a remote
access server, there is a device (server) that asks for a username and password before entering the
network. This is good when accessing private networks, but it can be mapped or scanned from the Internet
creating security exposure. Proxy servers can provide protection based on the IP address and ports.
However, an individual is needed who really knows how to do this, and applications can use different ports
for the different sections of the program. Port scanning works when there is a very specific task to
complete, but not when trying to control what comes from the Internet, or when all the ports available need
to be controlled. For example, the port for Ping (echo request) could be blocked and the IP addresses
would be available for the application and browsing, but would not respond to Ping.

Explanation/Reference:
Explanation:
From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements. Minimizing costs, if applicable and achievable (depending on the customer's need) is traditionally not part of an IS auditor's job. This would normally be done by a line management function within the IT department.
Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements.
Subcontracting providers could be a concern, but it would not be the primary concern. Transferring knowledge to the internal IT department might be desirable under certain circumstances, but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof.

Explanation/Reference:
Explanation:
When auditing third-party service providers, an auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster.

Section: Information System Acquisition, Development and Implementation

Section: Governance and Management of IT