Security's Everyman

Friday, July 20, 2007

Out of control network

Like most IT people I've always disliked documentation. At least having to be the one to actually do the documentation. I know it's important and that it can save you and others lots of time when push comes to shove. This has hit me in the face hard since starting my new job. The company uses lots of contractors in the IT department and the network has been built and modified over the years by lots of different people. Documentation has been sporadic at best, so knowing what is going on and why can be a challenge. Almost every day someone on the team gets a "surprise". They either discover something new, different, unexpected, unexplained, or just plain unnecessary. It's almost comical at times, but when you think about it there are potentially serious ramifications: a host, service or path through the network that nobody knows about is one that nobody is patching, monitoring or defending.

This has made my job quite a challenge. It's hard to design a security program when the environment isn't well understood by those who have been there for a while, and especially when I'm still learning new things about it. The good news is that we have management's blessing and their understanding of how things are and how they need to change. We also have a good team assembled to make this work. I'm amazed at the level of knowledge and understanding that the guys I work with have. They are much smarter than most of the guys I've worked with in the past. These guys are passionate about what they do and they don't like doing shoddy work.

All that said, the real purpose of this post is to emphasize the importance of documenting and understanding your network. Not only is it good for day-to-day understanding of what you have and how it works, it will also come in handy in troubleshooting, DR situations, personnel changes and compliance audits. Many of the regulations that most of us have to comply with require you to have a well-documented environment.

Technology will help you in your information security endeavors, but it has to be complemented with documentation, policies, procedures and a well-designed User Awareness program. Most of us focus on the technology part, but if we want to expand our horizons and ensure that our environments are as secure as they can be, it is a good idea to get familiar with the other areas.

  • Look over your documentation and update it. This needs to be done at least yearly, and especially any time you introduce a change in the environment. If nobody is checking the documentation against what is actually on the wire, the "surprises" will keep coming.
  • Read your policies. Ask questions if you don't understand something or if you think something is incorrect. Remember, if your policy says you do it, you had better do it and be able to prove that you do. The auditors will want to see the checklist, the archived logs, etc. Don't be afraid to bring up inconsistencies to management and to make suggestions.
  • Review the procedures and guidelines that are published within your company. Again, many regulations require you to have written procedures for how you deploy systems, how you handle new users and how you handle users who leave. They want to know that you know what is going on, and again, if your procedures say that you do something, they will want to see proof that you do it.
  • Sit in on a User Awareness (UA) session or ask to see the material that is used. Make suggestions on ways to make it better and more understandable for the average user. Suggest new things that could be done to make the information easier to retain. People learn in different ways, and maybe you have an idea on how to present something in a different format. You may even have the talent to make it happen. You could help put together podcasts, videos, RSS feeds, email blasts, or whatever sounds good and works.
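One way to turn the first item above into something that runs every day rather than once a year is to diff the documented inventory against what a scan actually finds. The following is an added example, not code from the original post; the CSV inventory and the observed host/port list are constructed for illustration and the column names are assumptions about how such a spreadsheet might be laid out.

```python
"""Inventory drift check: compare the documented network inventory with what
was actually observed and report the "surprises" (added example, constructed data)."""
import csv
import io

# Constructed "documented" inventory, as a CSV export of the network
# spreadsheet: one row per host with owner and the services it should expose.
DOCUMENTED_CSV = """\
ip,hostname,owner,services
10.0.1.10,dc01,infra,53/tcp;88/tcp;389/tcp;445/tcp
10.0.1.20,web01,appteam,80/tcp;443/tcp
10.0.1.30,db01,dba,1433/tcp
10.0.1.40,jump01,infra,22/tcp
"""

# Constructed observation in the shape of a port-scan summary, "ip port/proto"
# per line: db01 exposes an extra service, jump01 was not reachable, and
# 10.0.1.99 appears in no documentation at all.
OBSERVED_LINES = """\
10.0.1.10 53/tcp
10.0.1.10 88/tcp
10.0.1.10 389/tcp
10.0.1.10 445/tcp
10.0.1.20 80/tcp
10.0.1.20 443/tcp
10.0.1.30 1433/tcp
10.0.1.30 3389/tcp
10.0.1.99 23/tcp
10.0.1.99 80/tcp
"""


def load_documented(csv_text):
    """Return {ip: {"hostname", "owner", "services": set()}} from the CSV."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        services = {s.strip() for s in row["services"].split(";") if s.strip()}
        hosts[row["ip"]] = {"hostname": row["hostname"],
                            "owner": row["owner"],
                            "services": services}
    return hosts


def load_observed(lines_text):
    """Return {ip: set("port/proto")} from "ip port/proto" lines."""
    observed = {}
    for line in lines_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, service = line.split()
        observed.setdefault(ip, set()).add(service)
    return observed


def find_drift(documented, observed):
    """Return the four kinds of discrepancy that should trigger either a
    documentation update or an investigation."""
    drift = {"undocumented_hosts": {},     # on the wire, nowhere in the docs
             "missing_hosts": [],          # documented but not seen
             "undocumented_services": {},  # extra open ports on known hosts
             "missing_services": {}}       # documented ports that were closed
    for ip, services in observed.items():
        if ip not in documented:
            drift["undocumented_hosts"][ip] = sorted(services)
            continue
        extra = services - documented[ip]["services"]
        if extra:
            drift["undocumented_services"][ip] = sorted(extra)
    for ip, info in documented.items():
        if ip not in observed:
            drift["missing_hosts"].append(ip)
            continue
        gone = info["services"] - observed[ip]
        if gone:
            drift["missing_services"][ip] = sorted(gone)
    drift["missing_hosts"].sort()
    return drift


def report(drift, documented):
    """Render the drift as plain-text lines for a daily e-mail or ticket."""
    lines = []
    for ip, svcs in drift["undocumented_hosts"].items():
        lines.append(f"UNDOCUMENTED HOST {ip}: open {', '.join(svcs)}")
    for ip in drift["missing_hosts"]:
        h = documented[ip]
        lines.append(f"MISSING HOST {ip} ({h['hostname']}, owner {h['owner']})")
    for key, label in (("undocumented_services", "UNDOCUMENTED SERVICE"),
                       ("missing_services", "MISSING SERVICE")):
        for ip, svcs in drift[key].items():
            name = documented[ip]["hostname"]
            lines.append(f"{label} on {ip} ({name}): {', '.join(svcs)}")
    return lines


if __name__ == "__main__":
    doc = load_documented(DOCUMENTED_CSV)
    for line in report(find_drift(doc, load_observed(OBSERVED_LINES)), doc):
        print(line)
```

Each line of the report maps to a concrete action: an undocumented host needs an owner before anything else, an undocumented service is either a change that never made it into the documentation or something that should not be there, and a missing host is either decommissioned (update the inventory) or down (somebody should know). Feeding real scan output into `load_observed` is a matter of adapting the one-line-per-port parser to the scanner's actual format.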
As I've said before, security goes beyond the server room. It requires that the IT and IS groups work together along with management, HR, training and even the end users. We have the knowledge and skills to really make a difference beyond the technology side of things. We just have to get out there and make it happen. I don't think you will regret making the effort.


Rebecca said...

Great points and reminder about the importance of documentation, Andy.

It is also important for organizations to know that when regulatory audits are performed, their documentation will be scrutinized, so it needs to be accurate and up-to-date.

I've done a lot of work helping companies with documenting their policies and procedures. Something that makes documentation clearer and better is putting flowcharts into the procedures documents. I really like how flowcharts clarify the steps and decisions, but it seems too few organizations use them any more compared to a decade ago.


Nick said...

I actually did a post recently about documenting our employee on-boarding processes... with flow-charts included. I've been working across HR, IT, and the department leads because our recent growth has resulted in quite a jumble of who does what, when, and how (or doesn't do). It's linked here.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.