Page 740 - StudyBook.pdf
P. 740

724    Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery

             ticular problem. Finally, the document should provide a step-by-step list of instruc-
             tions on how to perform a task or fix a problem.Without these attributes, the pro-
             cedures may be less than useful to anyone using the document.

             Systems Architecture

             Documentation about a system’s architecture should be created to provide informa-
             tion on the system, its layout and design, and any of the subsystems used to create
             it.This is important because it provides a reference that can be used in the future
             when problems occur and/or changes are made. Even if the administrator has a
             secure knowledge of these factors, it is still important to document the system’s
             architecture.
                 Documentation dealing with systems architecture should include a variety of
             components such as an overview and specifications of software, hardware, protocols,
             and any other technologies that make up the system. It should also provide dia-
             grams of the network, and components that make up the design.This should
             include information about routers, servers, and security measures (such as firewalls)
             that have been implemented.


           Damage & Defense…  the company’s IT staff, you should only provide minimal information.
                External Architecture Documentation
                When creating systems architecture documentation for parties outside of

                Users of an outside organization do not need to see the technical speci-
                fications of a network or other system in an organization, as it would be
                confusing and a potential major security risk. If third parties require secu-
                rity architecture documentation for work they are performing, or
                approval for some other purpose (such as certification), they should only
                be issued the information they require. System architecture documenta-
                tion can provide sensitive information about network specifications and
                topology, which can be used to exploit a network if it falls into the wrong
                hands. Sanitizing system architecture documentation before releasing it
                to certain parties helps avoid this information from becoming a tool for
                hackers.


                 Documentation should include data that was gathered when inventorying indi-
             vidual components of a network (discussed later in this chapter), as well as how
             every server, router, and major component of a network is configured. Such docu-
             mentation makes management of a system easier, and is vital to restoring the system
             to a previous state after a disaster occurs (also discussed later in this chapter).




          www.syngress.com
   735   736   737   738   739   740   741   742   743   744   745