Compiling the Needed Documentation

With knowledge of the organization's critical systems, you can now turn your attention to directing the team to draw up lists of required documents for review. Several standards clearly define and delineate required security policies. These include ISO 17799, NIST 800-26, and the NSA IAM. Our favorite of the three is the NSA IAM. The NSA revised this list in 2003 to closely match NIST documentation. Unlike the NIST standards, which separate policies into 17 classes of information, the NSA has expanded this to 18. These are divided into the same three categories as used by NIST: management, technical, and operational. All 18 categories are shown in Table 5.1.

Table 5.1. Documentation Classes and Categories




INFOSEC documentation

Identification and authentication

Media controls

INFOSEC roles and responsibilities


Account management

Contingency planning

Session controls

Physical environment

Configuration management


Personal security

Malicious code protection

Education training and awareness


System assurance

Networking connectivity

Communications security

This doesn't mean that all the policies you will want to review will fit into one of these 18 categories, but don't be surprised to find out how well these 18 work in most cases. Although we will spend a considerable amount of time discussing these categories of policies in Chapter 7, "Performing the Assessment," there are a few things worth mentioning here, such as policy documents that can be broadly divided into the following three:

  • Advisory The job of an advisory policy is to assure that employees know the consequences of certain behavior and actions. A sample advisory policy follows:

    Illegal copyingEmployees should never download or install any commercial software, shareware, or freeware onto any network drives or disks, unless they have written permission from the Network Administrator. BE PREPARED to be held accountable for your actions including: the loss of network privileges, written reprimand, probation, or employment termination if the Rules of Appropriate Use are violated.

  • Informative This type of policy isn't designed with enforcement in mind; it is developed for education. Its goal is to inform and enlighten employees. A sample informative policy follows:

    In partnership with the Product Management Team, Instructor Resources job is to serve as advocates for all Security Evolution instructors, providing superior service in recruitment and career development, scheduling services, and fulfillment of administrative needs for our instructors.

  • Regulatory These policies are used to make certain the organization complies with local, state, provincial, and federal laws. A sample regulatory policy might state the following:

    Because of recent changes to Virginia state law, the company will now retain records of employee inventions and patents for 10 years; all email messages and any backup of such email associated with patents and inventions will be stored for one year.

Because of potential regulatory requirements, you will also want to review any applicable state, provincial, and federal laws affecting your organization. You will want to make sure that the organization's policies meet these requirements; if not, this will need to be noted.

You will also want to gather all infrastructure documentation. If diagrams don't exist, you have two options: You can ask that they be created or you can provide assistance to get it done. Keep in mind that there are two types of system diagrams needed:

  • Logical diagrams From the owners' and users' perspective, these depict the system(s) of information utilization and data flow.
  • Physical diagrams Depict the system(s) from the physical component perspective of connectivity and interfaces.

Now you may be wondering how you are going to keep track of all these incoming documents. The best way is to develop a system to track the following:

  • Date requested
  • Date reviewed
  • Date returned/disposed

It is best to appoint one person to collect and distribute all policies and documents requested. A simple form as shown in Table 5.2 can make your life much easier.

Table 5.2. Document Control Form


Date Requested

Date Received


Date Destroyed, Archived, or Returned

Password Policy



David Kim

Returned 11/2/2005

Acceptable Use Policy



Guy Bruneau

In use

Introduction to Assessing Network Vulnerabilities

Foundations and Principles of Security

Why Risk Assessment

Risk-Assessment Methodologies

Scoping the Project

Understanding the Attacker

Performing the Assessment

Tools Used for Assessments and Evaluations

Preparing the Final Report

Post-Assessment Activities

Appendix A. Security Assessment Resources

Appendix B. Security Assessment Forms

Appendix C. Security Assessment Sample Report

Appendix D. Dealing with Consultants and Outside Vendors

Appendix E. SIRT Team Report Format Template

Inside Network Security Assessment. Guarding your IT Infrastructure
Inside Network Security Assessment: Guarding Your IT Infrastructure
ISBN: 0672328097
EAN: 2147483647
Year: 2003
Pages: 138 © 2008-2020.
If you may any questions please contact us: