Welcome once again to the risk rack. This time on the risk rack we will be reviewing how to assess your organization’s network perimeter. The assessment of a network perimeter has six major steps:
- Define the functions and purposes of your network perimeter.
- Assess the technology used along the perimeter of your network.
- Assess the Processes used to support your network perimeter.
- Assess the People that support your network perimeter.
- Review all the information gathered in steps 1-4 and establish conclusions and findings.
- Report conclusions and findings and determine action plans.
In Part I of “Assessing Your Perimeter” we will review tips and tricks for step 1, defining your perimeter’s functions and purposes. Clearly an assessment cannot begin without first understanding what you are assessing, but more often than not this step is taken for granted, hurried through, done poorly, or not done at all. If you are serious about doing an effective network perimeter assessment you must do this step carefully and thoroughly.
The first place to start is to make sure the stakeholders and the assessment team share a common definition of the term network perimeter. Although this may seem like a trivial exercise at first, once you truly start comparing notes with others you will quickly realize that very few people define the perimeter in the same way. Some of the more common definitions include the following:
- A network perimeter is the boundary between the locally managed-and-owned side of a network and the non-locally managed side.
- A network perimeter is the boundary between the private, locally managed-and-owned side of a network and the public-facing, vendor-facing, and contractor-facing segments.
- A network perimeter is the boundary between the side of the network that a Business Unit manages and owns and anything outside that boundary, including other areas of your organization as well as public-facing, vendor-facing, and contractor-facing segments.
Any of these three definitions can be used, or you can come up with one that fits your organization’s own vision of a network perimeter. Whichever you choose, write it down and get the stakeholders to agree to it, because the scope of every later step depends on it.
Once you have established what the term perimeter means in your environment, you must then determine the function and purpose of the perimeter. Every network perimeter supports a number of functions; in this column I will attempt to give you a good list of the potential ones, and when performing this step yourself feel free to augment the list as needed. In this step we do not care what technology is used to meet a need, only that there is one. Although every organization is different, a good way to gather this information is to start by touching base with the business liaisons in your organization and the technical team that supports networking.
The purpose and function of your network perimeter is to support at least some of the following needs:
- Protect the internal data on the network.
- Ensure that nothing outside the perimeter interferes with the availability of the internal network.
- Provide IP telephony services.
- Provide electronic mail capabilities.
- Provide file transfer capabilities.
- Allow private business-to-business communication.
- Allow customers and consumers to view marketing material regarding your organization.
- Allow employees, vendors, contractors, consultants, customers, and/or consumers to access the public internet from your network using a web browser.
- Allow employees, vendors, contractors, consultants, customers, and/or consumers to access the public internet from your network using a client application other than a web browser.
- Provide remote access to your network for vendors, contractors, consultants, customers, and/or consumers.
- Provide that remote access to vendors, contractors, consultants, customers, and/or consumers over a secure channel.
Using this list as the starting point, create a spreadsheet with these needs in the first column (feel free to split out needs 8, 9, 10 and 11 by audience, since each of them serves several). The second column should hold a brief description of the need, the third the business owner (department name), the fourth a contact person in that department, and the fifth the technical group that owns delivery of the need. A need that you cannot assign a business owner or a technical owner to is worth noting now; it will almost certainly come back as a finding in step 5.
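As an added example, not code from the column, here is a small Python check that reads the spreadsheet described above (exported as CSV) and reports the gaps that keep step 1 from being complete: needs with no business owner, contact or technical owner, needs entered more than once, and needs from the list above that the sheet never mentions. The column names and the sample rows are assumptions constructed for this example.

```python
"""Gap check for the step-1 perimeter-function inventory.

Reads the spreadsheet described in the column, exported as CSV, and reports
needs with no business owner, contact or technical owner, needs listed more
than once, and needs from the column's list that the inventory never
mentions. The column layout and the sample rows are assumptions made for
this example, not a format the column itself prescribes.
"""
import csv
import io

# The eleven needs from the column, in short form. A row's "need" value is
# expected to match one of these strings; if you split out needs 8-11 by
# audience, add the split-out names here as well.
CANONICAL_NEEDS = [
    "Protect internal data",
    "Ensure availability of the internal network",
    "Provide IP telephony",
    "Provide electronic mail",
    "Provide file transfer",
    "Allow private business-to-business communication",
    "Allow customers to view marketing material",
    "Allow web access via browser",
    "Allow internet access via client application",
    "Provide remote access to the network",
    "Provide remote access over a secure channel",
]

# Assumed column layout of the CSV export of the spreadsheet.
REQUIRED_COLUMNS = ["need", "description", "business_owner", "contact", "technical_owner"]
OWNER_COLUMNS = ["business_owner", "contact", "technical_owner"]

# Constructed sample inventory for this example; it deliberately contains gaps:
# one row has no contact, one has no technical owner, one need is entered
# twice, and six of the eleven needs are absent altogether.
SAMPLE_INVENTORY = """need,description,business_owner,contact,technical_owner
Protect internal data,Keep internal data from leaving the network,Information Security,J. Doe,Network Engineering
Ensure availability of the internal network,Keep outside events from disrupting internal service,IT Operations,A. Roe,Network Engineering
Provide electronic mail,Inbound and outbound SMTP,Corporate IT,,Messaging Team
Allow customers to view marketing material,Public web site for prospects,Marketing,P. Lee,Web Hosting
Allow web access via browser,Outbound HTTP/HTTPS for staff,Human Resources,M. Kim,
Allow web access via browser,Same need entered a second time,Human Resources,M. Kim,Network Engineering
"""


def load_inventory(csv_text):
    """Parse the CSV export into a list of dicts, rejecting a bad header."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        raise ValueError(f"inventory is missing columns: {', '.join(missing)}")
    rows = []
    for row in reader:
        # Normalise blanks so an empty cell and a cell of spaces are treated alike.
        rows.append({k: (v or "").strip() for k, v in row.items() if k is not None})
    return rows


def find_gaps(rows):
    """Return (need, problem) pairs; an empty list means step 1 is complete."""
    gaps = []
    seen = set()
    for row in rows:
        need = row["need"]
        if need in seen:
            gaps.append((need, "listed more than once"))
        seen.add(need)
        for col in OWNER_COLUMNS:
            if not row[col]:
                gaps.append((need, f"missing {col}"))
    for need in CANONICAL_NEEDS:
        if need not in seen:
            gaps.append((need, "not in inventory: confirm it is not needed or add it with owners"))
    return gaps


if __name__ == "__main__":
    for need, problem in find_gaps(load_inventory(SAMPLE_INVENTORY)):
        print(f"{need}: {problem}")
```

Run it against your own export once the sheet is filled in. Every line it prints is something to resolve, or to record as a finding, before moving on to step 2; an unowned need is exactly the kind of thing that later turns out to be "supported" by a firewall rule nobody can explain.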
Believe it or not, you have now completed the first step in your perimeter assessment. In the next column we will address step 2, “Assess the technology used along the perimeter of your network.”