The Importance of Network & Data Flow Diagrams
Hello there
I have never blogged anything about my work in my life, but this time I felt that I have to write something because it really annoys me, so I'm going to talk about the importance of network & data flow diagrams in any organization that uses technology.
In order to understand why it's annoying, let me first explain to you what I do. As a Senior Security Engineer I visit clients as a Technical Consultant to review or test anything in their network. Before I can do the review or test, I have to take a look at their network & data flow diagrams. 99% of the time when I ask for them, the admins just look at me and say, "We have a network diagram which is not updated, but we don't have data flow diagrams, and why is it needed?" My reply to this is that they will help me to understand the network before I test or review anything. So, if your network diagrams are not accurate then my report won't be accurate. This results in the 'Oh' look... "So what do you want us to do?" Easy: just ask your network admin to update the diagram and create a data flow diagram if it does not exist, then I can be productive.
As you can see, this is what happens every time I meet a customer. I'm amazed how some network administrators ignore documenting their own network. Right, it is easy for them to understand the network because they are working on it, but what if your network administrator resigned? Usually, no one is able to operate the network properly because nothing has been documented and only your previous network administrator knows (owns?) the network.
So, the big question: what are the benefits of keeping your network & data flow diagrams updated?
- 1- It's the most important part of your network documentation.
- 2- Troubleshooting your network will be easier.
- 3- Whenever you want to expand or improve your network you need them.
- 4- Reduce loss of important network information when your admin resigns.
Your question should then be: what should the documentation have? Your network documentation should answer these questions:
(These questions relate to the systems/service and not to a person)
- 1- Who is doing it?
- 2- What is being done?
- 3- Where is it done?
- 4- When is it done?
- 5- How is it done?
That's it
Enjoy your weekend
and keep your work documented.
Documentation and Auditors
I was involved in a discussion with a few close friends and colleagues of mine last week where the subject of 'documentation' came up. Just to give you an indication of what business disciplines were around the table: 1 x lawyer, 3 x IT gurus, 2 x project managers (IT and Civil), 1 x business analyst, 1 x business process consultant (BPC) and myself (GRC). The subject came up due to 2 IT guys being hammered by an external audit performed on their division. The term 'Auditors, what do they know? It is not a perfect world!'.
To my surprise, everyone agreed except for myself and the lawyer. When we asked for more information, which they saw as 'the Spanish Inquisition', it turned out that the auditors requested documentation. Needless to say, there was 'some', not 'much' but 'some'. When pressed for the meaning of 'not much' it turned out that the documentation was a Visio diagram. You have it, a 'picture'. When asked what the picture showed, it came out that there were pictures showing how the systems were placed or located on the network, including all network devices. When asked 'Do you know what the systems do? Does your subordinate? Does your manager?' the answer was "yes, should hope so, will ask if they don't know".
From an auditing perspective this is foolish. Why? Simply put, documentation saves you from all types of unpleasant experiences in life. Let's take two examples:
- You have a contractual problem with a person, so you go to a shark, oops, lawyer. What does he ask for first (other than money)? Yep, you got it: paperwork, proof so to say.
- You need a loan, so you go to the bank. What do they ask for? Yep, your salary advice slip and your monthly expenses (unless they are loan sharks, then they ask you if you have insurance just in case you default).
Simply put, no documentation results in nothing.
Back to auditing: simply put, if it is not written down it does not exist! Auditors work with proof, evidence or better still 'show me the money', and yes, while a picture is better than 1000 words, it does not show 'Who, What, Where, When, Why and How'.
So, when thinking about documentation, think about what you will need to prove you did your job!