Hi,

Documenting a network, in system administration terms, means writing
down the outcomes of internal audits on the system, and daily checks.
The practice of the audits and other system administration duties are
what define the documentation and the need for it.

For instance, you have a backup system. Documenting that is writing
down what it does, when, what the limits are of the tapes and so
forth. Obviously you wouldn't need the documentation if you didn't
have the system or if everyone who works there knows how it functions
and what to do if it breaks down.

The best method of getting a system documentation project started then
is to have an audit plan and a checklist of what it takes to keep
your network running. This is the "deployment" plan, which you may or
may not have. Once deployment is done and you have a list of all the
pieces of your network, and some references to how those work, or at
least who to call, then you look at an audit for that system. HP
published a network audit paper and I've linked to that below. Going
through that paper and addressing it to your system will give you an
idea of what you may or may not need in your network goals. Not all
networks are the same, and the goals or needs for those networks vary
even more.

Once you have decided on an audit scheme, then you look to see what it
takes to verify that this is being done, and then the documentation
for that will be pretty obvious to you. Trying to do it without an
audit plan is generally a practice in deception. The links below are
good practices in documentation and in security and network auditing.

Links,
HP-UX Audit Program.txt
http://www.auditnet.org/docs/HP-UX%20Audit%20Program.txt
How to conduct a security audit
http://www.techsupportalert.com/search/t04123.pdf
HITTING THE BULL'S EYE
http://www.infosecuritymag.com/articles/august00/columns5_logoff.shtml
Linux Security Auditing
http://rr.sans.org/audit/linux_sec.php
The SANS Security Policy Project
http://www.sans.org/newlook/resources/policies/policies.htm
The Internet Security Guidebook: from planning to deployment by
Juanita Ellis and Timothy Speed
http://downloads.securityfocus.com/library
Site Security Handbook
http://www.ietf.org/rfc/rfc2196.txt?number=2196
Computer and Information Security Policy
http://secinf.net/info/policy/hk_polic.html
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2196.html
How to Develop a Network Security Policy
http://www.sun.com/software/white-papers/wp-security-devsecpolicy
thanks,
webadept-ga