A network plan (for example in the form of a network topology plan) can be a useful starting point for the further technical analyses. A network plan is a graphical representation of the components used in the IT and communications technology under consideration and of the manner in which they are networked together. Network plans and similar graphical overviews are usually available in most organisations since they are needed for operations. The plan should present a minimum of the following objects in terms of information security:
IT systems, i.e. client and server computers, active network components (such as switches, routers, and WLAN access points), network printers, etc.
Network connections between these systems, i.e. LAN connections (such as Ethernet or token ring), WLANs, backbone technologies (such as FDDI, ATM), etc.
Connections between the area being examined and the outside world, i.e. dial-in access over ISDN or modem, Internet connections using analogue technologies or routers, radio links or leased lines to remote buildings or property, etc.
For each of the objects represented, there should also be a minimum set of information available which can be obtained from an assigned catalogue. As a minimum, the following information should be noted for each IT system:
A unique name (for example the full host name or an identification number)
The type and function (e.g. database server for application X)
The underlying platform (i.e. hardware platform and operating system)
The location (e.g. building and room number)
The administrator responsible
The available communication interfaces (e.g. Internet connection, Bluetooth, WLAN adapter)
The type of network connection and the network address
Certain information is needed not only for the IT systems themselves but also for the network connections between the systems and for connections to the outside world, including:
The type of cabling or communication link (e.g. fibre optic cables or WLAN based on IEEE 802.11)
The network protocols used on the lower layers (e.g. Ethernet, TCP/IP)
For external connections, details of the external network (e.g. Internet, name of provider)
Virtual IT systems and virtual network connections, for example Virtual LANs (VLANs) or Virtual Private Networks (VPNs), should also be represented in a network plan when the logical (virtual) structures implemented differ significantly from the actual physical structures. It may be appropriate for reasons of clarity to diagram the logical (virtual) structures in a separate network plan.
It is recommended to indicate areas with different protection requirements.
The network plan should be created and maintained in electronic form whenever possible. Once the amount of information technology in the organisation has grown beyond a certain size, it may be appropriate to use a suitable utility program to document and maintain the network plan, since this document can be very complex and is subject to constant change.
Updating the network plan
Since the IT structure is generally adapted to the specific requirements of the organisation and maintenance of the network plan binds the corresponding resources, the network plan for the organisation may not always be up-to-date. In practice, the plan is usually only updated after major changes to the IT structure of specific areas have been made.
With regard to using the network plan for the IT structure analysis, the next step consists of comparing the existing network plan (or partial plans, if the overall plan has been divided into smaller sections to make it easier to read) to the actual IT structure present and updating it to reflect the current state, if necessary. When updating the plan, those responsible for IT and any administrators of individual applications and networks should be consulted. If any programs are used for centralised network and system management, it should always be checked whether these programs provide any support for the creation of network plans. However, it should be noted that functions for the automatic or semi-automatic detection of components will temporarily generate additional network traffic. Steps must be taken to ensure that this network traffic does not impair IT operations. In addition, the results of automatic or semi-automatic detections must always be checked to ensure that all relevant components were actually detected.
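The minimum information required per IT system and per connection, and the check that an automatic detection run actually found every documented component, both lend themselves to a structured inventory rather than a drawing alone. The following Python script is an added example and is not part of the BSI standard or any tool it refers to: it keeps the plan as records with the attributes listed above, reports objects whose minimum information is incomplete, and reconciles the documented plan against a constructed list of detected component names. The sample systems (S1, C1, N1), the unknown endpoint N9, the addresses and the detection result are all made up for illustration; the field names and the EXTERNAL pseudo-node are the example's own choices.

```python
"""Completeness check and discovery reconciliation for a network plan inventory.

Added example (not from the BSI standard): the plan is kept as structured
records so that the minimum attributes required per IT system and per
connection can be verified, and so that a component list produced by a
network management tool can be compared against the documented plan.
"""
from __future__ import annotations

from dataclasses import dataclass

# Minimum attributes the text requires for each IT system (field names are this example's own).
REQUIRED_SYSTEM_FIELDS = (
    "name", "type_function", "platform", "location",
    "administrator", "interfaces", "network", "address",
)

EXTERNAL = "EXTERNAL"  # pseudo-node for connections to the outside world (assumption)


@dataclass
class ITSystem:
    name: str                          # unique name or identification number
    type_function: str = ""            # e.g. "database server for application X"
    platform: str = ""                 # hardware platform and operating system
    location: str = ""                 # building and room number
    administrator: str = ""            # administrator responsible
    interfaces: tuple[str, ...] = ()   # e.g. ("Ethernet", "WLAN adapter")
    network: str = ""                  # type of network connection
    address: str = ""                  # network address


@dataclass
class Link:
    src: str
    dst: str
    medium: str = ""                   # cabling / communication link type
    protocols: tuple[str, ...] = ()    # lower-layer protocols, e.g. ("Ethernet", "TCP/IP")
    external_network: str = ""         # for external links: network / provider name
    virtual: bool = False              # VLAN/VPN, i.e. logical structure differing from physical


def missing_fields(system: ITSystem) -> list[str]:
    """Return the required attributes that are empty for this IT system."""
    return [f for f in REQUIRED_SYSTEM_FIELDS if not getattr(system, f)]


def check_plan(systems: list[ITSystem], links: list[Link]) -> dict[str, list[str]]:
    """Collect findings keyed by object name (system name or 'src->dst')."""
    findings: dict[str, list[str]] = {}
    seen: set[str] = set()
    for s in systems:
        if s.name in seen:
            findings.setdefault(s.name, []).append("name is not unique")
        seen.add(s.name)
        missing = missing_fields(s)
        if missing:
            findings.setdefault(s.name, []).append("missing: " + ", ".join(missing))
    for link in links:
        key = f"{link.src}->{link.dst}"
        for end in (link.src, link.dst):
            if end != EXTERNAL and end not in seen:
                findings.setdefault(key, []).append(f"endpoint {end} not in plan")
        if not link.medium:
            findings.setdefault(key, []).append("medium not documented")
        if not link.protocols:
            findings.setdefault(key, []).append("protocols not documented")
        if EXTERNAL in (link.src, link.dst) and not link.external_network:
            findings.setdefault(key, []).append("external network/provider not documented")
    return findings


def reconcile(plan_names, discovered_names) -> dict[str, list[str]]:
    """Compare the documented plan with the result of an automatic detection run."""
    plan, discovered = set(plan_names), set(discovered_names)
    return {
        "undocumented": sorted(discovered - plan),   # detected but not in the plan
        "not_detected": sorted(plan - discovered),   # in the plan but not detected
    }


# Constructed sample data loosely following the BOV example (all values are made up).
SAMPLE_SYSTEMS = [
    ITSystem("S1", "personnel server", "x86 / Linux", "Bonn, building A, room 101",
             "personnel IT admin", ("Ethernet",), "LAN", "192.0.2.10"),
    ITSystem("C1", "5 clients, Personnel Department", "x86 / Windows",
             "Bonn, building A", "", ("Ethernet",), "LAN", "192.0.2.0/24"),
    ITSystem("N1", "switch", "managed switch", "Bonn, building A, room 100",
             "network admin", ("Ethernet",), "LAN", "192.0.2.1"),
]
SAMPLE_LINKS = [
    Link("C1", "N1", "copper", ("Ethernet", "TCP/IP")),
    Link("N1", "S1", "copper", ("Ethernet", "TCP/IP")),
    Link("N1", EXTERNAL, "leased line", ("Ethernet",)),   # provider not documented
    Link("N1", "N9", "fibre optic", ("Ethernet",)),       # N9 is not in the plan
]
SAMPLE_DISCOVERED = ["S1", "N1", "N9", "C1"]  # constructed detection result


if __name__ == "__main__":
    for obj, notes in check_plan(SAMPLE_SYSTEMS, SAMPLE_LINKS).items():
        print(obj, notes)
    print(reconcile([s.name for s in SAMPLE_SYSTEMS], SAMPLE_DISCOVERED))
```

Run as-is, the script reports that C1 lacks a responsible administrator, that the external link has no provider recorded, and that N9 appears as a link endpoint without being an object in the plan; the reconciliation then lists N9 as detected but undocumented. The two outputs answer the two questions the text raises: is the minimum information complete, and did the detection tool find everything the plan claims exists.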
Example: Bundesamt für Organisation und Verwaltung (Federal Agency for Organisation and Administration, BOV) - Part 2
Figure 6: Example of a network plan created during the structure analysis
In the network plan shown, the IT systems are indicated by a number (i.e. Sn, Cn, and Nn for servers, clients, and active network components, respectively) together with their function.
The clients have been combined into suitable groups in Berlin and in Bonn. All 130 clients have virtually the same configuration, but there are differences between them in terms of the information they process, the applications, how they are integrated into the network, and their underlying infrastructure. Group C1 represents the 5 clients in the Personnel Department. They have access to Server S1 in the Personnel Department in Bonn. C2 and C3 represent the 10 clients in the Administration Department and the 75 clients in the specialised departments in Bonn. The only differences between them are the application programs they use. Finally, group C4 represents the clients in the specialised departments in Berlin. These differ from groups C1 to C3 in terms of their surrounding infrastructure and their integration into the overall network.
Action Points for 4.2.3 Preparing a network plan:
Examine any existing graphic diagrams of the network, for example the network topology plans
If necessary, update the existing network plans or create new ones
Examine the additional information available on the IT systems contained and update and complete, if necessary
Examine the additional information available on the communication links contained and update and complete, if necessary