5-04-45 Operating Standards and Practices for LANs Leo Wrobel




Payoff

Operating standards for LANs offer certain advantages for keeping expenses for procurement, maintenance, and support under control. At the same time, any standards must enhance, not stifle, the productivity of users of local area networks. This article reviews the basics to include in a LAN standards document.

Problems Addressed

The following scenario is common in many organizations: there are 200 local area networks (LANs) located across the country, in everything from small sales offices with a handful of people to regional distribution centers. The company does not know whether these outlying locations handle mission-critical data. The company does not know with certainty who is running these LANs, because that ranges from office managers and clerical employees right up to seasoned IS professionals. A site that once had 10 salespeople now has 9 salespeople and a LAN administrator. The company does not know how these sites are buying equipment, yet it is reasonably sure that they are paying too much, because they are not buying in bulk or enjoying any economies of scale in equipment purchases. Locations are beginning to lean on IS for help desk support because there is no way they can keep up with the rapid proliferation of hardware, platforms, software, and special equipment being installed in the field. The telecommunications department is worried about connecting all of these locations together.

Although some attempts at standardizing these locations may be made, LAN managers in the field invariably consider standards to be an attempt by the IS department to regain control of the LAN administrators' environment. Because LAN managers seldom had any input into what these standards would be, the standards were soundly rejected. Today, there are literally thousands of companies fighting this same battle. This article gives some solutions to these problems.
First, however, it is important to understand why standards are required and how IS can implement standards without stifling productivity or adversely affecting the organization.

Why LANs Require Standards

Exhibit 1 compares two distinctly different operating environments: mainframes and LANs. To illustrate a point, Exhibit 1 uses the same adjectives that LAN and mainframe people use to describe each other.

Exhibit 1. Operational and Maintenance Characteristics

Operational Characteristics

  MAINFRAME                            LAN
  "Stodgy"                             "Seat-of-Pants Approach"
  "Stoic"                              "Close to Business"
  "Regimented"                         "Happy, Productive Users"
  "Inflexible"
  "Stifles Productivity"

Maintenance Characteristics

  MAINFRAME                            LAN
  "Highly Advanced Support Systems"    "Evolving Support Systems"
  "High-Level Help Desk Support"       "Difficult Help Desk Support"
  "Reliable and Well-Proven"           "High User Involvement in Routine Problems"
  "High Support-to-Device Ratio"       "Low Support-to-Device Ratio"
                                       "High Maintenance"

In an ideal environment, the LAN administrator can select exactly the type of equipment best tailored to do the job. LAN managers are historically close to the core business. For example, if the company is involved in trading stock, the LAN operations department can go out and buy equipment tailored exactly to trading stock. If the organization is engaged in engineering, the LAN administrator can buy equipment exactly tailored to engineering. From the standpoint of operational characteristics, LANs are far more desirable than mainframes because they are closer to the business, they empower people, and they make people enormously productive by being close to the core business.

This is not the whole story, however. It is equally important to support LANs once they are in place. This is where the trade-offs come in.

Lessons From Mainframe Experience

Because mainframes have been around so long, there is a high degree of support available. When users in the mainframe environment call the help desk with a hardware or a software problem, the help desk knows what they are talking about. Help desk staff are well trained in the hardware and the software packages and can quickly solve the users' problems. As another example, in an IBM 3070 terminal environment, 100 terminals or more could be supported by a single technician. When those terminals became PCs, the ratio perhaps dropped to 50 PCs per technician. When those PCs became high-end workstations, the ratio dropped even further. The value of a mainframe level of technical support cannot be underestimated.

Mainframe professionals had 20 years to write effective operating and security standards. These standards cover a number of preventive safeguards that should be taken in the operational environment to assure smooth operation. These range from:

- How often to change passwords.
- How often to make backups.
- What equipment should be locked up.
- Who is responsible for change control.
- Defining the standards for interconnecting between environments.

In the mainframe world it was also easy to make very large bulk purchases. Because the mainframe has been around for so long, many advanced network management systems exist that provide a high degree of support and fault isolation.

Balancing Productivity and Support Requirements for LANs

To the LAN administrator, the perfect environment, productivity-wise, is one in which any LAN administrator anywhere in a large company can go out and buy anything at any time. Flexibility to buy equipment that is exactly tailored to the core business and that has the maximum effect in the way of enhancing productivity is highly desired in LAN environments. However, if someone calls the help desk, the help desk staff will not really be sure what equipment is out there, let alone how to troubleshoot it. In many ways, if users buy an oddball piece of equipment, no matter how productive it makes them, they are on their own as far as supporting that equipment.

LANs have a characteristically high ratio of technologists required to support the environment. Today, sophisticated boxes sit on the desktop that demand a much higher level of maintenance. Because people are such a valuable commodity and so difficult to justify because of downsizing or rightsizing, LAN administration is usually relegated to a firefighting mode, without a lot of emphasis on long-range planning.

Because LAN platforms are relatively new in comparison to mainframes, there has not been as much time to develop operating and security standards. This is especially irritating to auditors when mission-critical applications move from the traditional mainframe environment onto LANs and the protective safeguards around them do not follow. Something as simple as transporting a tape backup copy of a file between LAN departments can be extremely complicated without standards. What if everyone buys a different type of tape backup unit? Without standards on what type of equipment to use, bulk purchases of equipment become difficult or impossible. Even though major improvements have been made in network management systems over the past five years, the management systems associated with LANs often lag behind those associated with mainframe computers. Again, this causes the company to pay penalties in the area of maintenance and ease of use.

One answer, of course, is to force users into rigid standards. While this pays a handsome dividend in the area of support, it stifles the users' productivity. They need equipment well suited to their core business purpose. An alternative is to let users install whatever they want. This may increase productivity greatly, though it is doubtful that a company could ever hire and support enough people to maintain this type of configuration. Worse, mission-critical applications could be damaged or lost altogether if users are not expected to take reasonable and prudent safeguards for their protection.

It is the responsibility of both users and technologists to find the middle ground between the regimented mainframe environment and the seat-of-the-pants LAN environment. Through careful preplanning, it is possible to configure a set of standards that offers the advantage of greater productivity afforded by LANs, but also the advantages learned through 20 years of mainframe operations in the areas of support, bulk purchases, and network management. The remainder of this article concentrates on exactly what constitutes reasonable operating and security procedures for both LANs and telecommunications.

Standards Committees

One method is the formation of a communications and LAN operating and security standards committee. An ideal size for a standards committee would be 10 to 12 people, with representatives from sales, marketing, engineering, support, technical services (including LANs, IS, and telecommunications), and other departments. It is important to broaden this committee to include not only technologists but also people engaged in the core business, since enhancement of productivity would be a key concern.

The actual standards document that this committee produces must deal with issues for both the operation and protection of a company's automated platforms (the Appendix provides a working table of contents from which to begin to write a document). Subjects include:

- Basic physical standards, including access to equipment rooms, where Private Branch Exchange equipment is kept, what type of fire protection should be employed, standards for new construction, standards for housekeeping, and standards for electrical power.
- Software security and change control: which people are authorized to make changes, and how these changes are documented.
- The security of information, such as identifying who is allowed to dial into a system, determining how to dispose of confidential materials, determining which telephone conversations should be considered private, and the company's policy on telecommunications privacy.
- Weighing options with regard to technical support of equipment.
- Resolving issues regarding interconnection standards for the telecommunications network.
- Disaster backup and recovery for both LANs and telecommunications, including defining what users must do to ensure protection of mission-critical company applications.

Defining "Mission Critical"

Before all of this, however, the committee is expected to define and understand what a mission-critical application is. Because standards are designed to cover both operational and security issues, the business processes themselves must be defined, in order to avoid imposing a heavy security burden on users who are not engaged in mission-critical applications, or imposing too low a level of security on users who are.

Standards for equipment that is not mission critical are relatively easy. Basically, a statement such as "The company bought it, the shareholders paid for it, the company will protect it" will suffice. In practice, this means securing the area in which the equipment resides from unauthorized access by outside persons when there is danger of tampering or theft. It also includes avoiding needless exposure to factors which could damage the equipment, such as water and combustibles, and controlling food items around the equipment, such as soft drinks and coffee. The most one would expect from a user engaged in non-mission-critical applications would be something that protects the equipment itself, such as a maintenance contract.

Mission-critical equipment, however, has a value to the company that far exceeds the value of the equipment itself, because of the type of functions it supports. Determination of what constitutes a mission-critical system should be made at a senior management level. It cannot be automatically assumed that technical services will be privy to the organization's financial data. LAN and telecommunication equipment that supports an in-bound call center for a company such as the Home Shopping Club would definitely be mission-critical equipment, because disruption of the equipment, for whatever cause, would cause a financial hit to the company that far exceeds the value of the equipment. Therefore, mission-critical equipment should be defined as equipment that, if lost, would result in significant loss to the organization, measured in terms of lost sales, lost market share, lost customer confidence, or lost employee productivity.

Monetary cost is not the only measurement with regard to mission criticality. If an organization supports a poison-control line, for example, and loss of equipment means a mother cannot get through when a child is in danger, it has other implications. Because financial cost is a meaningful criterion for probably 90% of companies, it is the measurement used for purposes of this discussion.

There is not necessarily a correlation between physical size and mission criticality. It is easy to look at a LAN of 100 people and say that it is more mission-critical than another LAN that has only 4 people. However, the LAN with 100 people on it may provide a purely administrative function. The LAN with four people on it may have an important financial function.

Writing the Operating and Security Standards Document

In the following approach, it is recommended that two distinct sets of standards be created for mission-critical versus non-mission-critical equipment.

Network Software Security and Change Control Management

One item that should be considered in this section is: who is authorized to make major changes to LAN or telecommunications equipment? There is a good reason to consider this question. If everyone is making major changes to a system haphazardly, a company is inviting disaster, because there is little communication concerning who changed what and whether these changes are compatible with changes made by another person. Standards should therefore include a list of persons authorized to make major changes to a mission-critical technical system. They should also include procedures for changing passwords on a regular basis, both for the maintenance and operation functions of LANs and telecommunications. Procedures should be defined that mandate a backup before major changes, in order to have something to fall back on in case something goes wrong.

Procedures should also be established to cover Direct Inward System Access (DISA). Unauthorized use of Direct Inward System Access lines is a major cause of telecommunication fraud or theft of long-distance services. Automated attendants, for example, should also be secured and telephone credit cards properly managed. As a minimum, establish a procedure that cancels remote access and telephone credit for employees who leave the company, especially under adverse conditions.

Physical and Environmental Security

There should be a set of basic physical standards for all installations, regardless of their mission-critical status. These might include use of a UPS (uninterruptible power supply) on any LAN server. A UPS not only guards against loss of productivity when the lights flicker, but also cleans up the power somewhat and protects the equipment itself. There should be standards for physically protecting the equipment, because LAN equipment is frequently stolen and because there is a black market for Private Branch Exchange cards as well. There should be general housekeeping standards covering prohibitions against eating and drinking in equipment areas and proper disposal of confidential materials through shredding or other means. No-smoking policies should be included. Standards for storing combustibles or flammables in the vicinity of equipment should also be written.

Physical standards for mission-critical applications are more intensive. These might include sign-in logs for visitors requiring access to equipment rooms. They may require additional physical protection, such as sprinkler systems or fire extinguishers. They may require general improvements to the building, such as building fire-resistant walls. They should also include protection against water, since this is a frequent cause of disruption, whether from drains, building plumbing, sprinklers, or other sources.

Technical Support

The standards committee ideally should provide a forum for users to display new technologies and subject them to a technical evaluation. For example, a LAN manager or end user may find a new, innovative use of technology that promises to greatly enhance productivity in their department. They can present this new technology to the standards committee for both productivity and technical evaluations. The technologist on the committee can then advise the user of the feasibility of this technology: whether it will create an undue maintenance burden, for example, or whether it is difficult to support. If it is found that this equipment does indeed increase productivity and that it does not create an undue maintenance burden, it could be accepted by the committee and added to a list of supported services and vendors that is underwritten by the committee.

Other issues include what level of support users are required to provide for themselves, what the support level of the help desk should be, and more global issues, such as interconnection standards for a corporate backbone network and policies on virus protection.

Conclusion

The LAN operating and security standards document is designed to be an organization's system of government with regard to the conduct and operation of technical platforms supporting the business. A properly written standards document includes input from departments throughout the organization, both to enhance productivity and to keep expenses for procurement, maintenance, and support under control. Standards also ensure that appropriate preventive safeguards are undertaken, especially for mission-critical equipment, to avoid undue loss of productivity, profitability, or equity to the company in the event something goes wrong. In other words, they are designed to prevent disruptions.

Use of a LAN operating and security standards committee is advised to ensure that critical issues are decided by a group of people with wide exposure within the company and to increase ownership of the final document across departmental boundaries and throughout the organization. If properly defined, the standards document will accommodate the advantages of the mainframe environment and the needs of LAN administrators by finding the middle ground between these operating environments. By writing and adopting effective standards, an organization can enjoy the productivity afforded by modern LAN environments while at the same time enjoying the high level of support afforded through more traditional environments. The appendix lists examples of typical standards for these types of installations. Readers are encouraged to use them as a baseline in developing standards and to begin building a standards committee now.

Author Biographies

Leo Wrobel

Leo Wrobel is president of Premier Network Services Inc. in Dallas.