For example, when you create a security group, the owner should be identified and the members and permissions and rights documented. Every now and then — at least annually, if not more often — the owner should be asked if the group is still needed. The owner should review the members and permissions and actively respond to keep the group. Otherwise, it should be deleted. Preferably, all of this should be automated.
6. What is the "system of trust" for greenfield membership?
What system should be used for determining membership in the greenfield? This is another very important decision. Most companies usually want to use the same system found in the old environment (often involving an HR application). But if your greenfield is going to be green, you must give it a new system of trust. You can't populate a new, more trustworthy environment using a system or application from an untrustworthy environment. Well, you can, and you might even be forced to accept it, but you're creating a built-in weakness.
7. Do a better job of monitoring and drift control
Most compromised environments do a very poor job at monitoring and drift control. Ensure that all assets having event logging turned on with critical events predefined to generate alerts. Document what programs and processes are supposed to be running on each computer, then monitor changes.
Most companies don't have a clue as to what programs should be running on their computers, so when a new Trojan shows up, it goes unnoticed for a long time. Break the cycle! Instead, fully document what is allowed to be running and set up alerts when something new is installed or executed. This is a great place to use application control ("whitelisting") programs. I often recommend that they run in audit mode, so you get all the benefits of their monitoring, without causing undue operational interruption.
Is a greenfield the answer?
Is a greenfield really going to solve your organization's problems? If you've been reading up to this point, you'll realize that none of my advice has been about new designs or structures. Almost all the inherent problems I see in compromised environments involve either poor policies or poorly implemented policies. Most of the benefit you will gain from greenfield environment can be realized in your current one, with much less time and expense.
The biggest problems in today's networks aren't technical. They're political and human. That won't change as long as politics and humans remain the same.
Sign up for MIS Asia eNewsletters.