TMS zl Module Planning and Implementation Guide 2009-08

High Risk – Information assets covered by compliance legislation (HIPAA, PCI, etc.) that require prevention of improper disclosure, or for which such disclosure carries financial penalties. Information may also be considered “high risk” if disclosure could cause severe damage to the organization, or if other company policies deem it “sensitive”, such as payroll, personnel, financial and legal information.

Confidential – Information assets that are business critical but may not cause loss to the organization if externally disclosed, and that should still be protected from unauthorized access and disclosure. Examples include Sales and Marketing forecasts or business plans, and sensitive IT information such as network designs, configurations and user accounts.

Public – Information assets that can be freely accessed and distributed by any end-user. A rule of thumb for information deemed public is the “Headline rule”: you wouldn’t mind reading this information as a front-page newspaper headline.
In the absence of a sufficiently detailed company security policy, a “Company Information Assets” document must be created listing all “High-risk” and “Confidential” organizational data to be addressed as part of this project. This should be based on discussions with company staff and must include the server that hosts each information asset. Detailed server information also needs to be gathered and should include hostname, operating system, installed applications, local application and data storage locations, any local accounts, IP address(es), physical location, physical network connectivity and interdependencies with other servers on or outside of the network.

As part of your initial discovery, some basic research should be performed on the specific customer industry to identify any regulatory requirements that apply to their type of business or market. The areas of data requiring protection can vary widely depending on the industry supported by the network infrastructure and may include specific legal compliance requirements such as PCI, HIPAA, GLBA, FIPS, etc.

If findings from this research identify areas of potential exposure beyond what can be addressed through the proposed solution, additional discussions with IT management may be necessary to ensure a proper solution is implemented.
Based on any existing policies and discussions with company staff, the organizational information assets should be grouped into the data classification categories listed above. Once developed, this initial version of the “Company Information Assets” document should be reviewed with the appropriate customer contacts for final validation of accuracy and completeness. HP ProCurve recommends that the professional services delivery organization have the customer sign off on this document as having accurately captured all “High-risk” and “Confidential” information assets that require protection.

See Appendix B “Sample Company Information Assets” for a spreadsheet that can be used to capture this information. To complete this section, all columns should be completed except the “Application Network Details” column, which will be completed in later steps of this process.