It sounds nice, but how will that be different? In order to write a better policy for the greenfield environment, you're going to have to understand what went wrong in the old environment and write a better policy that's more specific. The devil is in the details.
3. How will you keep the hackers out?
I've been involved with a few companies that spent tens of millions of dollars to build a new environment: new computers, new network, new applications, new workstations, new servers. Nothing old was allowed to touch the new environment. After spending all that money and time, the old hackers compromised the new environment in days.
You need to learn from the weaknesses of the old environment so that the same old tricks no longer work in the new environment. For example, if the hackers got into the old environment using spearphishing emails containing malicious Adobe Acrobat PDF documents, how are you going to stop that from working in the new environment? I've seen plenty of possible solutions, including making sure that PDF documents are opened in encapsulated virtual environments where they couldn't do further harm. Just make sure those miraculous solutions are tested and implemented from the start. Making them pervasive in a few months isn't going to help you today.
4. The new environment looks great — but will it stay that way?
If you think it's hard to plan something new and near-perfect, that's easy compared to keeping it that way. Remember, those who built your current environment started out with the best of intentions. No one wanted to design insecure crap.
Examine what happened over time to make the current environment one people can't wait to get rid of. Was it due to poor technical decisions or was it more than that? In many cases, political or business pressures force poor security decisions. How can those be avoided in the future?
To me, this is the most important point of all. It's an awful lot of money and effort to build something new if you can't prevent repeating the same mistakes. These sorts of policy decisions are harder than just building a new network. It requires the right senior people agreeing on the right foundational policies.
5. Object lifecycle management
Another key implementation decision is to account for the full lifecycle of each and every object (user, computer, group, printer, OU, application, service account, and so on) in the network or Active Directory forest. Each object must have an owner who is easy for anyone to identify or query. Ownership gives accountability and allows key decisions to be made in a timely manner.
Each object should be tracked from provisioning to de-provisioning. Each object should have specific policies that detail how it comes into creation, how often review takes place, and when and how it should be modified and removed. The documentation should specify who can manipulate the object and how often the object needs to be reviewed for legitimacy.
Sign up for CIO Asia eNewsletters.