Security Basics mailing list archives
Re: CISO/Security Team roles and functions
From: "Sergii Khomenko" <sergey.khomenko () gmail com>
Date: Wed, 6 Feb 2008 13:33:08 +0200
Yes, segregation of duties is a problem. I think that to prevent this, the structure should be the following: the CISO (chief information security officer) reports to the CSO (chief security officer), who takes care of information security and physical security. The CSO reports directly to the CEO. If there is no CSO and only a CISO, then the CISO reports to the CEO. The CTO (chief technical officer) and/or CIO (chief information officer) should be completely separate from the security branch. The security branch creates rules and audits implementation; the operational branches implement the rules. This way SoD doesn't take place. In the case of firewalls, IDS, IPS, etc., I think the security branch should mostly work on policies, procedures, baselines, etc., and the operational branches should implement them: install, tweak, test. And finally, when implementation is done, before the final "go!", security comes and does the audit of the implementation against the rules created by security.

Sergey

On 4 Feb 2008 21:02:05 -0000, <amatachick () gmail com> wrote:
This is an issue I've run into on every Information Security job. Sometimes Information Security takes care of the firewalls and IDSs, and sometimes that job goes to the Network Administrators. I've worked in both environments. I have to say from personal experience the latter is much more common, especially when you get to a management level. I am fine with it being either way as long as Information Security can fully, and without the Network Administrator's prior knowledge, audit the Firewall and IDS configurations and logs. I don't believe that separation of duties and responsibilities applies so much in this scenario as in the bigger picture. I've run into the most issues with segregation of duties and responsibilities at the departmental level. The key question being: who does Information Security report to? I, personally, don't think it should be Information Technology. I feel that Information Security should really be its own department or at the least report to the compliance or legal departments. To be succinct, I believe it is the job of Information Security to ensure and/or report incidents and non-compliance with policies and procedures, ensure firewalls and IDSs are functioning properly, and conduct audits/assessments.
Current thread:
- CISO/Security Team roles and functions soul (Feb 04)
- Re: CISO/Security Team roles and functions Sergii Khomenko (Feb 04)
- RE: CISO/Security Team roles and functions Worrell, Brian (Feb 05)
- <Possible follow-ups>
- Re: CISO/Security Team roles and functions HITESH PATEL (Feb 04)
- Re: CISO/Security Team roles and functions amatachick (Feb 05)
- Re: CISO/Security Team roles and functions WALI (Feb 06)
- Re: CISO/Security Team roles and functions Sergii Khomenko (Feb 06)