Re: The procedural aspects and work valorization of an IT Security Service, Advice needed

[krymson () gmail com]

I'm going to pull two things out of your post to make sure I understand them correctly.

1. You're in the operations dept and most of your team's (and your) time is devoted to day-to-day operations.

2. Management wants something it can look at and see obvious value. This might not be the right way to do it, but 
sometimes management sees it this way.

Trying to do security on an operations team is hard, especially if the duties and time overlap. Guess which one will 
always take precedence? Yeah, ops.

I would maybe start getting a security slant by tackling the "A" of CIA: Availability. Set up monitoring for uptime and 
service availability. This will get you a lot of exposure and visibility into the network and start to form some value 
to people who care. You could be the uptime stats guy for a while.

Likewise, you can start to tackle change management by pointing out any incidents of downtime (which is typically very 
visible to management!) and how change management or more secure practices could have an impact. Sure, it might slow 
things down a bit, but adds the value of quality.

Any chance you discover insecure settings or practices, be sure to log and point them out and/or even fix them. Make 
sure your manager knows you fixed it and why it was a bad practice. Eventually with enough discussion and positive work 
(even if it is not yet glamorous), you'll be the security go-to guy and may be able to eventually expand your control 
and make suggestions on next steps towards security.

<- snip ->
Hi list,

I need pointing on an issue i have with my new job and I hope to find
some help hereby.

I am occupying an IT Security engineer position within a telecom
operator, this position, and the matter of fact the whole security
service, is considered to be purely belonging to the operations
department having its duties mainly focused on maintaining the
day-to-day supervision and administration of equipments and such like.

There are two issues I would like to have you advice on:

First, due to the fact that maintaining the smooth working of the IT
Systems do not have direct appreciable results intelligible by the
manager?s board, what mechanisms do you guys  use to valorize you work
so it don?t goes overlooked.

Secondly, as a direct result of considering the security as plus or
minus a hardware administration matter, there is almost no procedures
in place relating to security, change management/security issues
logging and analysis etc? hence my question, what framework would you
use to develop the procedural aspect of security and how would you
convince the managers board of its importance. Are there any examples
of documents relating to security incidents reporting, security
project achievement follow-up etc? I could base my work on? ?

Looking forward to reading from you. All inputs are appreciated.

Best regards.