Security Basics mailing list archives
Re: The procedural aspects and work valorization of an IT Security Service, Advice needed
From: krymson () gmail com
Date: Tue, 3 Mar 2009 13:23:11 -0700
I'm going to pull two things out of your post to make sure I understand them correctly.

1. You're in the operations dept and most of your team's (and your) time is devoted to day-to-day operations.
2. Management wants something it can look at and see obvious value. This might not be the right way to do it, but sometimes management sees it this way.

Trying to do security on an operations team is hard, especially if the duties and time overlap. Guess which one will always take precedence? Yeah, ops.

I would maybe start getting a security slant by tackling the "A" of CIA: Availability. Set up monitoring for uptime and service availability. This will get you a lot of exposure and visibility into the network and start to form some value to people who care. You could be the uptime stats guy for a while.

Likewise, you can start to tackle change management by pointing out any incidents of downtime (which is typically very visible to management!) and how change management or more secure practices could have an impact. Sure, it might slow things down a bit, but adds the value of quality.

Any chance you discover insecure settings or practices, be sure to log and point them out and/or even fix them. Make sure your manager knows you fixed it and why it was a bad practice.

Eventually with enough discussion and positive work (even if it is not yet glamorous), you'll be the security go-to guy and may be able to eventually expand your control and make suggestions on next steps towards security.

<- snip ->

Hi list,

I need pointing on an issue I have with my new job and I hope to find some help hereby. I am occupying an IT Security engineer position within a telecom operator. This position, and as a matter of fact the whole security service, is considered to be purely belonging to the operations department, having its duties mainly focused on maintaining the day-to-day supervision and administration of equipment and suchlike.

There are two issues I would like to have your advice on:

First, due to the fact that maintaining the smooth working of the IT systems does not have direct appreciable results intelligible by the manager's board, what mechanisms do you guys use to valorize your work so it doesn't go overlooked?

Secondly, as a direct result of considering security as plus or minus a hardware administration matter, there are almost no procedures in place relating to security, change management/security issues logging and analysis, etc. Hence my question: what framework would you use to develop the procedural aspect of security, and how would you convince the manager's board of its importance? Are there any examples of documents relating to security incidents reporting, security project achievement follow-up, etc. I could base my work on?

Looking forward to reading from you. All inputs are appreciated.

Best regards.