Firewall Wizards mailing list archives

Role of a Security Administrator


From: Maddy <mwlalex () magix com sg>
Date: Sun, 07 Jan 2001 02:42:44 +0800

I read an article some time ago (sorry I can't remember the source at
the moment) that the line between the roles of a security administrator
and a system administrator is becoming blurred. Due to the nature of
both jobs requiring either a superuser ID (UNIX) or administrator rights
(NT), segregating both roles is getting increasingly difficult. For
those who have read my other thread on VAJ, you will see an example of
what I am raising over here.

Would anyone want to share his/her views on this?

My second point of discussion is on the tasks of an information security
group. I think the popular tasks involve:
1. creating security policies, standards and guidelines
2. administering user and resource controls
3. ensuring security compliance
...etc.

Currently I am trying to fine-tune the role of an information security
(IS) group and I wonder if anyone could share with me what the
industry practice is. My questions are:

1. Is it practical for the same group to perform tasks (2) and (3)?
Aren't they conflicting?

2. Some said task (3) belongs to the audit group, but from my discussion with
my audit folks, they are mainly interested in accountabilities and
controls (and proper procedures); they do not perform micro-analysis of
systems and networks to ensure security compliance. Are they telling me the
right things?

3. I am thinking of splitting the IS group into 2 teams, a security
implementation team and a policy & compliance team. However, a recent
assessment by a contracted consultant states that there would be a
conflict of interest in the IS group performing both implementation and
compliance verification tasks. I see that compliance verification
ensures the quality of the implementation and there is no conflict. What
do you guys think?

4. Another possibility would be to move the security implementation
responsibilities to the system administrators, and the IS group would
concentrate only on policy and compliance tasks. Is this common
practice?

I am sorry for the long mail, but the answer to this cannot be found in
any textbooks. :=) I don't have much choice other than to resort to
expert opinions on this. My most sincere appreciation to anybody who can
contribute to this. TIA

Rgds
Maddy

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards