Firewall Wizards mailing list archives

Re: Where do firewall Admins Sit in An Company


From: Mitch Pirtle <mitchell.pirtle () verizon net>
Date: 03 Jun 2003 10:44:53 -0400

On Tue, 2003-06-03 at 06:37, Tony Miedaner wrote:
> Thanks for the reply.
>
> OK.  Security develops policy and does approval of changes but where is
> oversight?
>
> Since obviously the networking and server folks do not wear a security hat,
> at least that is not what they get pay raises for.

Taking firewalls for example:

You take your "Firewall administrator technical lead/manager" and have
her jointly responsible with your Security Officer (or CSO, depending on
scale).  If they are both responsible for finding resolution to
conflicts and supporting both strategic and operational interests, you
can be sure your bases will be covered.  Ruleset policies or standards
are issued with full knowledge and acceptance from both organizations.

It also helps to know that they will be under tremendous pressure to
create an environment of cooperation and reconciliation (which certainly
falls under performance metrics somewhere)...

Ditto for all major technologies in use at the organization.  Another
option is to create "Centers of Excellence" where an
operational/administrative person is assigned the technical lead for
policy and rule processes, working jointly with a corresponding InfoSec
member.  When done this way, you'd be amazed at how far you can go.

-- Mitch

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

