Security Basics mailing list archives
Re: Security Approval Process
From: Dustin Howard <dwhoward () cableaz com>
Date: Sat, 16 Aug 2003 06:46:13 -0700
For what it's worth, here's what I do. I was fortunate enough to have consulted for several years before taking an Enterprise position, so I saw a lot of ways that worked, and a lot that didn't.

At my organization, my team(s) run the operations and management of security devices (FW, VPN, IDS, Virus, etc). Standard, routine changes, I allow my staff to just implement. An example of this would be a web service being offered...my customer (in my org) needs to add another server, same TCP port as the others. That has already been engineered so they enter the change management request and I or the manager who reports to me approves it. But that's just the approval record.

New firewall entries are run through an engineering review board that is all comprised of the Sr. Engineers in my organization (this probably works because they all report in my team, so I can "endorse" (read: mandate) it). New firewall entries are usually services we have not had in the past...it's not the approval of the firewall that gets the nod, it's "what is the best way to implement this so the service and security are both properly served?" Once my engineering team makes the recommendation, if I agree with it, I will approve it.

When we do this process, members of the Information Security team are also on the engineering review board to approve and make recommendations. (NOTE: While I serve as the Director of Communications, my very good friend is the Director of Information Security. This could also be why the two groups are so collaborative). This concept helps us from the engineering in the silo concept...

Sincerely,
Dustin Howard, CISSP
Out in Arizona

At 02:10 PM 3/25/2003 -0900, Debbie Torri wrote:
Hi,

I currently approve of all production changes to our firewalls (internet and dmz) and also approve all VPN requests for external companies that want access into our network. We have 12 firewalls and about 700 production servers (Unix and Windows).

This is my question: Do you do this as part of your job? I have no clue if this is a normal task done by other security professionals. What are the pros and cons of doing this?

---
Debbie Torri CISSP
Norwest Industries
Denver, Colorado