Security Basics mailing list archives

Re: Security Approval Process


From: Dustin Howard <dwhoward () cableaz com>
Date: Sat, 16 Aug 2003 06:46:13 -0700

For what it's worth, here's what I do.  I was fortunate enough to have
consulted for several years before taking an Enterprise position, so I saw
a lot of ways that worked, and a lot that didn't.

At my organization, my team(s) run the operations and management of
security devices (FW, VPN, IDS, Virus, etc).  

Standard, routine changes, I allow my staff to just implement.  An example
of this would be a web service being offered...my customer (in my org)
needs to add another server, same TCP port as the others.  That has already
been engineered so they enter the change management request and I or the
manager who reports to me approves it.  But that's just the approval record.

New firewall entries are run through an engineering review board that is
all comprised of the Sr. Engineers in my organization (this probably works
because they all report in my team, so I can "endorse" (read:  mandate)
it).  New firewall entries are usually services we have not had in the
past...it's not the approval of the firewall that gets the nod, it's "what
is the best way to implement this so the service and security are both
properly served?"  Once my engineering team makes the recommendation, if I
agree with it, I will approve it.  When we do this process, members of the
Information Security team are also on the engineering review board to
approve and make recommendations.  (NOTE:  While I serve as the Director of
Communications, my very good friend is the Director of Information
Security.  This could also be why the two groups are so collaborative).

This concept helps keep us away from the engineering-in-the-silo concept...


Sincerely,

Dustin Howard, CISSP
Out in Arizona



At 02:10 PM 3/25/2003 -0900, Debbie Torri wrote:
Hi, 

I currently approve of all production changes to our firewalls (internet and 
dmz) and also approve all VPN requests for external companies that want 
access into our network. We have 12 firewalls and about 700 production 
servers (Unix and Windows).  

This is my question: Do you do this as part of your job?  I have no clue if 
this is a normal task done by other security professionals. What are the pros 
and cons of doing this? 

---
Debbie Torri CISSP
Norwest Industries
Denver, Colorado
