Security Basics mailing list archives

Re: Security Approval Process


From: James Taylor <james_n_taylor () yahoo com>
Date: Wed, 26 Mar 2003 16:45:23 -0800 (PST)

Debbie,

Sorry, not trying to teach you to suck eggs. Re: "Separation
of Duties". From the CISSP prep guide (Krutz): the 'IS
security professional' should not be the person who
authorises access; rather, such professionals 'are delegated
the responsibility for implementing and maintaining security
by senior level management. Their duties include design,
implementation, management, and review of the org. sec
policy, standards, guidelines and procedures'.

The 'data owner' authorises the information classification
level.

Therefore executive or senior management are 'assigned the
overall responsibility for the security of information.
They may delegate the function of security but they are
viewed as the end of the food chain when liability is
concerned'. If they are liable, they must be the ones who
authorise access. I would suggest, in a large organisation,
this should be the CIO/CTO or IT director who represents IT
at the board level.

I would resist all attempts to sign your name against
giving access. I suspect, internal/external auditors would
also find it unacceptable.

Regards
James

--- Debbie Torri <debbietorri () eudoramail com> wrote:
Hi, 

I currently approve all production changes to our
firewalls (internet and dmz) and also approve all VPN
requests for external companies that want access into
our network. We have 12 firewalls and about 700
production servers (Unix and Windows).

This is my question: Do you do this as part of your job?
I have no clue if this is a normal task done by other
security professionals. What are the pros and cons of
doing this?

---
Debbie Torri CISSP
Norwest Industries
Denver, Colorado




-------------------------------------------------------------------
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.surfcontrol.com/go/zsfsbl1





