Security Basics mailing list archives

Re: best place for IT Security team in the company organisation


From: SherpaJoe <sherpajoe () gmail com>
Date: Thu, 09 Aug 2007 14:47:25 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1 - Security roles do not necessarily administer the controls, rather
security establishes (sec specific SOPs (practice & policies)) and they
monitor the controls to tweak and dial as compliance or environmental
wind changes. (e.g. Server administrators apply the "policy", not the
sec. officer)
To answer your question regarding the proposition to move the 'firewall
and vpn' administrators in the telecom data direction; it is not without
merit. It would be the sec team who establishes the policies and ensures
they are maintained (administered) appropriately while the administrators
handle the tactical role of the day to day. Policy should supersede
petty control politics and guide day-to-day practice. (hee.hee: where I
work our policy has the admins monitoring the controls and reporting as
a sec dss (decision support service)... we keep things honest with
routine audits... again practice as a policy derivative.)
2 - Ditto Pascal's comments.

.Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGu4ttpcYWM8lb/XwRAgqqAJ9fVsavbmFSKy1OOyf7koPKh8M6nACeNUW0
srNF5ga/RtDUwXbl6S78VUk=
=/YTC
-----END PGP SIGNATURE-----

