Security Basics mailing list archives

Re: CISO/Security Team roles and functions


From: "Sergii Khomenko" <sergey.khomenko () gmail com>
Date: Wed, 6 Feb 2008 13:33:08 +0200

Yes, segregation of duties is a problem.

I think that to prevent this, the structure should be the following: the CISO
(chief information security officer) reports to the CSO (chief security
officer), who takes care of information security and physical security.
The CSO reports directly to the CEO. If there is no CSO and only a CISO, then
the CISO reports to the CEO. The CTO (chief technical officer) and/or CIO (chief
information officer) should be completely separate from the security
branch. The security branch creates rules and audits implementation;
operational branches implement the rules.

This way SoD doesn't take place.

In the case of firewalls, IDS, IPS, etc., I think the security branch should
mostly work on policies, procedures, baselines, etc., and operational
branches should implement them: install, tweak, test. And finally, when
implementation is done, before the final "go!", security comes and does
the audit of the implementation against the rules created by security.

Sergey

On 4 Feb 2008 21:02:05 -0000, <amatachick () gmail com> wrote:
This is an issue I've run into on every Information Security job. Sometimes Information Security takes care of the
firewalls and IDSs and sometimes that job goes to the Network Administrators. I've worked in both environments. I
have to say from personal experience the latter is much more common, especially when you get to a management level. I
am fine with it being either way as long as Information Security can fully, and without the Network Administrator's
prior knowledge, audit the Firewall and IDS configurations and logs. I don't believe that separation of duties and
responsibilities applies so much in this scenario as in the bigger picture.

I've run into the most issues with segregation of duties and responsibilities at the departmental level. The key
question being, who does Information Security report to? I, personally, don't think it should be Information
Technology. I feel that Information Security should really be its own department or at the least report to compliance
or legal departments.

To be succinct, I believe it is the job of Information Security to ensure and/or report incidents, non-compliance with
policies and procedures, firewalls and IDSs are functioning properly, and conduct audits/assessments.
