Firewall Wizards mailing list archives

RE: Firewalls and IS Network bodies


From: "Biggerstaff, Craig T" <Craig.T.Biggerstaff () usahq unitedspacealliance com>
Date: Fri, 12 Dec 1997 09:12:09 -0600

I have a problem with the idea that there can be completely separate
"policy" groups and "operations" groups.

Those who have expertise in networking and security matters generally
gained it through daily exposure to operational hazards, and are better
equipped to recognize a flawed policy than policy makers who don't
have to worry about the details.  If policy makers can deflect all
criticisms to the operations group, then even a good policy will become
deformed, over time, from its original intent.  Witness the IS shops who
decide arbitrarily to worship at the altar of Bill and make their
company 100% Microsoft, deferring until later the decisions about
security.  In these situations the operations folks have three choices:
(a) get better jobs elsewhere; (b) become the "bad cop" that others hate
because operations "keeps us from getting our work done"; or (c) duck
and cover.


-- Craig Biggerstaff

----------
From:  Mark Curley[SMTP:mcurley () baf com]
Sent:  Thursday, December 11, 1997 3:31 PM
To:    firewall-wizards () nfr net; 'Mike van der Walt'
Subject:       RE: Firewalls and IS Network bodies

Actually, it should not matter which group handles it, as long
as they are willing and able to implement the security policy
of the company.  Even if they don't have the security mindset 
or know-how, it might work OK if the policy is set by people
who do and operations does the "administration" work.

[other comments deleted]



