Firewall Wizards mailing list archives

Re: Role of a Security Administrator


From: Harris Raymond D JR Civ AFAA/MSI <Raymond.Harris () wpafb af mil>
Date: Tue, 9 Jan 2001 13:39:27 -0500

Maddy (<mwlalex () magix com sg>),
You wrote:

1. creating security policies, standards and guidelines
2. administering user and resource controls
3. ensuring security compliance

1. Is it practical for the same group to perform tasks (2) and (3)?
2. Some said task (3) belongs to the audit group, but from my discussion with
my audit folks, they are mainly interested only in accountabilities and
controls (and proper procedures); they do not perform micro-analysis of
systems and networks to ensure security compliance. Are they telling the
right things?

The answer will depend upon who will be the customer. The head of the IS group? Or the CEO? Any organization can have people within the same group who 'check' to ensure workers are complying with policies. The problem comes with the issue of independence. The IS group may well want to have someone check the work of the system administrators, and perhaps at a very technical level. The auditors are going to be more concerned with ensuring that internal controls are in place to ensure policies are implemented. One such internal control might be a 'self-inspection' by the IS group.

Stated another way, the audit function would check whether the IS group has procedures in place to find and mitigate vulnerabilities. It is the IS group's function to actually do the 'find and fix'.

I hope this helps,
Ray Harris

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
