In the Enterprise environment it seems there is always a battle around who should be responsible for what in IT. And there is always some manager or director who complains (or whose people do it for him or her) that Information Security seems to be overstepping its bounds. Where is that boundary, and where should it be? The answer to both questions is that it depends on the organizational structure, the expertise of the different teams, and the culture of the organization.
A couple of areas that always seem to come up are email and network security controls. Let’s look at email first. No information security team wants to be responsible for working tickets about emails that weren’t delivered or for restoring mailboxes. These activities should reside with an email team. However, who should control the settings on the mail scanner and what is or isn’t allowed through? I believe that regardless of who does the actual setting of the security controls on the mail scanner, the Information Security team should be the final decision maker on what the controls are set to. Since the Information Security team is the group that has the knowledge about the risks, vulnerabilities, and exploits, and they will be the group driving the Incident Response process, they need to have the ability to ensure that a defense-in-depth architecture is implemented.
Network services, specifically firewall configuration control, is also an area of concern for many organizations. I am all in favor of a Network team (whether they report to security or are separate) doing the wrench-turning on the firewalls. The security analyst should stay out of it if at all possible. However, I believe that Information Security should be the approval authority for all firewall changes: rules, file types, even logging changes.
There are other areas of IT, such as A/V and endpoint protection, identity services, workstation and server gold images, etc., that also fall into the same category. Information Security doesn’t need to do the day-to-day work, but they need insight and, in some cases, approval authority over changes. It all comes down to one group knowing all aspects of the defense-in-depth strategy for an organization.
Until next time…
~Skeeter