tscydg
Viewer

Security vs Infrastructure Job Duties

Hello! Just received my CISSP in January and am a first-time poster and glad to be part of the community. I'm fairly new to a mid-size healthcare organization where I manage our security team. Previous to my coming on, security was run out of the IT Infrastructure team and reported up through the CIO. About a year before I started, security was segregated out of IT as its own team reporting up through the CFO. My experience before this job was in IT Infrastructure where all security duties were the responsibility of Infrastructure with no distinct security team.

 

As I now manage a distinct security team, there are some areas of responsibility that are gray to me. I'm sure that the answer depends on the circumstances of the organization but I'm wondering if there are any best practices around separation of duties between IT (specifically Infrastructure) and security? As some background, our IT team does have a distinct GRC/Audit function and operations function. Some examples that are gray to me are: IDS/IPS on the firewall, firewall rules, Anti-Virus/Malware administration, OS/ISO hardening, GPO administration, and patching. Should security play an advisory/audit function only in these areas or take ownership of some of them? Thanks in advance for the feedback!

1 Reply
rslade
Influencer II

> tscydg (Viewer) posted a new topic in Welcome on 02-06-2019 02:29 PM in the

> I'm wondering if there are any best
> practices around separation of duties between IT (specifically Infrastructure)
> and security? As some background, our IT team does have a distinct GRC/Audit
> function and operations function.

Hopefully the audit function is *really* distinct. That's what separation of duties
is: the process, person, or office that does the function should *NOT* be the one
that *checks* the function. Any function.

To provide an example from a completely different field, as an author I can tell
you that it is *impossible* to edit your own copy. You know what you meant to
say, and you automatically read what you meant, rather than what you actually
said. (Generally you automatically/mentally correct any small errors, as well ...)

In the same way, in protecting IT systems, you know the threats you meant to
protect against, and that the protections are valid (as far as you know). It takes
someone else to look at it and notice that you have completely forgotten a
common threat that you didn't think about ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I don't use drugs; my dreams are frightening enough - Escher

victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468