Hello! Just received my CISSP in January and am a first-time poster and glad to be part of the community. I'm fairly new to a mid-size healthcare organization where I manage our security team. Previous to my coming on, security was run out of the IT Infrastructure team and reported up through the CIO. About a year before I started security was segregated out of IT as it's own team reporting up through the CFO. My experience before this job was in IT Infrastructure where all security duties were the responsibility of Infrastructure with no distinct security team.
As I now manage a distinct security team, there are some areas of responsibility that are gray to me. I'm sure that the answer depends on the circumstances of the organization but I'm wondering if there are any best practices around separation of duties between IT (specifically Infrastructure) and security? As some background, our IT team does have a distinct GRC/Audit function and operations function. Some examples that are gray to me are: IDS/IPS on the firewall, firewall rules, Anti-Virus/Malware administration, OS/ISO hardening, GPO administration, and patching. Should security play and advisory/audit function only in these areas or take ownership of some of them? Thanks in advance for the feedback!
> tscydg (Viewer) posted a new topic in Welcome on 02-06-2019 02:29 PM in the
> I'm wondering if there are any best > practices around separation of duties between IT (specifically Infrastructure) > and security? As some background, our IT team does have a distinct GRC/Audit > function and operations function.
Hopefully the audit function is *really* distinct. That's what separation of duties is: the process, person, or office that does the function should *NOT* be the one that *checks* the function. Any function.
To provide an example from a completely different field, as an author I can tell you that it is *impossible* to edit your own copy. You know what you meant to say, and you automatically read what you meant, rather than what you actually said. (Generally you automatically/mentally correct any small errors, as well ...)
In the same way, in protecting IT systems, you know the threats you meant to protect against, and that the protections are valid (as far as you know). It takes someone else to look at it and notice that you have completely forgotten a common threat that you didn't think about ...
====================== (quote inserted randomly by Pegasus Mailer) email@example.com firstname.lastname@example.org email@example.com I don't use drugs; my dreams are frightening enough - Escher