Security Basics
mailing list archives
Re: CISO/Security Team roles and functions
From: amatachick () gmail com
Date: 4 Feb 2008 21:02:05 -0000
This is an issue I've run into on every Information Security job. Sometimes Information Security takes care of the
firewalls and IDSs and sometimes that job goes to the Network Administrators. I've worked in both environments. I have
to say from personal experience the latter is much more common, especially when you get to a management level. I am fine
with it being either way as long as Information Security can fully, and without the Network Administrator's prior
knowledge, audit the Firewall and IDS configurations and logs. I don't believe that separation of duties and
responsibilities applies so much in this scenario as in the bigger picture.
I've run into the most issues with segregation of duties and responsibilities at the departmental level. The key
question being, who does Information Security report to? I, personally, don't think it should be Information
Technology. I feel that Information Security should really be its own department or at the least report to compliance
or legal departments.
To be succinct, I believe it is the job of Information Security to ensure and/or report incidents, non-compliance to
policies and procedures, firewalls and IDSs are functioning properly, and conduct audits/assessments.