
Firewall Wizards mailing list archives
Re: Role of a Security Administrator
From: "Webmaster" <webmaster () rbfcu org>
Date: Mon, 8 Jan 2001 11:27:57 -0600
Maddy,

You wrote:
I read an article some time ago (sorry I can't remember the source at the moment) that the line between the roles of a security administrator and a system administrator is becoming blurred. Due to the nature of both jobs requiring either a superuser ID (UNIX) or administrator rights (NT), segregating both roles is getting increasingly difficult. For those who had read my other thread on VAJ, you would see an example of what I am raising over here. Would anyone want to share his/her views on this ?
Just because two jobs *can* be done by one, doesn't mean that the auditors/inspectors will agree.
1. creating security policies, standards and guidelines
2. administering user and resource controls
3. ensuring security compliance

1. Is it practical for the same group to perform task (2) and (3) ?
See my above comment. IMHO, no they shouldn't.
Aren't they conflicting ?
Yes, see above.
2. Some said task (3) belongs to audit group but from my discussion with my audit folks, they are interested only mainly in accountabilities and controls (and proper procedures), they do not perform micro-analysis of systems and networks to ensure security compliance. Are they telling the right things ?
Sounds like my auditors. I agree that the micro-analysis is not necessary. The sysadmin folks should be doing that, and hopefully there is some amount of trust to the integrity of said individuals.
3. I am thinking of splitting the IS group into 2 teams, a security implementation team and a policy & compliance team. However, recent assessment by a contracted consultant recommends that there will be a conflict of interest in the IS group performing both implementation and compliance verification tasks. I see that compliance verification ensures the quality of the implementation and there is no conflict. What do you guys think ?
Maybe I'm a pessimist, ;) but if you've got the manpower, divide up the tasks.
4. Another possibility would be to move the security implementation responsibilities to the system administrators and the IS group would concentrate only on policies and compliance tasks. Is this a common practice ?
I don't know about common, but it sounds like a plan to me. The sysadmin guys *should* be very knowledgeable about how to change settings (i.e. implement).

I hope this helps some.

Later,
Michael Sorbera

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards