  • #2257271

    SECURITY Poll: How is it organized where you work?

    by compootergeek ·

    I work in the Data Center Operation department, within the IT Division. Our department has just formed a NEW group within my department titled "Security". I have been made part of this group (I'm not in charge). So far, I know they plan to have me help review process and procedures, and document.
    I've been encouraged to start some high-level research of my own.

    For now I just want to see how other mid-size businesses built their IT Security Group.

    Here's what I'd like to collect from you (just high-level):

    Job Title
    Role(s)
    Responsibilities

    Thanks ahead for any and all responses!

    • #3231840

      In order to answer sensibly

      by tig2 ·

      In reply to SECURITY Poll: How is it organized where you work?

      Security can be a variety of things: systems access may be an element, ability to read/write to certain documents across job descriptions may be an element, and protection of NPI data may be an element. And all of them can be referred to as IT Security.

      Are you a publicly traded company or plan to IPO within the next 12 to 24 months? Do you handle NPI data (Non Public Information)? Do you store this data? Are you a financial services provider or adjunct?

      Depending on your responses, you will need to consider different guidelines.

      While I know that you are looking for a high level overview, there is a vast cache of information available.

      • #3231818

        Yes to all the above….

        by compootergeek ·

        In reply to In order to answer sensibly

        In lieu of this discussion, I am researching and finding some valuable information.
        I can see your point on “vast cache”.
        For now I’m just hoping to view the responses at a high level and identify any consistencies on how a security department may be organized in other businesses, no matter what industry.

        Do you have a security department? I’d love to know what they have organized. Thanks Tigger!

      • #3276844

        Discussion edited….

        by compootergeek ·

        In reply to In order to answer sensibly

        Thanks Tigger

    • #3276667

      Hold on to your socks!

      by tig2 ·

      In reply to SECURITY Poll: How is it organized where you work?

      Alrighty then- here goes nothing…

      You’re Data Centre. That means that your primary focus is IT security and likely access authority. So some basics.

      I have watched companies get so stymied by procedure that they couldn’t do anything at all. You have to consider that your process has to be business integratable. A common tool for requesting access should be developed as well as the correct way to fill out the tool. Do it right and you can implement a good robust process with little pain.

      A role-based access plan is a good path, if you can define roles in a manner meaningful to business. I don’t care if someone is in the AR department, I want to know what their functional duties are. I also want to be able to associate their login ID/UID to that job function. Tougher than it sounds but valuable. If you are publicly traded, SODs are a major issue and one that needs to be auditable. The information can be managed using a reasonably sized database (maybe 100 tables where data is normalised) but regardless of tool, the business rules that define SOD have to be discussed and set in concrete.

      Before you ask: SOD = Segmentation of Duties. The people that spend the money can’t write the cheque. If you are not publicly traded, you may not have a view to that information or it may not exist. If you are publicly traded, that is an audit requirement.

      If you are a financial services provider or adjunct, your client FIs already have rules. So does the gov. Find out what they are and make them the blueprint.

      An incoming end user should only be given the access that is required to enable their job. That access must be reviewed regularly. While it is frustrating to need to see something and not have access, an audit trail will only “see” the stuff communicated on “paper” and supported by logs.

      You ARE logging system change?

      I will hunt up a bunch of my favourite sites around foundational security and get them to you. There is a MASS of information out there and little direction outside of what the gov is mandating… and they don’t mandate well. 10 years into HIPAA and we still do a lot of guessing.

      And no- I don’t run a security group. If I did, more companies would have better security. This is a passion of mine and has been for many years.

      Believe me, this isn’t even the tip of the iceberg. Every year the issues around security/privacy/compliance become more complex and there is not enough definitive information, even from the agencies that force the mandates.

      Every dollar you spend on sensible security and compliance keeps you a step away from being a headline. And ensures that as the rules get more stringent, you are always ready to absorb the change.

      Hope that all made some sense to you!
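The reply above describes a role-based access plan whose SOD rules are "set in concrete", where each login ID maps to a job function, and where access is reviewed against those rules. The script below is an added example (not code from this thread or from any poster) of how those rules can be expressed and checked as data: roles carry entitlements, SOD rules name entitlement pairs one person must never hold together, and an audit pass reports (a) users whose effective access breaks a rule, (b) access granted directly to a login rather than through a role, which defeats the "login ID to job function" mapping, (c) role names not in the role model, and (d) role pairs that can never be co-assigned. All role names, entitlement names and the user list are constructed for illustration.

```python
"""Toy role-based access model with segregation-of-duties (SOD) checks.

Added example. ROLES, SOD_RULES and USERS are constructed sample data,
not taken from any real environment.
"""
from dataclasses import dataclass, field
from itertools import combinations

# Constructed role model: job-function role -> entitlements it carries.
ROLES = {
    "ap_clerk": {"create_invoice", "approve_purchase_order"},
    "treasury": {"issue_payment", "reconcile_bank"},
    "dc_operator": {"read_change_log", "restart_service"},
    "dc_admin": {"read_change_log", "restart_service", "modify_firewall"},
    "change_approver": {"approve_change"},
}

# Constructed SOD rules: entitlement pairs one person must never hold together.
# First rule: "the people that spend the money can't write the cheque".
# Second rule: whoever implements a firewall change may not approve it.
SOD_RULES = [
    frozenset({"approve_purchase_order", "issue_payment"}),
    frozenset({"modify_firewall", "approve_change"}),
]


@dataclass
class User:
    uid: str                                  # login ID / UID
    roles: set = field(default_factory=set)   # job-function roles assigned
    direct_grants: set = field(default_factory=set)  # access granted outside any role


# Constructed user directory exercising each finding type.
USERS = [
    User("jdoe", {"ap_clerk"}),                          # clean
    User("asmith", {"ap_clerk", "treasury"}),            # SOD violation via two roles
    User("bkim", {"dc_admin"}, {"approve_change"}),      # direct grant creates SOD violation
    User("cray", {"dc_operator", "night_shift"}),        # role not in the model
]


def effective_entitlements(user, roles=ROLES):
    """Union of role entitlements and direct grants; unknown roles add nothing."""
    ents = set(user.direct_grants)
    for r in user.roles:
        ents |= roles.get(r, set())
    return ents


def sod_violations(users, roles=ROLES, rules=SOD_RULES):
    """(uid, conflicting entitlement pair) for every user holding both sides of a rule."""
    findings = []
    for u in users:
        ents = effective_entitlements(u, roles)
        for rule in rules:
            if rule <= ents:
                findings.append((u.uid, tuple(sorted(rule))))
    return findings


def direct_grant_findings(users):
    """Access not tied to a role cannot be traced to a job function; report it."""
    return [(u.uid, e) for u in users for e in sorted(u.direct_grants)]


def unknown_role_findings(users, roles=ROLES):
    """Role names that are not defined in the role model."""
    return [(u.uid, r) for u in users for r in sorted(u.roles) if r not in roles]


def toxic_role_pairs(roles=ROLES, rules=SOD_RULES):
    """Role pairs that, combined, violate a rule neither role violates alone.

    Useful when approving an access request: the requester's new role set can be
    rejected before any entitlement is provisioned.
    """
    pairs = []
    for a, b in combinations(sorted(roles), 2):
        combined = roles[a] | roles[b]
        for rule in rules:
            if rule <= combined and not rule <= roles[a] and not rule <= roles[b]:
                pairs.append((a, b, tuple(sorted(rule))))
    return pairs


def audit(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Run every check and return the findings as one report dictionary."""
    return {
        "sod_violations": sod_violations(users, roles, rules),
        "direct_grants": direct_grant_findings(users),
        "unknown_roles": unknown_role_findings(users, roles),
        "toxic_role_pairs": toxic_role_pairs(roles, rules),
    }


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in items:
            print("   ", item)
```

Running the script prints each finding type in turn; the same `audit()` output is what a periodic access review would diff against the previous run, and `toxic_role_pairs()` is the check an access-request tool can apply before a new role is granted.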
