Great Circle Associates Firewalls
(November 1996)
 


Subject: Re: InfoSec organization
From: Dave Kinchlea <security @ kinch . ark . com>
Date: Thu, 14 Nov 1996 23:32:44 -0800 (PST)
To: Alain Zarinelli <zarinala @ pionet . net>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <328BA19A . 727A @ pionet . net>
Posted-date: Thu, 14 Nov 1996 23:32:45 -0800

I am not sure that there is that much of a difference between your two
approaches, except of course when it comes time to make the bus
cards/letterheads etc. I don't think it is possible to completely
separate the security aspects from the `running of things'. In order
to do either you must understand (to some degree) both. If you were to
completely separate the security aspects from the ordinary `running of
things' you would either need to duplicate the knowledge base in both
departments (an expensive proposition) OR you would need people to
cooperate closely on what they do.

Whether you call this two depts or one is a matter for Administration
but in the end, I think you would find that they must work as one unit
(dare I say Information Technology Services?)  or you will find that
you are working at cross purposes. The security folks would find
themselves undoing the work that the `ordinary' folks are doing and
vice-versa. So, I guess I am saying:

	3) all departments have security professionals that work
closely with each other AND with the `ordinary' people. Together they
form a coherent security plan that works for all of the individual
aspects of IT.

Make sense or is this just a cop out?

cheers, kinch


On Thu, 14 Nov 1996, Alain Zarinelli wrote:

> Hi all,
> I have a question concerning the "usual" structure of IT departments in
> bigger organizations:
> 1) Information security is split up between several different
> departments: Database administration does database security, Network
> services does network security, Computing services does host security on
> their systems...
> 2) There is ONE department, let's call it "InfoSec Dept." that is in
> charge of ALL the information security aspects for the different
> "sections", i.e. THEY control host security, database security and
> network security. Of course, there are still Database administration,
> Network services and Computing services departments, but those are
> merely responsible for "running" the things.
> 
> What is more likely to be the structure in bigger organizations? What is
> the opinion of the audience on the 2 "scenarios" above --
> advantages/disadvantages and the like...
> 
> Thanks for your thoughts. Alain.
> 


