Questions regarding restructuring IT Dept. for room for InfoSec group.

Thread: Questions regarding restructuring IT Dept. for room for InfoSec group.

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    224


    My company has decided to add two people within our IT dept. to head a security department. Our duties will be to provide checks and balances between groups within the company and be an impartial "auditor" of security actions that arise (employees visiting bad sites, reading each other's emails, violating confidentiality agreements). Another duty that we will uphold is ensuring the security of our web clusters that take customers' orders and hold customer information. Lastly we will uphold the responsibility of ensuring MS vulnerabilities are patched and assess new hotfixes and patches offered by MS.

    Our infrastructure currently consists of two DHCP controllers running Win 2k Server. We have just migrated to AD and are days away from phasing out our Exch. 5.5 and being 100% Exch. 2000. We have a GNATBox firewall made by GTA in front of and behind our two data T1s. We have also recently implemented MS ISA Server (waiting to be impressed with ISA) that maintains internet security for all end users.
    Currently we know that there are many cracks in our armor, and it will be our job to identify those cracks and patch them up. We know that we also have an issue with packets that contain customer information being easily picked up within the internal network.
    I have read the FAQs and they seem to best serve someone on an individual basis. The items that I am looking for advice on contrast greatly.
    1. Is there anyone out there that knows of guidelines for creating an InfoSec department within an IT dept. within a corporate company? These will obviously be custom policy guidelines, but a template that another company uses will get us off to a good start.
    2. What are some nice tools out there to analyze protocol layers and packets? We need an app (preferably for purchase) that will allow us to capture packets. One thing that we will need in case we run into resistance in creating this group (long story: battle of the Director of IT to keep as many techs under him as possible to maintain his current income level) is actual packet data to show upper management that there is a data security concern.

    I am actually a Telecom Analyst with a degree in Computer Systems/Networking Technology. The other technician that will be heading this group with me is a Sr. Network Engineer. Some of these questions may seem elementary to many of you, and some may not have enough age or experience in the corporate world to know how delicate this chance is. Any help will be greatly appreciated.
    There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.

  2. #2
    Junior Member
    Join Date
    Aug 2003
    Posts
    11
    In my corporate environment I use Ethereal for packet sniffing, and started with ISO 17799 (BS 7799 in the UK) as the starting point for considering what security policies I wanted to initially define. I would look around in the SANS Reading Room and at some of the NIST documents.
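The first post asks for packet-level evidence that customer data crosses the internal network in the clear, and the reply above points at Ethereal for the capture. The block below is an added example, not code from any poster or from Ethereal: a small Python dissector that walks Ethernet/IPv4/TCP headers, pulls out the TCP payload, and flags card-number-like digit runs that pass the Luhn check, reporting them masked so the evidence itself does not leak the number. The frames, the `build_frame` helper, the 10.0.x.x addresses and the `orders.internal` host are all constructed for the example (IP and TCP checksums are left at zero); in practice the frames would be read from a tcpdump/Ethereal capture file instead.

```python
import re
import socket
import struct

# Constructed sample frames (not captured from any real network): one plaintext
# HTTP POST carrying a card number, one harmless GET. 4111111111111111 is the
# standard Visa test number and passes the Luhn check.

def build_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Assemble an Ethernet/IPv4/TCP frame; checksums are left zero (example only)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    # sport, dport, seq, ack, data offset (5 words << 4), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto=6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame: bytes):
    """Return addresses, ports and TCP payload of an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[23]
    if proto != 6:                          # only TCP is dissected here
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    tcp_start = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    doff = (frame[tcp_start + 12] >> 4) * 4  # TCP header length from data offset
    payload = frame[tcp_start + doff:]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_card_numbers(payload: bytes):
    """Digit runs in the payload that look like a PAN and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep first six and last four digits so the report itself is not sensitive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_frames(frames):
    """Dissect each frame and report cleartext card numbers with their endpoints."""
    findings = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        for pan in find_card_numbers(pkt["payload"]):
            findings.append({"src": pkt["src"], "dst": pkt["dst"],
                             "dport": pkt["dport"], "pan": mask(pan)})
    return findings


SAMPLE_FRAMES = [
    build_frame("10.0.1.25", "10.0.2.10", 40123, 80,
                b"POST /order HTTP/1.1\r\nHost: orders.internal\r\n\r\n"
                b"name=J+Smith&card=4111111111111111&exp=1205&cvv=123"),
    build_frame("10.0.1.26", "10.0.2.10", 40124, 80,
                b"GET /catalog?page=3 HTTP/1.1\r\nHost: orders.internal\r\n\r\n"),
]

if __name__ == "__main__":
    for f in scan_frames(SAMPLE_FRAMES):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} cleartext PAN {f['pan']}")
```

Only the first sample frame is reported (as `411111******1111` from 10.0.1.25 to 10.0.2.10:80); the digit runs in the second frame are too short to match. Masking the match is deliberate: a report meant for management should prove that the data is exposed without becoming another copy of it.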

  3. #3
    I'd rather be fishing
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    The first thing that sticks out in this post is:

    Battle of Director of IT to keep as many techs under him as possible to maintain his current income level
    Without high-level corporate support, the success of this endeavor is already in jeopardy.

    As for looking for good information on Security (structure, policies, etc.) I have always thought SANS was pretty good.

    Good Luck

    Cheers:
    DjM

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    224
    We currently have the support of the individual that owns the company.
    SANS I will check on.

  5. #5
    Senior Member
    Join Date
    Jun 2003
    Posts
    3,834
    Why can't the security dept. work under the IT director? After all, he is the IT director. SANS was already mentioned as a great resource. In fact they have many canned policy templates. Another resource I used when this whole industry was getting started is "Information Security Policies Made Easy". It was a pre-year-2000 book that I bought when there was not much info on the subject available. It was expensive because you bought the copyright to use anything in the book within your organization, meaning you could publish and reproduce anything you wanted.

    One major step I would suggest first is to define operational and security responsibilities and guidelines. For instance, security administrators should not have access to operational systems and operations administrators should not have access to security systems, etc.

    Meaning a security person shall not have the ability to create, delete or perform transactions on operational systems, and vice versa.

    Then break both major areas into smaller functional groups and set policies based on them. To do that effectively you must have "in hand" a detailed and accurate organizational chart to structure your policies. Gotta run, hope that helps muddy things a bit.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  6. #6
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Because the IT director's job is to keep the rest of the company happy with the computer systems regardless of security. The head of network security needs to be on par with the Director of IT so that the director cannot overrule security decisions. Remember most CIOs and CTOs come from programming and not network admin/network security backgrounds and see security as an annoyance that is somewhat necessary instead of a necessity of life; they come from a time when computers were not connected 24/7 to the net.

    I would also suggest SANS as a great resource. I will talk to the head of my security department tomorrow.
    Who is more trustworthy than all of the gurus or Buddhas?

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    224
    I appreciate all opinions and advice. Obviously I should not have stated the issue with the Director. This guy is in the process of being stripped down and phased out by the owners because of many inter-company issues that need not be discussed here.

    We have our responsibilities broken down into:
    1. operations and support of distribution systems.
    2. operations and support of order processing systems.
    3. operations and support of administration.
    4. operations and support of data infrastructure systems.

    We also have a development team that is a completely separate entity although they are in house.

    I can't say that we are that worried about the trust relationships between the groups. This is in place. We are more worried about the way that many servers and workstations and security implements are configured.

  8. #8
    Senior Member
    Join Date
    Jun 2003
    Posts
    3,834
    "Because the IT director's job is to keep the rest of the company happy with the computer systems regardless of security."
    If that is the case in a company, I would agree and formulate a different entity. But that may cause more problems in the future because of power struggles etc. If an IT director can't get the funds to secure a new service he shouldn't approve it. After all it's his ass on the line, not the telecommuter's or whomever. I lose some battles but they know they are in for a fight when they want something... but they also know I am fair and have the company's interest in mind. Call me "company man" (pre-happy-hour humor).

  9. #9
    Super Moderator: GMT Zone
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Fellow AO subscribers... please forgive my stupidity, if such, but I feel that we are being dragged into a corporate political battle? This is NOT about best practice (AO's principles), but "who is in charge", with the motor, expense account etc. There are loads of very expensive consultants out there... hire them. WE SHOULD NOT GET INVOLVED.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #10
    Senior Member
    Join Date
    Aug 2003
    Posts
    224
    I agree with you on that one, RoadClosed. That is one of the biggest reasons for addressing the internal security issues at hand, because many products have been bought and implemented without being documented or made secure. This seems to be a problem in many companies that grow fast: always time to buy and implement, but no time to secure and harden.
