Advice on New Infosec position
My company has finally decided to create an infosec department. This group will be headed by a long-term co-worker who has 15+ years experience in networking infrastructure and security. This will be an all new experience for our company however, and a fresh start for a new trail in my career path.
Usually it's best to start things right (don't give the puppy a chance to poop on the floor and you will not have to rub his nose in anything), so I was wondering, for all of you guys out there who have experienced a newly developed Infosec group, and considering hindsight:
1. What should be requested up front?
a. Test environments
b. Triple head display cards
c. Intrusion detection software
d. etc., etc.
2. Should there be segregation from the rest of the IT dept.?
3. What duties should coincide with the infosec dept.?
4. First course of action, such as planned projects and immediate tasks?
5. What responsibilities should fall within the group?
These are just the questions that I have on my mind at the moment.
_______________________________________________________
Since there are a lot of you guys out there that have witnessed an infosec dept. at birth, I was hoping that I could learn from your experiences.
Thanks Ahead of Time.
Some recent experience with this myself...
Good advice and guidance from Catch and SoggyBottom :D and I would like to add to that...
About 1+ yrs ago I started a security office too and here's some thoughts from that experience.
(Note: no particular order)
1. Policy Development: Everyone else hit on this too; without these you don't have a way of telling your users & admins how to "behave" (re.: what they are allowed to do and not to do) if you will, and you won't have anything to enforce.
2. Profile Your Environment: You must know what you have in order to know what to assess and protect. Get network diagrams from network engineers, get a list of servers (IPs, platform, what they run apps-wise) from systems people, PBX info from telecom people, desktop environment from client services...you get the idea.
3. Risk Assessments: Need vulnerability scanners, tools, tools, tools...and hw to run them on (re.: servers, desktops, laptops). PM me and I can send you a list of my favorite tools for vulnerability assessments and such.
4. Money!!! You need some test hardware, vulnerability system(s) (hw, sw) for network, server and client testing, and tools.
5. Organizational Issues: In general you need the authority granted to you that's high enough so that people (administrators, users) will listen to you. If you tell them to patch and they don't, and they don't report to the security office...what are you gonna do? Some sort of executive sponsorship and/or mandate will help you. Everyone has a different opinion on this but most would probably advise to report outside of IT/IS. This helps avoid the "fox watching the hen house" syndrome. My office actually reports to the IT Director and is in the same office as the network & systems folks. This reporting relationship helps get the patching done on my terms since I manage both. Looking at the posts, SoggyBottom tackled this one pretty well.
6. Duties: Remember you're assessing, advising, and managing risk. The security office assesses and reports on current vulnerabilities in the infrastructure and assesses new ones, but in most cases is not the entity actually carrying out the remediation activities (re.: patching and upgrading the systems). Remediation belongs to the owners. This is the case mostly with small/mid size to large organizations: small businesses usually do both, but try to avoid that - you won't have time!
7. User Education: SoggyBottom covered this and I will reinforce... Users are the weak links, make them the strong ones. Educate on email practices, anti-virus, screen savers/pwd protect, passwords, social engineering, etc., etc. We distributed a guide that I can provide you if you PM me.
As you can see there's lots to do, and I'm sure you already know that.
Hope this helped some, good luck! :)