Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Reporting lines.

The classic discussion of where an information security officer (ISO) should report in an organization came up again recently.  One school of thought says the ISO should sit in IT; the other says the ISO should sit outside IT, and as high up the food chain as possible, to achieve objectivity and authority.

I’m pretty clear on where I think it should be:  in IT.  I think the people who believe it should be elsewhere aren’t IT people themselves and think IT security is all about policy.  It isn’t.

You don’t just pronounce policies from on high and wait for them to be implemented.  Often you have to help engineer the solution for the implementation, explain to the sysadmins or developers exactly how to do what you’re requesting, and check their work.  You have to be able to conduct investigations on the ground. 

Most importantly, though, you are extremely dependent upon the goodwill of the sysadmins, network people, and everyone else who actually runs the infrastructure.  They are the first line of defense, and they are your greatest source of intelligence.  If you don’t have a close working relationship with them, you’ll miss finding out about a lot of security incidents—especially insider activity, where the only reason it’s detected is that someone was very familiar with the normal behaviors and knew something was out of line.

You won’t have the trust of the IT people if you don’t work with them, among them, and (where possible) for them.  You help come up with tools to make their lives easier, and they’ll help you in return.  Many times I’ve had a first-level technician sidle into my office, close the door, and say, “Um, there’s something I think you should look at.”  You won’t get that if you’re in the C-level wing of the building.

The only time I can see reporting outside of IT is if you don’t have a supportive management chain, and therefore can’t get any policies or work implemented without being right next to the Top Hammer.  But that’s an indication of a bigger problem within the organization, and reporting there shouldn’t be the default.  (And for crissesake, don’t make the ISO report even further out of the organization, say to an external oversight group.  That would just be the Kiss O’ Death for getting anyone to talk to you, much less do you any favors.)

Posted by shrdlu on Monday, November 20, 2006
(3) Comments

Comments

LonerVamp United States on 11/20  at  11:24 AM:

I think you’re spot on! smile

United States on 10/24  at  11:28 AM:

The key to complete desktop security is intrusion prevention.  You should take care to use antivirus programs that come prepackaged with options that allow you to run preventative maintenance, because if you’re not trying to keep threats out, you’re taking two steps back every time you try to clean out your drive.

Unless you’re running Linux you’re going to need additional and strong Windows protection.  I understand that you are feeling let down by your recent anti-virus purchase, but don’t give up and don’t be afraid to spend a few more dollars on something good.  Make sure that your next purchase includes tools that assist in antiphishing and zero-day protection.

United States on 10/27  at  11:48 PM:

Yep, you’re absolutely correct.  I followed the advice you gave in your blog and found that almost all of my endpoint security applications were no longer functioning as they once did.  In many ways I wasn’t too surprised.  With all of the infections I’d been getting lately, I figured it was going to be something within those tools that needed fixing or changing.

The IIS firewall that I run was the only application I had that wasn’t completely outdated and functionless.  I’m already in the process of doing more security research and I’m hoping that I’ll quickly find a suitable replacement for the programs I currently use.  This is not an easy task but one that my computer will thank me for in the end.
