
Reasons why enterprise networking and security roles must stay separate

If you're in charge of installing, configuring and maintaining network resources, it may be unclear where your responsibilities end. Can capable network managers, for example, stretch their duties into the security space, perhaps acting more like a chief security officer?


In this tip from our Ask the Experts section, contributor Shon Harris explains how keeping security and networking functions separate can benefit an organization.

Smaller companies often cannot afford to separate network and security responsibilities, but if your company has enough staff to split the networking, lab and security functions, do not share duties between them. There needs to be a clear delineation between networking and security because the two groups' focuses and goals differ. Networking's responsibility is mainly keeping resources up and available. Security's responsibility is protection, and compared with availability, protection is sometimes treated as the lower business priority.

Not only should the networking group and the security group have distinct and clearly defined tasks and responsibilities, but they should also have separate chains of command. The security group should not report to the networking group (i.e. to the network administrator) or to the chief information officer. Many companies do have their security departments reporting to the CIO, but usually only because they have no chief security officer (CSO). Sharing a chain of command creates a conflict of interest. For instance, suppose someone in security informs a network administrator that the firewall has an unsafe rule set. That rule may have been put in place by the same administrator to support a business need or a particular user's preference. There is a real chance that the administrator will rank the availability concern above the security issue and ignore the report.

Simply put, the networking group should maintain and configure network devices, and the security group should maintain and configure security devices.

A security officer can delegate some tasks, but delegation is often done incorrectly: the process is sloppy, and clear lines of responsibility are not laid out. If a security officer delegates security tasks to another individual, the decision should be approved by someone higher in the organization, and the change in responsibilities should be documented so that accountability remains clear.

Now, how you arrange responsibilities depends on the type of company you work in. In a privately held company, no auditors or regulators will force the company to do the right thing, but it should still follow the practices described above. That way the company is better protected and better able to detect and mitigate fraudulent activity.

If your company is publicly traded, internal and external auditors will check whether segregation of duties is in place and whether boundaries are being crossed. For a publicly traded company, compliance with the Sarbanes-Oxley Act (SOX) or the Gramm-Leach-Bliley Act (GLBA) matters to the CEO, the CFO and the other senior officers who sign off on controls.

The network lab manager and the CSO should perform their duties separately. If the CSO needs help, hire a security engineer and define that person's responsibilities explicitly rather than sharing the work with networking staff.

About the author:
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security education and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best-selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.

This was first published in January 2007
