In this tip from our Ask the Experts section, contributor Shon Harris explains how keeping security and networking functions separate can benefit an organization.
Smaller companies cannot afford to separate network and security obligations, but if your company has a large enough staff to split up networking, lab and security functions, then do not share duties. There needs to be a clear delineation between networking and security because the groups' focuses and goals are different. Networking's responsibilities mainly involve keeping resources up and available. Security is about protection, and compared to networking, this is sometimes considered a less important business priority.
Not only should the networking group and security group have distinct and clearly defined tasks and responsibilities, but they should also have separate chains of command. The security group should not report to the networking group (i.e. network administrator or chief information officer). Many companies do have their security departments reporting to the CIO, but this is only because they do not have a chief security officer (CSO). Problems can occur when sharing the same chain of command. For instance, let's say someone in security informs a network administrator that there is an unsafe rule set on the firewall. This traffic setting, though, may have been implemented by the network administrator to support a business need or a user's particular preference. There is a chance then that the administrator may rank the network concerns more of a priority than the security issue and ignore the information.
Simply put, the networking group should maintain and configure network devices, and the security group should maintain and configure security devices.
A security officer can delegate some tasks, but this is often done incorrectly. The process is usually sloppy, and clear lines of responsibility are frequently not laid out. If a security officer delegates some security tasks to another individual, the decision should be approved by someone in a higher position, and the change in responsibilities should be documented.
Now, your arrangement of responsibilities depends on what type of company you are working in. In a privately held company, there will not be any auditors or regulators forcing your company to do the right thing. If your company is privately held, it should still follow the best practices that I stated earlier. That way, the company is more protected and better able to mitigate potential fraudulent activities.
If your company is publicly traded, auditors (internal and external) will be detecting whether segregation of duties are in place and whether boundaries are being crossed. If the company is publicly traded, compliance with SOX or the Gramm-Leach-Bliley Act (GLBA) is important to the CEO, CFO and other security officers.
The network lab manager and the CSO should perform their duties separately. If the CSO needs help, then a security engineer should be hired to properly arrange the responsibilities.
About the author:
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.
This was first published in January 2007