Building the Security Organization

The organization that administers ESP determines the project's success or failure. Two principles are crucial to success:

  • The quality and security of data must be the responsibility of the business unit.

  • The distinction between security management and security administration must be clear.

Today, as in the past, IT organizations often assume responsibility for the quality and security of enterprise data. Because they write the security code into some applications, programmers sometimes have responsibility for devising the security policies that govern access to data. This allocation of responsibility is not appropriate. Business unit managers should understand the rules that apply to their data better than anyone else. However, to express those rules in a usable form, they need guidance from managers who specialize in security.

A "best practice" model for an enterprise's security organization is built on defining four roles associated with security. Three of them are security department positions: security director, security manager, and security administrator. These roles are associated with different skill sets, training, responsibilities, and pay scales. The fourth role, resource owner, typically is not a full-time job. Resource owners are managers within the lines of business who have been assigned responsibility for setting security policy under the guidance of a security manager. These distinctions are important because, when job descriptions are not defined, crucial tasks are often left undone. For example, resource owners typically focus on customer service, and that priority takes precedence over proper policy enforcement; emphasizing customer service over security can open holes in the security system. On the other hand, if the security staff lack knowledge of the resource, they may define weak policies.

The actual staffing levels for the security organization can vary widely by enterprise. Staff size is determined primarily by the value that an enterprise associates with security, ranging from very high for some government installations to very low in noncompetitive industries, and by the level of success of its investment in automation.

Security Leadership

The person who leads the security department usually works at the level of a director or vice president. In addition to coordinating departmental activities, the director of security must perform some key leadership tasks. The marketing programs described later in this chapter are divided into two sections: upward (to executives) and outward (to business unit managers and other nonexecutive staff). The director has primary responsibility for the upward marketing program. The structure of domains created in the next chapter can have significant implications for staffing levels, job assignments, and even the success probability of ESP. The director of security must understand the implications of that structure before committing to it.

Security Management

Security managers work with the resource owners to ensure that technology is applied properly. Security managers understand how resources can be protected and how the lines of business operate. By applying technology to the business problem of resource security, they can design and implement secure systems. Security managers are advisers and trainers. Most resource owners are managers. To be effective, their advisers in the security organization (the security management staff) must be at a similar management level. Security managers develop the strategies and determine the policies that apply to the business units and the enterprise.

Security Administration

All organizations experience change. Keeping security systems synchronized with that change is imperative. Employee transfers and resignations must be reflected rapidly (ideally, within minutes) in enterprise-wide security authorization databases. Security administrators perform administrative tasks that implement policies, such as assigning authorization levels to individual users.

In a role-based authorization scheme, the continual remapping of individuals to their appropriate corporate roles creates a steady volume of work as corporations adapt to new business environments.

Security administration systems based on the older, application-centric security models, rather than on role-based or data-centered models, are considerably more taxing for security administrators, who simply cannot keep up with the rate of change in a distributed environment.

For example, under the older model, when an employee is fired, the security staff must find every place that employee is defined and delete that employee's permissions. In a company with 4,000 servers, each housing multiple applications, sometimes hundreds at each server, just finding those authorization records can take weeks. The same effort is needed when someone changes jobs or when a new person is hired. Many companies say that it takes them three weeks to add a new employee because of this work overload. Efforts to automate, or at least simplify, this area are a top concern for security product vendors.
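The contrast between the two models is easier to see in code. The following is an added example written for this page, not code from the book or from any product it describes. The server names, application names, roles, and logins are constructed. In the application-centric model every server keeps its own authorization records, so a termination means searching each store, and a record held under a variant spelling of the login is simply never found. In the role-based model the person-to-role mapping is the single record to change, and the effective permissions everywhere follow from it.

```python
"""Role-based vs. application-centric authorization: the cost of change.

Added example; not code from the book. Application names, roles and
logins below are constructed for illustration.
"""
from copy import deepcopy

# Application-centric model: each server/application keeps its own
# authorization records keyed by login name, with no central index.
APP_CENTRIC = {
    "payroll-srv01/payroll": {"jsmith": {"read", "approve"}, "ahuang": {"read"}},
    "hr-srv07/benefits":     {"jsmith": {"read"}, "ahuang": {"read", "write"}},
    "fin-srv12/ledger":      {"jsmith": {"read"}},
    "ops-srv40/ticketing":   {"j.smith": {"read", "write"}},  # same person, variant login
}

# Role-based model: a central mapping from user to roles, and from role to
# the per-application permissions that role carries.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll-srv01/payroll": {"read", "approve"},
                      "hr-srv07/benefits": {"read"}},
    "analyst":       {"fin-srv12/ledger": {"read"},
                      "ops-srv40/ticketing": {"read", "write"}},
    "hr_specialist": {"hr-srv07/benefits": {"read", "write"},
                      "payroll-srv01/payroll": {"read"}},
}
USER_ROLES = {"jsmith": {"payroll_clerk", "analyst"}, "ahuang": {"hr_specialist"}}


def deprovision_app_centric(stores, login):
    """Delete a login from every application store it appears in.

    Returns (updated_stores, touched); touched lists the stores that held
    a record. Every store has to be searched, and a record kept under a
    variant spelling of the login is not found at all.
    """
    stores = deepcopy(stores)
    touched = []
    for name, acl in stores.items():
        if acl.pop(login, None) is not None:
            touched.append(name)
    return stores, touched


def deprovision_rbac(user_roles, login):
    """Remove the user's role assignments: one record in one store."""
    user_roles = deepcopy(user_roles)
    removed = user_roles.pop(login, set())
    return user_roles, removed


def change_job(user_roles, login, new_roles):
    """Transfer: replace the role set, and the old access goes with it."""
    user_roles = deepcopy(user_roles)
    user_roles[login] = set(new_roles)
    return user_roles


def effective_permissions(user_roles, role_permissions, login):
    """Per-application permissions derived from the role model (the union
    over all roles held). A user with no roles has no access anywhere."""
    effective = {}
    for role in user_roles.get(login, set()):
        for app, perms in role_permissions[role].items():
            effective.setdefault(app, set()).update(perms)
    return effective


def orphaned_records(stores, user_roles):
    """Application records whose login has no central role assignment.

    These are the leftovers the text says can take weeks to find; with a
    central role store they fall out of one comparison.
    """
    return sorted((app, login) for app, acl in stores.items()
                  for login in acl if login not in user_roles)


if __name__ == "__main__":
    stores, touched = deprovision_app_centric(APP_CENTRIC, "jsmith")
    roles, removed = deprovision_rbac(USER_ROLES, "jsmith")
    print("app-centric: searched", len(APP_CENTRIC), "stores, touched", touched)
    print("rbac: removed roles", sorted(removed), "-> effective access now",
          effective_permissions(roles, ROLE_PERMISSIONS, "jsmith"))
    print("records left behind with no owner:", orphaned_records(stores, roles))
```

Running the script shows the application-centric pass touching three of four stores and leaving the `j.smith` record on the ticketing server, while removing the role assignment leaves the same user with no effective permissions anywhere; the orphan check is the reconciliation a central role store makes cheap.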

Resource Ownership

Resource owners are not in the security organization; they work in the business departments. An enterprise secures resources to protect their business value. The knowledge of that value, and of changes in that value when the resource is used or updated, must come from the responsible business units. Most resource owners understand business value but have little understanding of the technology used to protect it. After security management has defined a resource classification scheme, the resource owners should determine the classification of each resource. Step 2 of this book covers the classification of resources in detail.

Where Security Reports

Most enterprises categorize security organizations as an IT function—ideally as a chief information officer (CIO) staff function. The relationship between security and information technology must be strong, because IT personnel install and maintain the security staff's primary tools.

Most security organizations use existing staff to meet new demands whenever possible; as a result, they grow without an organizational strategy, and job descriptions have expanded and become less uniform across the industry.

Consequently, replacing personnel is now more difficult. Selecting and scheduling training for security staff is also affected. The need to move to distributed security architectures has exacerbated the situation, as organizations have tried unsuccessfully to map significant retraining needs to existing job descriptions.

Using the current technology transition from centralized to distributed paradigms as an opportunity to reorganize the security organization offers the best solution. Enterprises can implement new structures and new job descriptions as a part of adopting ESP. This transition can also drive structural changes in IT organizations. The traditional "stovepipe" IT organization shown in Figure 1.1 grew new legs as each new technology was added to enterprise environments. Organizations promoted technical specialists to management above their particular area of technology specialization.

Figure 1.1 Traditional Stovepipe IT Organizational Structure

New application paradigms such as client/server and Web-based design, which distribute application components across many of these traditional technology areas, have forced a reassessment of this organizational style. In the stovepipe organization, security typically reports within the data center structure, simply because the data center is the most security-conscious organization in the enterprise.

A more effective style of organization is shown in Figure 1.2. This function-oriented structure integrates existing and new technologies and provides clear lines of responsibility for the success of business-oriented IT functions.

Figure 1.2 Function-Oriented Organizational Structure

Figure 1.2 also shows the security staff reporting directly to the CIO. This reporting line is important. Security should be centralized in a single department that can ensure that policies are applied across the enterprise with no gaps between departments, branches, and user domains. It should also report to the CIO rather than to a senior-level IT manager: the IT department is frequently the source of security compromises, so the security staff must be able to bypass IT staff and speak freely and directly to the CIO.

The ideal time to establish a centralized, technology-independent security department is during the transition to a function-oriented organizational structure.

Building Security Job Descriptions

The rate of technological change will continue to accelerate, and the jobs of today might have relatively short lives. Because of this factor, as many security functions as possible—in fact, all computer-support functions—should be automated.

The functions of a pure security administrator will soon disappear. As enterprises automate these functions, fully distribute them to their business units, and assimilate them into other job functions related to human resources, security administration will no longer be a separate business discipline. This projected change has significant implications for organizations that are now outsourcing their local administration functions. They may be locked into long-term outsourcing contracts at a time when they need to absorb these services into their business units.

Security management will continue as a required business discipline, but the number of practitioners will diminish as resource ownership becomes a more accepted part of management responsibility outside the security organization.

As with jobs, job descriptions developed now will have a shorter life than their predecessors and will continue to change as the technology changes. Thus, management should shorten the time invested in creating these descriptions. The templates that follow provide sample job descriptions.

NOTE

These templates aim to be comprehensive. Most organizations will select portions of the templates; very few will use them in their entirety.

Sample Templates of Security Job Descriptions

Director (or Vice President) of Security

Summary: Leads company in adopting and accepting appropriate security procedures. Manages department that ensures appropriate security controls are in existence and in force throughout the company.

Duties and Responsibilities:

  • Works with executive management to determine acceptable levels of risk for the company.

  • Works with business unit management to ensure that resource owner responsibilities are accepted and appropriately staffed.

  • Consults with Information Technology management to facilitate selection and use of realistic enforcement mechanisms.

  • Helps peer managers understand and respond to security audit failures reported by internal and external auditing departments.

  • Supervises security management staff and security administration staff.

  • Reviews and approves security policies and resource classification scheme.

  • Presents security status and project status to executive management and the Board of Directors.

Required skills, experience, and competencies: Bachelor's degree plus six years of information security experience or a minimum of eight years of information security experience. Ability to relate business requirements and risks to technology implementation for security-related issues. Knowledge of risk assessment procedures, policy formation, role-based authorization methodologies, authentication technologies, and security attack pathologies. Strong communications and public-speaking abilities. Demonstrated skills in budget management, personnel management, and contention management. Knowledge of current company business functions and operations.

Additional desired qualifications: CISSP or CISA preferred. Knowledge of distributed systems technology and client/server application design is beneficial. Second-level management experience strongly preferred.

Security Manager

Summary: Determines methods of implementing and enforcing security policies. Advises resource owners on forming appropriate security policies.

Duties and responsibilities:

  • Identifies existence of securable resources and helps business unit management select appropriate resource owner.

  • Works with resource owners in business units to determine appropriate security policies for securable resources.

  • Consults with Information Technology Technical Services staff to evaluate, select, install, and configure hardware and software systems that provide appropriate security functions.

  • Helps resource owners and Information Technology staff understand and respond to security audit failures reported by internal and external auditing departments. May review operational logs and event console activity to determine cause of security-related events or to identify potential security-related events.

  • Advises security administration staff on normal and exception processing of security authorization requests.

  • Documents security policies; maintains resource classification scheme; and presents information on security status, project status, and security training to audiences from top executive level to field staff as appropriate.

Required skills, experience, and competencies: Bachelor's degree plus three years of information security experience or a minimum of five years of information security experience. Ability to relate business requirements and risks to technology implementation for security-related issues. Knowledge of risk assessment procedures, policy formation, role-based authorization methodologies, authentication technologies, and security attack pathologies. Strong communications and public-speaking abilities.

Additional desired qualifications: CISSP or CISA preferred. Knowledge of distributed systems technology and client/server application design is beneficial. Experience as an IT auditor is highly valuable.

Security Administrator

Summary: Ensures the currency and accuracy of all authentication and authorization management systems.

Duties and responsibilities:

  • Accepts requests for change in authentication and authorization systems. Validates requestor and determines authorization of requestor.

  • Modifies authentication and authorization systems to match change requests.

  • Helps security managers determine "reasonableness" of policies requested by resource owners. Defines process for implementing new policies.

  • Identifies unauthorized changes to authentication and authorization systems and notifies Director of Security.

Required skills, experience, and competencies: Two-year college degree and two years' experience in office administration environment. Ability to see patterns and identify exceptions. Strong telephone and communications skills.

Additional desired qualifications: Knowledge of security procedures and technology. Understanding of audit processes.

Centralizing and Decentralizing Security Functions

Today, security administration is usually centrally managed and located. Many other systems management disciplines are becoming more centralized as skill shortages and economies of scale dominate organizational decisions. Security administration is not following this pattern; instead, the trend is toward further distribution of the responsibility to the lines of business, and it will accelerate as vendors deliver better tools.

The authority exercised by a security administrator in assigning roles and rights to individuals is a direct expression of the policies set by resource owners under the guidance of, and perhaps as executed by, the security manager. Basic security and audit rules require that some degree of separation exist within this triumvirate. As previously stated, the resource owners should be local to, that is, report within, the business units. As long as this condition is met, either security administration or security management, but not both, can also report within the business unit.

Consistent policy is also an audit requirement. Because security management staff manages policy, the security managers must be centralized. A new generation of tools that provide consistent policy enforcement through a delegation of administration mechanism makes possible the distribution of security administration.

Unfortunately, many organizations have achieved fully distributed security administration without the tools to enforce consistent policy and reduce administrative duplication. As a result, the least-secure system at the least-secure site is the hacker's port of entry into the entire enterprise's computing environment.

Centralized security management maintains effectiveness by controlling tools that provide delegation management and through internal audit procedures. The auditing process comprises three separate activities:

  • Static policy audit
  • Real-time event detection
  • Attack simulation

Chapter 9 describes the tools to support all these activities.
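The administrator duties above (validate the requestor, then apply the change, and report unauthorized changes to the Director of Security) and the real-time event detection listed here meet in one check: every change to an authentication or authorization system should trace back to an approved request, stay within that request's scope and time window, and be executed by someone other than the person who asked for it or the account it affects. The following is an added example for this page, not code from the book or from any tool Chapter 9 describes. The audit-log format, the change-request fields, and all names are constructed; a real directory or IAM product has its own schema.

```python
"""Reconcile authorization-system change events against approved requests.

Added example; not code from the book. Log format, ticket fields and names
are constructed for illustration.
"""
import json
from datetime import datetime

# Approved change requests as the security administrator records them after
# validating the requestor (constructed). valid_from/valid_to bound the
# window in which the approved change may be applied.
APPROVED_REQUESTS = [
    {"ticket": "CR-1041", "requestor": "m.lopez", "approved_by": "r.owner.payroll",
     "action": "revoke_role", "target": "jsmith", "role": "payroll_clerk",
     "valid_from": "2024-03-04T09:00:00", "valid_to": "2024-03-05T09:00:00"},
    {"ticket": "CR-1042", "requestor": "r.owner.hr", "approved_by": "r.owner.hr",
     "action": "grant_role", "target": "ahuang", "role": "hr_specialist",
     "valid_from": "2024-03-04T09:00:00", "valid_to": "2024-03-05T09:00:00"},
]

# Audit events emitted by the authorization system, newline-delimited JSON
# (constructed). Event 1 is a clean, approved revocation; event 2 grants a
# role the ticket never mentioned; event 3 is a service account granting
# itself access with no ticket at all; event 4 applies CR-1042 a day after
# its window closed; event 5 is the requestor applying his own request.
EVENTS = """
{"ts": "2024-03-04T10:15:00", "actor": "secadmin1", "action": "revoke_role", "target": "jsmith", "role": "payroll_clerk", "ticket": "CR-1041"}
{"ts": "2024-03-04T10:16:00", "actor": "secadmin1", "action": "grant_role", "target": "jsmith", "role": "domain_admin", "ticket": "CR-1041"}
{"ts": "2024-03-04T23:40:00", "actor": "dba-svc", "action": "grant_role", "target": "dba-svc", "role": "hr_specialist", "ticket": null}
{"ts": "2024-03-06T08:00:00", "actor": "secadmin2", "action": "grant_role", "target": "ahuang", "role": "hr_specialist", "ticket": "CR-1042"}
{"ts": "2024-03-04T11:00:00", "actor": "r.owner.hr", "action": "grant_role", "target": "ahuang", "role": "hr_specialist", "ticket": "CR-1042"}
"""


def parse_events(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def check_event(event, requests_by_ticket):
    """Return the reasons this change is suspect; empty means it is covered
    by an approved, in-scope, in-window request applied by a third party."""
    reasons = []
    if event["actor"] == event["target"]:
        reasons.append("actor modified own access")
    ticket = event.get("ticket")
    if not ticket:
        reasons.append("no change ticket")
        return reasons
    req = requests_by_ticket.get(ticket)
    if req is None:
        reasons.append(f"unknown ticket {ticket}")
        return reasons
    if (event["action"], event["target"], event["role"]) != (req["action"], req["target"], req["role"]):
        reasons.append("change outside ticket scope")
    ts = datetime.fromisoformat(event["ts"])
    window = (datetime.fromisoformat(req["valid_from"]), datetime.fromisoformat(req["valid_to"]))
    if not window[0] <= ts <= window[1]:
        reasons.append("outside approval window")
    # Separation of duties: whoever asked for or approved the change must
    # not be the one who applies it.
    if event["actor"] in (req["requestor"], req["approved_by"]):
        reasons.append("requestor/approver executed own request")
    return reasons


def audit(events_text, requests):
    """Run every event through check_event; return only the flagged ones."""
    by_ticket = {r["ticket"]: r for r in requests}
    findings = []
    for n, ev in enumerate(parse_events(events_text), start=1):
        reasons = check_event(ev, by_ticket)
        if reasons:
            findings.append({"event": n, "actor": ev["actor"], "target": ev["target"],
                             "ticket": ev.get("ticket"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(EVENTS, APPROVED_REQUESTS):
        print(f"event {f['event']}: {f['actor']} -> {f['target']} "
              f"[{f['ticket']}] {'; '.join(f['reasons'])}")
```

The same check runs two ways: over a live event feed it is the real-time detection in the list above, and over a periodic dump of the authorization store compared with the request history it becomes the static policy audit. Either way, a flagged event is what the administrator's job description says to escalate to the Director of Security.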
