Corporate vs. technical security
My question is with regard to a more managerial aspect of IT. I was hoping to get your thoughts on the organizational fit of the IT security department. Specifically, in a company like mine (Ontario Power Generation) we have both corporate security and IT departments. But a real challenge has been in deciding where the IT security department should reside. I was hoping you might be able to shed some insights on how other leading companies deal with this issue and any other thoughts you have on this subject.
There is no one "right" way to place your IT security department. In most companies, there are several "levels" to your security policy. Your corporate security department is responsible for your company's general security policy. This is broad in scope and should provide guidance for what your corporate standards are, but will rarely go into technical detail. For example, it may contain things like your backup/retention policy, policies about handling of customer data and privacy, appropriate use policies, etc.
At the opposite end are the "hands on" people who actually have to implement the policy -- run the backups, configure the servers, set security on the database, and so on. Presumably, each of your IT departments will need at least one "hands on" person who is responsible for actually configuring/implementing the security policy.
In between, you may have an additional level of technical policy -- technical and/or management folks who decide what the corporate technical standards will be -- in other words, who decide on the specifics of configuration, etc. Your corporate policy may state that only web and email traffic should be allowed through your firewall. Your "hands on" person is the one who has to make this work. Your technical policy folks are the ones who decide that, in order to implement this policy, this specific ruleset should be configured on your firewall. This establishes a standard configuration that can then be implemented throughout your organization. It will depend on your company's organization, and the individuals involved, whether these 'technical decision makers', so to speak, should reside in your corporate office, or be made up of representatives from your individual departments, and so on.
Policy is the 'abstract' side of security; the other side is the practical day-to-day issues. What will the scope of your IT security department be? Will they strictly be responsible for developing and implementing security standards (configuring and monitoring the servers, network, etc.)? Will you have an extensive intrusion detection system that will require ongoing monitoring? Will you have an incident response team specifically to respond to and investigate possible problems? If so, from an operational standpoint, will it be better to have these duties centralized, with each IT department forwarding data or reporting to a single group? Or is it more practical for each department to operate independently? Are geographic factors an issue? Is it feasible to have a central incident response team if you have branch offices far from your headquarters?
These are some of the factors that you should consider, but there is no single answer to the question.
This was first published in July 2001