Who is responsible for the firewalls?
In my company our information security department is different from the network group. The network group handles the installation, upgrade, routing and IP address specification on the firewalls, while information security writes the rules. The problem is that almost all trouble shooting involves the two groups. For instance, in a session that involves VPN tunnels, information security will not be able to delete and reestablish a specific VPN tunnel as they would not have the right to. What have you seen in the industry? Should the firewall responsibility be split between two groups? If not, who should be responsible for the firewalls, information security or the LAN/WAN group?
Information security extends beyond networks and has much wider domain coverage. It's always a good practice to have a separate InfoSec department that works with all the business units and departments and helps implement the organization's ISMS. In regards to networks, Infosec works as an architect whereby they create IT security designs, policies, procedures and define IT security controls based on information security standards for network security. Network Team takes these as inputs and helps implement and enforce the same on their network infrastructure. An example of this is controlling inbound/outbound access through firewall rules.
This was first published in March 2007