To start, I think this is on topic, not off, fwiw.
No one can implement security properly without a security plan. That plan
includes an assessment of what needs to be protected, and of those items,
their relative importance. It also includes an overall analysis of an
organization's weaknesses and the techniques to be used to protect them.
I believe that this plan must be made up by insiders with a lot of security
AND corporate (at that company) experience, or a combination of experienced
consultants and insiders. Once the plan is in place, the insiders should be
responsible for implementation and the outsiders for validation. Much as
authors hire copy editors, those who implement should be different from
those who test.
Finally, the maintenance is the responsibility of the insiders.
Others will disagree, I'm sure.
Steve
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Richard Ginski
Sent: Wednesday, May 24, 2000 10:41 AM
To: [EMAIL PROTECTED]
Subject: Security Professionals: Inside the Org? Outside the Org? Or Both?
I apologize for discussing this topic on this list. I felt that this is the
most appropriate list to discuss this subject:
I have been "un-officially" the security professional for our organization
for a few years now. I have begun to implement a security infrastructure for
our organization. I soon expect to be officially assigned the title. I will
be making a presentation to our Data Processing board in the next month
regarding security in our organization and plan on addressing the following
issue in my presentation:
I am aware that they want to hire outside consultants to perform the
security tasks in our organization. Due to the size of our organization, the
Data Processing board is not aware of what has already been implemented
regarding security in our organization. I don't intend this to be a
flame-war, however, I am seeking input as to what other organizations are
doing regarding security professionals hired inside the organization versus
hiring outside consultants to perform these tasks. I feel there should be
some combination (balance) of inside security professionals developing and
maintaining a security infrastructure and outside consultants doing periodic
security audits. I am seeking input from my peers on the list as to how they
feel about inside security professionals versus outside security
professionals or some combination thereof. I am trying to gain a consensus
on this subject. Your input and justification are greatly appreciated.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]