[unisog] looking for a security firm

Jim Dillon Jim.Dillon at cusys.edu
Thu Oct 2 19:08:08 GMT 2003


Am I out of line to infer that not only do you not have a security "engineer" (a title I'm taking as a hands-on, architect sort of role), but you don't have a unified policy or security "officer" either?  Neither would surprise me, but I want to be clear about what isn't there...

If you want an architect/hands-on security implementer, then Eric's advice seems reasonable.  If you want a security officer and focal point for the development of policy, then I have a few misgivings to warn about.

1. The roles of security policy writer/developer and security execution/operations should be segregated when possible.  Combining those functions is dangerous and not generally recommended.  The combined capability and authority of a policy setter and implementer defeats many security controls, both those intended to protect the institution, and those intended to protect the individual.  (In other words you can foster a supercrook or you can falsely accuse a diligent innocent administrator, and the controls fail to protect against either.)  I've seen both the crook and the scapegoat in my short career.

2. Make sure any admin you might want to move into an "officer" role is a good communicator, comfortable with politics, and able to be hands off.  Many good admins have sense enough to know this isn't for them, but some are attracted by the apparent promotion and then find themselves ill-suited for the political gamesmanship that accompanies policy setting.

If you want someone to help in the policy realm (not server config policy, but institutional security policy - stuff like "least privileges" not router setup), you may find a consulting group like CANAUDIT or Jefferson Wells have folks versed in the "best practice" sort of thing, and if you want the engineering expertise, you may find someone like @Stake will provide better technical expertise.  Don't know how available such firms are to you there, but they do represent some options.

I'd personally like to see any University have both positions, a policy setter at a high level who doesn't report just through IT, but with dotted line business administration/planning responsibilities or compliance responsibilities, and a security architect to build the guidelines and working procedures in support of the policy.  It is a tough road to try and accomplish both, particularly without the necessary real or referent authority to accomplish the tasks.  Having one role for these duties in IT circles only can result in IT-centric risk evaluations, without a good grip on the institutional risk elements that also need to be addressed, and too often without sufficient authority to accomplish the task.

Anyway, I hope this is helpful to you at some level.  In the meantime, if you want some good ideas for security practice and policies, browse the NIST guidelines and pull the gems from the overburden.  There really is some good stuff out there at NIST.  Furthermore, you may find that complying with HIPAA, Gramm-Leach-Bliley, and Sarbanes-Oxley-like expectations may require official -in house- roles and officers, suggesting that outsourcing may not be a good long-term solution, unless you have these folks already (CPOs and CSOs) and only need a talented security architect.

Best regards,


-----Original Message-----
From: Eric Cartman [mailto:eric at uwo.ca]
Sent: Thursday, October 02, 2003 11:02 AM
To: Scott Genung
Cc: unisog at sans.org
Subject: Re: [unisog] looking for a security firm

I think you would be much farther ahead, both in terms of budget and
future development, if you would promote one of your sysadmins to
the role of security officer. You would have someone who is already
intimate with your network looking at a familiar problem, increasing
his/her knowledge base in house. You could make the case in the next
budget cycle, for another sysadmin.

Scott Genung wrote:

> All,
> Due to the events surrounding the impact of Blaster, Nachi, and their 
> variants this semester, the topic of network security has become a 
> paramount issue here at Illinois State. At this time, the University 
> does not have a security engineer despite an earlier recommendation 
> for hiring such a specialist.
> We are under a hiring freeze due to the current budget situation. As 
> an alternative, I have been asked to seek a list of security firms 
> that could potentially be used to provide these services until such 
> time that this position could be filled. I would greatly appreciate 
> any recommendations that you may have for a security firm that 
> provides these types of services. Thank you in advance for your comments.
> Scott Genung
> Manager of Networking Systems
> Telecommunications and Network Support Services
> 124 Julian Hall
> Illinois State University
> (309)438-8731   http://www.tnss.ilstu.edu  
