FinanceTechNews.com » Keep IT duties separate

Keep IT duties separate

June 3, 2008 by Valerie Helmbreck
Posted in: Communication, Compliance, In this week's e-newsletter, Information security, Latest News & Views

The dilemma is a common one: someone in security tells the network administrator that a firewall rule is unsafe. The problem is that the network admin put the rule in place to support a business need or a user’s preference. Whose opinion takes precedence, and who decides what to do?

Much depends on the kind of company you have – and who’s running the show.

In organizations where IT reports to the CFO, it’s up to finance to oversee how those responsibilities are arranged. How much latitude you have in arranging them depends on whether your company is publicly traded or privately held.

In a privately held company, the arrangement of responsibilities has fewer hard and fast rules.

There won’t be any auditors or regulators forcing your company to do certain things.

But you’ll still need to be protected from both external and internal threats to your network.

Smaller companies can rarely afford to separate network and security tasks, but if it’s possible, they should be in different hands with a clear separation between the two.

Each side should understand its goal:
• Network admins keep the system up and functioning, and
• Security protects the company from threats, a job that sometimes makes it a poor cousin to business interests.

If your company’s publicly traded, auditors (both internal and external) will be checking that duties are segregated and flagging cases where the boundaries have been crossed.

The CEO, CFO and other responsible officers will be checking that the company is complying with Sarbanes-Oxley rules (which apply to publicly traded companies) or Gramm-Leach-Bliley Act rules (which apply to financial institutions, whether public or private).

In this case, there’s no question about the separation of duties.

The important point is that the security and network staff have separate chains of command, so that a conflict between the two is escalated and decided by upper management rather than settled by whichever administrator happens to control the configuration.
