What Should Information Security Be Responsible For?

In the enterprise environment, it seems there is always a battle over who should be responsible for what in IT. And there is always some manager or director who complains (or whose people do it for him or her) that Information Security seems to be overstepping its bounds. Where is that boundary, and where should it be? The answer to both questions is that it depends on the organizational structure, the expertise on different teams, and the culture of the organization.
A couple of areas that always seem to come up are email and network security controls. Let’s look at email first. No information security team wants to be responsible for working tickets about emails that weren’t delivered or restoring mailboxes. These activities should reside with an email team. However, who should control the settings on the mail scanner and what is or isn’t allowed through? I believe that regardless of who does the actual setting of the security controls on the mail scanner, the Information Security team should be the final decision makers on what the controls are set to. Since the Information Security team is the group that has the knowledge about the risks, vulnerabilities, and exploits, and they will be the group driving the Incident Response process, they need to have the ability to ensure that a defense-in-depth architecture is implemented.
Network services, specifically firewall configuration control, are also an area of concern for many organizations. I am all in favor of a Network team (whether they report to security or are separate) doing the wrench turning on the firewalls. The security analyst should stay out of it if at all possible. However, I believe that Information Security should be the approval authority for all firewall changes: rules, file types, even logging changes.
There are other areas of IT, such as A/V (endpoint protection), identity services, workstation and server gold images, etc., that also fall into the same category. Information Security doesn’t need to do the day-to-day work, but they need insight and, in some cases, approval authority over changes. It all comes down to one group knowing all aspects of the defense-in-depth strategy for an organization.
Until next time…
~Skeeter

*** This is a Security Bloggers Network syndicated blog from Skeeter Spray authored by Skeeter. Read the original post at: http://skeeterspray.blogspot.com/2016/06/what-should-information-security-be.html