Saturday, September 10, 2005

How big is your IT security department?

Recently, I've been asked by some people about the "right size" for an IT department. Here is a list of those questions:

  • Is there a rule of thumb (or best practice) regarding the number of persons in the IT departement?
  • Is there a ratio? (eg. 1 IT support for every 100 users)
  • Is it industry-dependent? (eg. banking, telecommunication, manufactuing, retail, government)
  • Is there a common (organization) structure? eg. help desk, technical support, planning, development, QA, security.

My current interest is finding the right structure for an IT security unit (departement, team).

  • Should security be part of the IT departement? or Audit? or directly under CEO (which means there should be a Chief Security Officer)? or ad hoc?
  • What is the best structure of a security unit? help desk, support, incident handling, etc.?
  • How many people and what are the requirements?
  • Is security certification important?

I need pointers, references, reading materials, and examples.

5 comments:

viga said...

pak mau tanya.. kalo suatu perusahaan terdiri atas banyak pekerja mempengaruhi hasil yah? dibanding yang cuma dikit ?

Anonymous said...

It just take one greatest system administrator and a cup of coffee :)
too many people hold security would be a disaster.

Anonymous said...

One greatest system administrator?
come on..!?
We don't live in ancient world when computer was a monstrous but small amount in computing processing.

Today more and more computing processing with ubiquituous ability is happening. We need an organized team of security people with well-defined level of responsibility. Not to mention the problem when that 'one greatest system administrator' move to other company.. :)

Bud, What do you think?

Anonymous said...

Mas Budi,

Barusan saya liat seminarnya William Caelli (tau khan dia?). Saya lupa gimana awalnya, tapi tiba ke topik security di Mac... walah ketawa terbahak2 dia.. di Mac menurutnya security tidak pernah 'terpikirkan' oleh para penggagas Mac. Security hanya small part compare to that 'smooth' user interface..
Bahkan bisa dibandingkan juga dengan MS product yg masih mementingkan security.

Hehehe.. sorry kalau gak ada hubungannya dengn topik..
Adinoto? gimana komentarnya nih?

Anonymous said...

Saya asumsikan kalau Anda berbicara tentang department,team, etc. maka IT security ini tentunya harus yg benar2 solid dan terstructure.
Saya setuju dgn the first 2 comments from anonymous diatas. Terlalu banyak orang bisa disaster, 1 orang juga disaster. Menurut saya IT security team itu harusnya berfungsi sebagai pelaksana, monitor dan evaluasi IT security policies yg ditetapkan oleh management. Key access to systems (eg. root password) juga seharusnya melalui 2 tahap access, security team and management. Terapkan Change Request system dan pakai TRIPWIRE atau audit trail untuk memonitor changes on systems. Dan juga penting untuk menghadirkan independent 3rd party vendor untuk melakukan vulnerability assessment, penetration test, social engineering, etc.
Dengan mengikutsertakan dan kordinasi dgn management, maka security team bisa dimulai dari 1-2 orang.

Comment?