
How big is your IT security department?

Recently, I've been asked by some people about the "right size" for an IT department. Here is a list of those questions:

  • Is there a rule of thumb (or best practice) regarding the number of people in the IT department?
  • Is there a ratio? (e.g. 1 IT support person for every 100 users)
  • Is it industry-dependent? (e.g. banking, telecommunication, manufacturing, retail, government)
  • Is there a common (organization) structure? e.g. help desk, technical support, planning, development, QA, security.

My current interest is finding the right structure for an IT security unit (department, team).

  • Should security be part of the IT department? Or Audit? Or directly under the CEO (which means there should be a Chief Security Officer)? Or ad hoc?
  • What is the best structure of a security unit? help desk, support, incident handling, etc.?
  • How many people and what are the requirements?
  • Is security certification important?

I need pointers, references, reading materials, and examples.

Comments

Anonymous said…
Sir, I'd like to ask: if a company has many workers, does that affect the results, compared with one that has only a few?
Anonymous said…
It just takes one greatest system administrator and a cup of coffee :)
Too many people holding security would be a disaster.
Anonymous said…
One greatest system administrator?
Come on..!?
We don't live in the ancient world, when computers were monstrous but offered a small amount of computing processing.

Today more and more computing processing with ubiquitous ability is happening. We need an organized team of security people with well-defined levels of responsibility. Not to mention the problem when that 'one greatest system administrator' moves to another company.. :)

Bud, What do you think?
Anonymous said…
Mas Budi,

I just watched William Caelli's seminar (you know him, right?). I forget how it started, but when it got to the topic of security on the Mac... wow, he burst out laughing. According to him, on the Mac security was never 'thought of' by the Mac's originators. Security is only a small part compared to that 'smooth' user interface.
It could even be compared with MS products, which still give importance to security.

Hehehe.. sorry if this has nothing to do with the topic.
Adinoto? What's your comment?
Anonymous said…
I assume that if you are talking about a department, team, etc., then this IT security must of course be truly solid and structured.
I agree with the first 2 comments from Anonymous above. Too many people can be a disaster; 1 person is also a disaster. In my opinion the IT security team should function as the implementer, monitor and evaluator of the IT security policies set by management. Key access to systems (e.g. root password) should also go through 2 stages of access, security team and management. Implement a Change Request system and use TRIPWIRE or an audit trail to monitor changes on systems. It is also important to bring in an independent 3rd party vendor to perform vulnerability assessment, penetration test, social engineering, etc.
By involving and coordinating with management, the security team can start from 1-2 people.

Comment?
