Tuesday, 22 March 2016

Information Security Department: How is it set up?

Now before I start I just want to say that I’m sure there are a thousand ways in which to design an info sec department structure. I’m just going to cover off an example of how it might be set up.

I'm writing this because at one point in my life I assumed that having a single information security manager in a business was enough (or even if it was just bolted on to another job it would do!). This is clearly not the case. I now see some of the complexities involved and I wanted to share it with those who might be equally as oblivious as I was!

None Shall Pass!

First up is the IAM (Identity and Access Management) team. The focus of IAM is predominantly on receiving updates from the business to ensure that the appropriate access is granted or restricted on key business applications at all times. For example, information about joiners, movers, leavers etc. typically gets pulled from HR forms to the analyst for review. Equally, this team can be pulled on to new projects which require new access or to help identify any related risks. I’m told that for large organisations it’s totally normal to generate at least tens of thousands of access requests per quarter, which sounds like a tremendous amount of work if you ask me. Also, the risk of mistakes and oversight must be incredible. This appears to be one of the many facets of information security which go along quietly in the background unless something is flagged up…or even missed!
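To make the joiners/movers/leavers work concrete, here is an added example (not from the original post) of the kind of reconciliation an IAM analyst runs between an HR feed and an application's account export. The HR records, account names and department values are all constructed sample data; the three finding categories (leaver still enabled, mover with a stale entitlement, account with no HR owner) are my assumption of what such a review would flag.

```python
"""Joiners/movers/leavers reconciliation for an access review (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    department: str
    status: str                      # "active" or "leaver"
    leave_date: Optional[date] = None


@dataclass(frozen=True)
class AppAccount:
    username: str
    employee_id: Optional[str]       # None for service or unmapped accounts
    department: str                  # department the access was granted for
    enabled: bool


# Constructed sample HR feed and application account export.
HR_FEED = [
    HrRecord("E001", "Finance", "active"),
    HrRecord("E002", "Sales", "leaver", date(2016, 3, 1)),
    HrRecord("E003", "IT", "active"),
    HrRecord("E004", "Finance", "active"),          # moved here from Sales
]
ACCOUNTS = [
    AppAccount("alice", "E001", "Finance", True),
    AppAccount("bob", "E002", "Sales", True),        # leaver still enabled
    AppAccount("carol", "E003", "IT", False),        # disabled, nothing to flag
    AppAccount("dave", "E004", "Sales", True),       # mover with stale entitlement
    AppAccount("svc_backup", None, "IT", True),      # no HR owner on record
]

Finding = Tuple[str, str, str]   # (username, category, detail)


def reconcile(hr_feed: List[HrRecord], accounts: List[AppAccount],
              as_of: date) -> List[Finding]:
    """Compare enabled accounts against HR and return what the analyst should review."""
    by_id = {r.employee_id: r for r in hr_feed}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                                  # disabled access is not a risk here
        rec = by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            findings.append((acct.username, "orphan", "no matching HR record"))
        elif rec.status == "leaver" and (rec.leave_date is None or rec.leave_date <= as_of):
            findings.append((acct.username, "leaver", f"left on {rec.leave_date}"))
        elif rec.department != acct.department:
            findings.append((acct.username, "mover",
                             f"HR says {rec.department}, access granted for {acct.department}"))
    return findings


def summarise(findings: List[Finding]) -> dict:
    """Count findings per category, the headline number a review report would carry."""
    counts: dict = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for username, category, detail in reconcile(HR_FEED, ACCOUNTS, date(2016, 3, 22)):
        print(f"{category:7} {username:12} {detail}")
    print(summarise(reconcile(HR_FEED, ACCOUNTS, date(2016, 3, 22))))
```

The check deliberately skips disabled accounts and treats a missing HR owner as a finding rather than silently ignoring it, since unmapped service accounts are exactly the kind of thing that gets missed when requests arrive by the tens of thousands.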

What's that coming over the hill?

Next up is the threat intelligence team. Again, this to me looks like a fairly big task. The team is set up to receive updates on current and potential IT threats from a vast array of internal and external sources. This team must be pretty dynamic! I mean, they spend their days constantly risk and impact assessing what is essentially a 24/7 conveyor belt of newly uncovered threats. The wider business often receives a regular brief on the biggest threats and how they could affect the business, which I think is a great awareness-raising tool.

Stick to the rules!

Then there is the security governance team. These guys write policy for the entire business to adhere to internal security principles. This covers everything from clear desk policy to security design principles in new technology. The doctrine is cross-referenced with best practice and emerging regulations and, where appropriate, it gets updated and re-circulated. I’m often struck by how difficult this team’s remit must be. I mean, being custodian of a constantly changing rule book and trying to socialise the detail and educate employees every time must be a challenging role. I think most people will agree that, more often than not, unless something is glaringly different about the policy (or someone messed up really badly) operators tend not to pay much attention. From my own experience, trying to get them to read a single page can be a real struggle!

The Engine!

The word that gets bandied around a lot is the "SOC" (that’s the Security Operations Centre). These are the guys and girls that run the security control and analysis tools for their business. Firstly you have the incident response guys, who take ownership of information security incidents that impact the organisation and progress any remedial activity, e.g. lessons learned. Then you have the guys who build, configure, support and maintain the business's security infrastructure. These guys and girls are the security guards of the IT world and manage the everyday controls such as the SIEM and firewalls etc. to protect the business and the users.


Many businesses have a number of projects ongoing at any one time, and if the business is big enough you may also have an information security change consultant to advise on any potential risks. These consultants advise on data protection and other information security risks on each project to control or mitigate the impact of any changes.

No one size fits all...

Depending on the size of your business, many of these departments could be folded into one very busy role! Alternatively, there could be a different structure or other departments I haven't mentioned, but I wanted to share what a large InfoSec department might actually look like. Please feel free to contribute any other departments I might have missed!
