Re: The procedural aspects and work valorization of an IT Security Service, Advice needed

[Mehdi Bahribayli <m.bahribayli () gmail com>]

Mohamed,

First of all choose an appropriate mailing list to post your question
(I think bs7799 () securityfocus com is most appropriate for your case)
and don't broadcast your mail to all available mailing lists!
The most important task in your case is to get support of higher
management. You can start with a "business case" document to present
impact of an information security management system on you business to
your managers (what should you pay? what would you gain? what will you
lose if you don't have such a system in place? ... ). You can complete
you "business case" with some real samples of malicious things that
can be done (Get permission of you manager before preparing those real
samples. Prepares samples that is related to issues very important to
your managers).

Stay Cool
Mehdi

On Sun, Mar 1, 2009 at 4:21 PM, Mohamed Aymen SAHLI
<sahli.aymen () gmail com> wrote:
> Hi list,
>
> I need pointing on an issue i have with my new job and I hope to find
> some help hereby.
>
> I am occupying an IT Security engineer position within a telecom
> operator, this position, and the matter of fact the whole security
> service, is considered to be purely belonging to the operations
> department having its duties mainly focused on maintaining the
> day-to-day supervision and administration of equipments and such like.
>
> There are two issues I would like to have you advice on:
>
> First, due to the fact that maintaining the smooth working of the IT
> Systems do not have direct appreciable results intelligible by the
> manager’s board, what mechanisms do you guys  use to valorize you work
> so it don’t goes overlooked.
>
> Secondly, as a direct result of considering the security as plus or
> minus a hardware administration matter, there is almost no procedures
> in place relating to security, change management/security issues
> logging and analysis etc… hence my question, what framework would you
> use to develop the procedural aspect of security and how would you
> convince the managers board of its importance. Are there any examples
> of documents relating to security incidents reporting, security
> project achievement follow-up etc… I could base my work on? …
>
> Looking forward to reading from you. All inputs are appreciated.
>
> Best regards.