OS patches aren't a security team assignment? I would think AV and patching are slam dunk security team jobs. The organizational trick is who does the security team belong to? :). I agree on you SMS split - in our org, SMS is handled entirely by the "employee domain / workstation" team, but keep in mind this team has both Desktop Support and Systems Engineers.
So many ways to skin a cat... Dave From: Christopher Bodnar [mailto:[email protected]] Sent: Tuesday, June 02, 2009 11:27 AM To: NT System Admin Issues Subject: RE: Dept delegations (AV/ patching) We have a similar setup. It can be confusing, and there is always talk of restructuring the management of the systems. For example, here our SMS administration is divided. The Desktop team manages the desktops within SMS, and the server team manages the servers. But, technically the server team is responsible for the management of SMS globally. This is the same for package distribution and OS patches. Antivirus in our organization is handled by our Security team. The larger the organization the more "political" decisions like this become. YMMV Chris Bodnar, MCSE Sr. Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: [email protected]<mailto:[email protected]> Phone: 610-807-6459 Fax: 610-807-6003 ________________________________ From: [email protected] [mailto:[email protected]] Sent: Tuesday, June 02, 2009 2:19 PM To: NT System Admin Issues Subject: Re: Dept delegations (AV/ patching) I'd advocate for the Server / Workstation dichotomy in teams -- just as an example, if you don't do that then you have to make sure your workstation team understands what directories on a server must NOT be scanned by AV applications -- and that's not going to be their strength. On Tue, Jun 2, 2009 at 10:23 AM, David Lum <[email protected]<mailto:[email protected]>> wrote: Quiz: Two domains - basically an employee-used one (all our user accounts, and the servers in it are file/print, Exchange, SharePoint, employee-used apps, etc. The other domain has just web and database servers in it. Patching is delegated via one System Engineer team handles servers, the other team handles workstations. All AV is handled by the "workstation" SE team - even on servers, but currently no AV in the web/database server domain. After putting AV on the web server domain....wouldn't it make sense to have patching and AV handled similarly? Make it all "server team" and "workstation team" or make it "employee domain" / "web domain"? Certainly either way works, and our current environment would support jumping either direction - do any of you guys have a similar domain setup, and if so, how do you handle it? David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 -- David _____________________ We are summoned to act in wisdom and in conscience, to work with industry, to teach with persuasion, to preach with conviction, to weigh our every deed with care and compassion. ~Dwight D. Eisenhower ________________________________ This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
