Security Administration Function › Centralization or Decentralization

Centralization or Decentralization

After setting up the central security administration function, consider whether to centralize or decentralize the security function:

• Centralized security will:
  • Give concentrated control over changes in security and will possibly strengthen security enforcement.
  • Provide one point for security administration.
  • Make policies and procedures simpler to develop, enforce, and monitor.
  • Provide a higher level of security by limiting the number and distance of individuals authorized to change security definitions.
  • Allow for more flexible reporting.
  • Require fewer security staff members than would be required by a decentralized organization.
• But centralized security might:
  • Be less responsive to the user because of logical and physical distance from the user's environment.
  • Involve longer response times to react to maintenance requests.
  • Require a higher maintenance workload.
• Decentralized security will:
  • Allow more sensitivity to user requirements, since the administrator is more familiar with the resources being protected and with the users than is possible at the central level.
  • Allow faster response to maintenance requests.
  • Require a lower administration workload per administrator since security maintenance is delegated among several decentralized sites.
• But decentralized security might:
  • Require more complex policies and procedures.
  • Provide a lower level of security since the authority to modify security definitions are performed in many disassociated locations.
  • Require more time to implement.
  • Require additional overhead at the central level to monitor the activities of the decentralized administrators.

Many installations successfully use the central security administration approach and later decentralize the function wherever maintenance requirements make it practical. This allows the central level staff to become the security system experts before they are required to train and monitor administrators and staff on a decentralized level.