We’re considering either transferring all ownership of our firewalls to our Security organization or creating a new firewall role that would allow our Security organization to fully manage the firewall ruleset. How are other firms organized? Our firewalls are currently the responsibility of our Network team. However, the approval for any firewall rule change requires our Security team to review and approve the change before the Network team implements. That’s largely worked well, but we’re evaluating if our Security organization should have greater responsibilities. If you have a separate Network and Security team, I’d appreciate hearing your thoughts.
Managing Director & Chief Information Technology Officer in Finance (non-banking), a year ago
Our operating model closely aligns with this one, wherein firewall rules are managed by our operations team, and any new rules or patterns undergo review and approval by a security solution architect. We made an attempt to integrate the firewall team into the cyber team; however, it proved unsuitable due to the operational nature of the work. Consequently, we had to revert to our original approach and reintegrate them back into the I&O team.
It depends on your overall security model, i.e., whether your security team is 'oversight' or 'operational' or a mix of both. If you currently have an oversight model, adding firewalls to the team would be a significant change in what the team does and how it functions. If they are already operational, then less so. My team is oversight + operational, and this means we have to have better controls for ourselves around assurance of our operations, e.g., making sure we test ourselves as much as we test others.