Re: Pre Production System Accreditation

["St Clair, Jim" <Jim.StClair () GT COM>]

Has anyone on the list had a chance to evaluate the new Secure
Configuration Automation Program now required in the Federal government?

"The Security Content Automation Protocol (SCAP) is a method for using
specific standards to enable automated vulnerability management,
measurement, and policy compliance evaluation (e.g., FISMA compliance)."

Here is a link to the NIST presentation, if interested:
http://nvd.nist.gov/scap/docs/ISAP-SecuritySolutions-2007.ppt


James A.St.Clair, CISM
Sr. Manager
Global Public Sector
Grant Thornton LLP
(703) 637-3078 (office)
(703) 727-6332 (mobile)
(703) 837-4455 (fax)


-----Original Message-----
From: Gary Dobbins [mailto:dobbins () ND EDU] 
Sent: Tuesday, September 04, 2007 11:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Pre Production System Accreditation

We have a similar step in our processes.  It definitely took some time 
to become ingrained and enough of the rough edges rounded to make it 
more tolerable, but in the end it benefits everyone.

We have a self-service Nessus scanner the engineers can use for 
verifying the absence (or non-exposure) of known vulnerabilities, and a 
design review step, among other procedural elements.

You're wise in considering this move, it will pay off down the road.
(what's the value of a compromise that DIDN'T happen?)


Chad McDonald wrote:
> I have proposed that GCSU develop a policy that would require that a
> server or system be accredited prior to moving that system into
> production.  The accreditation process among other things would verify
> that the system's security has been reviewed before potentially
> sensitive information is stored on or travels through that system.  I
> originally thought that this would blow through the policy approval
> process with flying colors, but unfortunately I'm being blocked by my
> own department's system administrators.  Am I completely off base with
> this recommendation? 
>
>
> Chad McDonald, CISSP, CISA 
> Chief Information Security Officer
> Georgia College & State University
> Phone   478.445.4473
> Cell    478.454.8250
> Fax     478.445.1202
> Email   chad.mcdonald () gcsu edu

-- 

   ------------------------------------------------------------
   Gary Dobbins, CISSP -- Director, Information Security
   University of Notre Dame, Office of Information Technologies
 

--------------------------------------------------------


In accordance with applicable professional regulations, please understand that, unless expressly stated otherwise, any 
written advice contained in, forwarded with, or attached to this e-mail is not intended or written by Grant Thornton 
LLP to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed under 
the Internal Revenue Code. 

--------------------------------------------------------

 This e-mail is intended solely for the person or entity to which it is addressed and may contain confidential and/or 
privileged information.  Any review, dissemination, copying, printing or other use of this e-mail by persons or 
entities other than the addressee is prohibited.  If you have received this e-mail in error, please contact the sender 
immediately and delete the material from any computer.