Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation


From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Tue, 4 Sep 2007 11:39:25 -0400

Chad, 

I think the initiative is right on the mark. 

I'm finding that it can be beneficial to start with the data owners.
Under NIST 800-18 (1.7.2 and 1.7.3), the SYSTEM OWNER and the
INFORMATION OWNER have responsibility for establishing the rules of
behavior and developing the system security plan. Working with the
system and information owners to help them develop solid requirements
(ensuring that the bar is high enough) helps to clarify what must be
done in the next project phases. 

The next component is to help the technical staff to identify and deploy
solutions that will meet the business requirements as defined by the
data owners. NIST 800-18 was helpful in establishing where these various
responsibilities should rest. 

Helping the data owners develop good standards which safeguard their
funding sources... and helping the systems administrators meet the
business requirements (being a SME for both camps) is a better place to
be than plain ol' policy for policy's sake.

This approach is being embraced by those who have grants that set the
requirements for security. Once security becomes common practice in that
arena then people will be more familiar with better security practices
and start to apply them elsewhere (one would hope). 

Best,

Dan Jones
IT Security Manager
University of Massachusetts Medical School


-----Original Message-----
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU] 
Sent: Tuesday, September 04, 2007 10:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre Production System Accreditation

I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production.  The accreditation process among other things would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system.  I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators.  Am I completely off base with
this recommendation? 


Chad McDonald, CISSP, CISA 
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu