Educause Security Discussion mailing list archives
Re: Pre Production System Accreditation
From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Tue, 4 Sep 2007 11:39:25 -0400
Chad,

I think the initiative is right on the mark. I'm finding that it can be beneficial to start with the data owners. Under NIST 800-18 (1.7.2 and 1.7.3), the SYSTEM OWNER and the INFORMATION OWNER have responsibility for establishing the rules of behavior and developing the system security plan. Working with the system and information owners to help them develop solid requirements (ensuring that the bar is high enough) helps to clarify what must be done in the next project phases. The next component is to help the technical staff to identify and deploy solutions that will meet the business requirements as defined by the data owners. NIST 800-18 was helpful in establishing where these various responsibilities should rest.

Helping the data owners develop good standards which safeguard their funding sources... and helping the systems administrators meet the business requirements (being a SME for both camps) is a better place to be than plain ol' policy for policy's sake. This approach is being embraced by those who have grants that set the requirements for security. Once security becomes common practice in that arena then people will be more familiar with better security practices and start to apply them elsewhere (one would hope).

Best,
Dan Jones
IT Security Manager
University of Massachusetts Medical School

-----Original Message-----
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU]
Sent: Tuesday, September 04, 2007 10:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre Production System Accreditation

I have proposed that GCSU develop a policy that would require that a server or system be accredited prior to moving that system into production. The accreditation process, among other things, would verify that the system's security has been reviewed before potentially sensitive information is stored on or travels through that system.

I originally thought that this would blow through the policy approval process with flying colors, but unfortunately I'm being blocked by my own department's system administrators. Am I completely off base with this recommendation?

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone 478.445.4473
Cell 478.454.8250
Fax 478.445.1202
Email chad.mcdonald () gcsu edu