Re: Pre Production System Accreditation

[Jim Dillon <Jim.Dillon () CUSYS EDU>]

Chad,

Of course this is a great idea, and you should do it, not only because
it's a great idea but:

1. It makes sense - do you try to fly a new airplane wing design without
air tunnel testing, do you try to sail the ocean in a boat design that's
never seen water? Can you create a secure product if you've never tested
its security?
2. A test at this point in time does not put the data asset at risk.  If
you wait, then you not only risk the asset, you risk the service the
system will provide to others.
3. There are fewer variables to test, why complicate the analysis
needlessly?  A baseline is a great tool for future evaluation
comparisons.
4. It would absolutely be required at places that must certify their
security, such as DoD contractors, and the like, so why isn't it a good
idea here if security is indeed a requirement?

I can't imagine an auditor worth their salt wouldn't support the
concepts, and of course without info into the specifics of the
situation, the generic problem space you present seems to be a
no-brainer.  Test the safe before you put money into it - will it really
keep it safe in a fire or not?  What isn't sensible about that?  There
are some good IT Auditors in the larger Georgia systems (Tech, State,
etc.), so I hope you have access to one at your U, I don't know it well
enough.  But this shouldn't be an us vs. them issue as others have said,
simple logic demonstrates value.  Take the time to really ferret out the
objectives of those dissenting, and perhaps seek some help on
identifying the asset value of the production system to see if the
potential return (loss avoidance perhaps) on a secure system is enough.
If you are talking Credit Cards or SSNs or other regulated personal
privacy this is a no-brainer deluxe and you should hold your ground.

Feel free to fire back some of the dissenting arguments and see if we
can't pick at them some!

JD

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
 
 

-----Original Message-----
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU] 
Sent: Tuesday, September 04, 2007 8:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre Production System Accreditation

I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production.  The accreditation process among other things would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system.  I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators.  Am I completely off base with
this recommendation? 


Chad McDonald, CISSP, CISA 
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu