Educause Security Discussion mailing list archives
Re: Pre Production System Accreditation
From: Dan Johnson <djj4 () UWM EDU>
Date: Wed, 5 Sep 2007 09:37:28 -0500
Hi Jim,

Okay, I'll bite...

The thought concept that you present is dead-on accurate, if you are a security person or an auditor. I cannot argue that point one iota. Testing something before it is actually put into production, from a security standpoint, makes all the sense in the world. Of course any policy worth its weight will have that clause or step put into the policy; it only makes sense.

I think the area of disconnect for the replies is the 'problem space' that you suggest. Chad mentions that System Administrators are blocking this from going through. Not auditors, security personnel, etc... I read that to mean standard IT people. Quite possibly people who know computers inside and out, but wouldn't know what Wireshark was or what it is used for if it came up and bit them in the... This is the struggle between security IT people and standard IT people.

You are correct, my message came through as an us vs. them mentality, but sometimes, that is what is needed. (No worries, no quotes from Sun Tzu...) I, hopefully, presented an ideology that is less militant than quite a few other suggestions that I have heard over the years... That's why I stressed that we, as security-minded people, need to be viewed as an asset by other people who are not security minded. A lot of the decision makers (read: controllers of the purse strings) do not have security training, as well as some administrators. Quite possibly the ones that Chad mentions fall into this category. How about another analogy... you catch more flies with honey than you do with vinegar?

To use your airplane wing example... Do you test the wing only after it has been built to find out that it cannot withstand the subzero temperatures in the stratosphere, then go back and alter the manufacturing process? Or, do you try and find out if the materials used in the manufacturing of the airplane wing, before testing, can accommodate such harsh conditions? How do you educate the welders, metalworkers, suppliers, riveters, etc... that the new material is necessary for the final product? How do you get everyone involved into that mind set? Quite the dilemma and why we all have such wonderful jobs!

This is where I think we are on the same page. The step that Chad mentions is the final step of a process that is several steps, not the one and only step.

Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
PO Box 469
Mellencamp Hall, Room B60
Milwaukee, WI 53201
(414)229-2911

"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget." Thomas Szasz, The Second Sin (1973), "Personal Conduct"

-----Original Message-----
From: Jim Dillon [mailto:Jim.Dillon () CUSYS EDU]
Sent: Tuesday, September 04, 2007 5:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre Production System Accreditation

Chad,

Of course this is a great idea, and you should do it, not only because it's a great idea but:

1. It makes sense - do you try to fly a new airplane wing design without air tunnel testing, do you try to sail the ocean in a boat design that's never seen water? Can you create a secure product if you've never tested its security?

2. A test at this point in time does not put the data asset at risk. If you wait, then you not only risk the asset, you risk the service the system will provide to others.

3. There are fewer variables to test, why complicate the analysis needlessly? A baseline is a great tool for future evaluation comparisons.

4. It would absolutely be required at places that must certify their security, such as DoD contractors, and the like, so why isn't it a good idea here if security is indeed a requirement?

I can't imagine an auditor worth their salt wouldn't support the concepts, and of course without info into the specifics of the situation, the generic problem space you present seems to be a no-brainer. Test the safe before you put money into it - will it really keep it safe in a fire or not? What isn't sensible about that?

There are some good IT Auditors in the larger Georgia systems (Tech, State, etc.), so I hope you have access to one at your U; I don't know it well enough. But this shouldn't be an us vs. them issue as others have said; simple logic demonstrates value. Take the time to really ferret out the objectives of those dissenting, and perhaps seek some help on identifying the asset value of the production system to see if the potential return (loss avoidance perhaps) on a secure system is enough. If you are talking Credit Cards or SSNs or other regulated personal privacy this is a no-brainer deluxe and you should hold your ground.

Feel free to fire back some of the dissenting arguments and see if we can't pick at them some!

JD

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

-----Original Message-----
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU]
Sent: Tuesday, September 04, 2007 8:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre Production System Accreditation

I have proposed that GCSU develop a policy that would require that a server or system be accredited prior to moving that system into production. The accreditation process among other things would verify that the system's security has been reviewed before potentially sensitive information is stored on or travels through that system. I originally thought that this would blow through the policy approval process with flying colors, but unfortunately I'm being blocked by my own department's system administrators. Am I completely off base with this recommendation?

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone 478.445.4473
Cell 478.454.8250
Fax 478.445.1202
Email chad.mcdonald () gcsu edu