Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Wed, 5 Sep 2007 10:51:46 -0600

Dan, Inline below. Hard to debate when you are so agreeable, but some
thoughts anyway...   :)

JD

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
 
-----Original Message-----
From: Dan Johnson [mailto:djj4 () UWM EDU] 
Sent: Wednesday, September 05, 2007 8:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre Production System Accreditation

Hi Jim, 

Okay, I'll bite...

The thought concept that you present is dead-on accurate, if you are a
security person or an auditor. 

{**JD My dad used to argue that the truth is by definition the truth, it
cannot be argued, it is axiomatic.  There are some philosophical souls
that might try, but only if you can choose to deny the axiom - most
can't.  JD**} 

I cannot argue that point one iota. {**JD Axiom confirmed?  :)  JD**}
Testing something before it is actually put into production, from a
security standpoint, makes all the sense in the world.  Of course any
policy worth its weight will have that clause or step put into the
policy, it only makes sense.  {**JD I assume from the original post that
the server is meant to serve "sensitive" or "private" data, thus there
is a precedent for Chad's expectations.  JD**}

I think the area of disconnect for the replies is the 'problem space'
that you suggest.  Chad mentions that System Administrators are blocking
this from going through.  Not auditors, security personnel, etc... {**JD
I mention them as allies, not blockers.  They should be familiar with
local opinions and issues and be able to support the goal with insight
into the actual value assessment for this particular institution - I
don't think I missed the administrators issue data point JD**} I read
that to mean standard IT people.  Quite possibly people who know
computers inside and out, but wouldn't know what Wireshark was or what
it is used for if it came up and bit them in the...

This is the struggle between security IT people and standard IT people.
You are correct, my message came through as an us vs. them mentality,
but sometimes, that is what is needed.  (No worries, no quotes from Sun
Tzu...)  I, hopefully, presented an ideology that is less militant than
quite a few other suggestions that I have heard over the years...

{**JD - Having the referent authority of the Board of Regents is quite
helpful in the us vs. them situations for auditors.  Seems like every
idea we have is a good one if someone has to explain to the Regents why
it isn't.  Why is that, I wonder?  :)  That's certainly why I
mentioned the auditors, but I'd still like a solution that didn't
require arm twisting - sensibilities should prevail.  Chad may want to
take his case up the tree a bit to those with strategic responsibility
rather than the admins; maybe some redirected pressure will help, but I
still think a value case can be made.  Just let's agree not to get into
ROI or ROSI discussions; that'll cause a headache no one can cure.
JD**}

That's why I stressed that we, as security-minded people, need to be
viewed as an asset by other people who are not security minded.

{**JD - The easiest way I've found to do this is to help the IT folks
recognize that attention by audit lends authority to the issue.  In most
cases what is missing is a history of support for control or security,
which is seen by the unaware as a cost, not an asset.  Typically the IT
folks want to do it, but have no budgetary or authority support; thus
when an audit provides the authority, they often run almost gleefully
down the recently authorized security path.  Better though, is to
realize good security is like a good warranty.  The sofa with a lifetime
or 30 year warranty on all parts, including the cushions and fabrics,
makes a much better impression, and is typically a much better product
than the one with a one year limited warranty. (And it typically costs a
bunch more - cost reflecting value.)  I go home sleeping better buying
that product.  The IT product with tested security will make that parent
much happier with his/her student's care/privacy than the one without -
product value!  The worst option is to have happen what happened at a
"nameless" institution I know: a letter to the president wondering how
serious the institution really was at providing service when the child
of the letter writer had received 4 "We're Sorry - can we monitor your
credit for you..." notices regarding data breaches with his/her private
info involved.  That's right, 4!  No president or Board is going to
stand for that kind of public image (see those Alumni donations flying
bye-bye), and the value of security becomes apparent - it is an absolute
requirement for a quality educational product, demanded by the customer
through law and regulation. JD**}

A lot of the decision makers (read: controllers of the purse strings) do
not have security training, as well as some administrators.  Quite
possibly the ones that Chad mentions fall into this category.  How about
another analogy...  {**JD - Which is why we've finally made such
training mandatory and part of policy.  All personnel will take basic
training; those with access to Private or Restricted data will take
advanced training - part of the performance review cycle for every
individual.  Painful getting here, almost 8 years of work on my part and
help from a few negative but much publicized events!!! JD**} you catch
more flies with honey than you do with vinegar?  {**JD In this case
vinegar at least kills a few flies; water didn't do anything.  The honey
is becoming apparent as the consequences and responsibilities tied to
the management of regulated data become more apparent to end users
through actual pain and through the training.  Many, when they realize
what they have to attest to, are starting to look for services and help.
This will have a great positive impact on our overall security. JD**}

This is where I think we are on the same page.  The step that Chad
mentions is the final step of a process that is several steps, not the
one and only step.  {**JD - and he shouldn't assume it is an easy step,
it may take some time, but enlisting some local allies might help him
better prepare for the du jour issues of his local constituents.  We
have legal and policy help from the state to heighten value awareness;
I don't know what the situation is in GA.  Federal "help" - more
vinegar - is soon to arrive. - JD**}


Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
