Educause Security Discussion mailing list archives
Re: Pre Production System Accreditation
From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Wed, 5 Sep 2007 10:51:46 -0600
Dan,

Inline below. Hard to debate when you are so agreeable, but some thoughts anyway... :)

JD

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

-----Original Message-----
From: Dan Johnson [mailto:djj4 () UWM EDU]
Sent: Wednesday, September 05, 2007 8:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre Production System Accreditation

Hi Jim,

Okay, I'll bite...

The thought concept that you present is dead-on accurate, if you are a security person or an auditor.

{**JD My dad used to argue that the truth is by definition the truth; it cannot be argued, it is axiomatic. There are some philosophical souls that might try, but only if you can choose to deny the axiom - most can't. JD**}

I cannot argue that point one iota.

{**JD Axiom confirmed? :) JD**}

Testing something before it is actually put into production, from a security standpoint, makes all the sense in the world. Of course any policy worth its weight will have that clause or step put into the policy; it only makes sense.

{**JD I assume from the original post that the server is meant to serve "sensitive" or "private" data, thus there is a precedent for Chad's expectations. JD**}

I think the area of disconnect for the replies is the 'problem space' that you suggest. Chad mentions that System Administrators are blocking this from going through. Not auditors, security personnel, etc...

{**JD I mention them as allies, not blockers. They should be familiar with local opinions and issues and be able to support the goal with insight into the actual value assessment for this particular institution - I don't think I missed the administrators issue data point. JD**}

I read that to mean standard IT people. Quite possibly people who know computers inside and out, but wouldn't know what Wireshark was or what it is used for if it came up and bit them in the...

This is the struggle between security IT people and standard IT people. You are correct, my message came through as an us vs. them mentality, but sometimes that is what is needed. (No worries, no quotes from Sun Tzu...) I, hopefully, presented an ideology that is less militant than quite a few other suggestions that I have heard over the years...

{**JD - Having the referent authority of the Board of Regents is quite helpful in the us vs. them situations for auditors. Seems like every idea we have is a good one if someone has to explain to the Regents why it isn't. Why is that, I wonder? :) That's certainly why I mentioned the auditors, but I'd still like a solution that didn't require arm twisting - sensibilities should prevail. Chad may want to take his case up the tree a bit to those with strategic responsibility rather than the admins; maybe some redirected pressure will help, but I still think a value case can be made. Just let's agree not to get into ROI or ROSI discussions, that'll cause a headache no one can cure. JD**}

That's why I stressed that we, as security-minded people, need to be viewed as an asset by other people who are not security minded.

{**JD - The easiest way I've found to do this is to help the IT folks recognize that attention by audit lends authority to the issue. In most cases what is missing is a history of support for control or security, which is seen by the unaware as a cost, not an asset. Typically the IT folks want to do it, but have no budgetary or authority support, thus when an audit provides the authority, they often run almost gleefully down the recently authorized security path. Better though, is to realize good security is like a good warranty. The sofa with a lifetime or 30 year warranty on all parts, including the cushions and fabrics, makes a much better impression, and is typically a much better product than the one with a one year limited warranty. (And it typically costs a bunch more - cost reflecting value.) I go home sleeping better buying that product. The IT product with tested security will make that parent much happier with his/her student's care/privacy than the one without - product value! The worse option is to have happen what happened at a "nameless" institution I know: a letter to the president wondering how serious the institution really was at providing service when the child of the letter writer had received 4 "We're Sorry - can we monitor your credit for you..." notices regarding data breaches with his/her private info involved. That's right, 4! No president or Board is going to stand for that kind of public image (see those Alumni donations flying bye-bye), and the value of security becomes apparent - it is an absolute requirement for a quality educational product, demanded by the customer through law and regulation. JD**}

A lot of the decision makers (read: controllers of the purse strings) do not have security training, nor do some administrators. Quite possibly the ones that Chad mentions fall into this category. How about another analogy...

{**JD - Which is why we've finally made such training mandatory and part of policy. All personnel will take basic training; those with access to Private or Restricted data will take advanced training - part of the performance review cycle for every individual. Painful getting here, almost 8 years of work on my part and help from a few negative but much publicized events!!! JD**}

You catch more flies with honey than you do with vinegar?

{**JD In this case vinegar at least kills a few flies; water didn't do anything. The honey is becoming apparent as the consequences and responsibilities tied to the management of regulated data become more apparent to end users through actual pain and through the training. Many, when they realize what they have to attest to, are starting to look for services and help. This will have a great positive impact on our overall security. JD**}

This is where I think we are on the same page. The step that Chad mentions is the final step of a process that is several steps, not the one and only step.

{**JD - And he shouldn't assume it is an easy step; it may take some time, but enlisting some local allies might help him better prepare for the du jour issues of his local constituents. We have legal and policy help from the state to heighten value awareness; I don't know what the situation is in GA. Federal "help" - more vinegar - is soon to arrive. - JD**}

Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee