Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation


From: Matthew Keller <kellermg () POTSDAM EDU>
Date: Tue, 4 Sep 2007 10:21:16 -0400

On Tue, 2007-09-04 at 10:13 -0400, Chad McDonald wrote:
I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production.  The accreditation process among other things would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system.  I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators.  Am I completely off base with
this recommendation?

Chad,

It really depends on your requirements. I have implemented a "hardening
policy" with our server team, and they've embraced it whole-heartedly.

I worked WITH them to determine what's realistic, and what's just my ISO
pipe dream. Also, they are in the driver's seat when it comes to
"accreditation" and documentation. I retain auditing oversight to
prevent inbred blinders from being a problem, but they get to do the
right thing "in house". Sysadmins don't like policy inflicted on them,
and they REALLY don't like people staring over their shoulder when they
work.

So no, you're not off base with your goal, but you may be going about it
in an offensive (unintentionally) manner. Scrap your policy; engage the
admins; write it together; keep oversight and auditing; give them as
much other control as they want.

--
Matthew Keller
Information Security Officer & Network Administrator
Computing & Technology Services
State University of New York @ Potsdam
Potsdam, NY, USA
http://mattwork.potsdam.edu/