Educause Security Discussion mailing list archives
Re: Security Reviews for New Systems / Services
From: Alexander Kurt Keller <alkeller () SFSU EDU>
Date: Tue, 24 Jan 2012 19:30:24 +0000
Hi Chris,

Our unit doesn’t have anything formal in place, but in the last year we have been making a cursory assessment of some higher profile products before they are purchased/implemented. It isn’t always possible in our environment, but we figured we had to start somewhere. Some of our inspiration came from HD Moore’s (Metasploit author and Rapid 7 CTO) talk at BSIDES in Feb 2011, who argues you will never have more leverage with the vendor (to address security issues) than BEFORE you purchase the product.

My colleague Mike Regan and I gave a short presentation at the DET/CHE 2011 conference on this topic entitled “Securing the Vendor”. Target audience was more for managers and technology generalists. Someone posted our slide deck here:
http://www.slideshare.net/DET_CHE_Conference_2011/regan-keller-sf-state-securing-the-vendor-mrak

Best,
alex

Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
☛ Burk Hall 155
☎ (415) 338-6117
✉ alkeller () sfsu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd
Sent: Tuesday, January 24, 2012 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Reviews for New Systems / Services

I’m wondering how organizations have a requirement that all new IT systems/services undergo a security review prior to purchase or implementation. By security review, I mean architecture, risk and control assessments, etc. as well as the use of tools like vulnerability scanners. If you’ve implemented a review, would you mind sharing your policy and any thoughts on implementation (resourcing, scope, lessons learned)?

Thanks,
Chris

Chris Kidd
Chief Information Security Officer
University of Utah
Current thread:
- Security Reviews for New Systems / Services Chris Kidd (Jan 24)
- Re: Security Reviews for New Systems / Services Alexander Kurt Keller (Jan 24)
- Re: Security Reviews for New Systems / Services David Seidl (Jan 25)