Educause Security Discussion mailing list archives

Re: Security Reviews for New Systems / Services


From: Alexander Kurt Keller <alkeller () SFSU EDU>
Date: Tue, 24 Jan 2012 19:30:24 +0000

Hi Chris,

Our unit doesn’t have anything formal in place, but in the last year we have been making a cursory assessment of some 
higher profile products before they are purchased/implemented. It isn’t always possible in our environment, but we 
figured we had to start somewhere. Some of our inspiration came from HD Moore’s (Metasploit author and Rapid 7 CTO) 
talk at BSIDES in Feb 2011, who argues you will never have more leverage with the vendor (to address security issues) 
than BEFORE you purchase the product.

My colleague Mike Regan and I gave a short presentation at the DET/CHE 2011 conference on this topic entitled “Securing 
the Vendor”. Target audience was more for managers and technology generalists. Someone posted our slide deck here: 
http://www.slideshare.net/DET_CHE_Conference_2011/regan-keller-sf-state-securing-the-vendor-mrak

Best,
alex

Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
☛ Burk Hall 155 ☎ (415)338-6117 ✉ alkeller () sfsu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris 
Kidd
Sent: Tuesday, January 24, 2012 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Reviews for New Systems / Services

I’m wondering how organizations have a requirement that all new IT systems/services undergo a security review prior to 
purchase or implementation. By security review, I mean architecture, risk and control assessments, etc. as well as the 
use of tools like vulnerability scanners.

If you’ve implemented a review, would you mind sharing your policy and any thoughts on implementation (resourcing, 
scope, lessons learned)?

Thanks,
Chris

Chris Kidd
Chief Information Security Officer
University of Utah
