Educause Security Discussion mailing list archives
Re: Pre Production System Accreditation
From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Tue, 4 Sep 2007 11:17:57 -0400
Has anyone on the list had a chance to evaluate the new Secure Configuration Automation Program now required in the Federal government?

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)."

Here is a link to the NIST presentation, if interested:
http://nvd.nist.gov/scap/docs/ISAP-SecuritySolutions-2007.ppt

James A.St.Clair, CISM
Sr. Manager
Global Public Sector
Grant Thornton LLP
(703) 637-3078 (office)
(703) 727-6332 (mobile)
(703) 837-4455 (fax)

-----Original Message-----
From: Gary Dobbins [mailto:dobbins () ND EDU]
Sent: Tuesday, September 04, 2007 11:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Pre Production System Accreditation

We have a similar step in our processes. It definitely took some time to become ingrained and enough of the rough edges rounded to make it more tolerable, but in the end it benefits everyone.

We have a self-service Nessus scanner the engineers can use for verifying the absence (or non-exposure) of known vulnerabilities, and a design review step, among other procedural elements.

You're wise in considering this move, it will pay off down the road. (What's the value of a compromise that DIDN'T happen?)

Chad McDonald wrote:
I have proposed that GCSU develop a policy that would require that a server or system be accredited prior to moving that system into production. The accreditation process among other things would verify that the system's security has been reviewed before potentially sensitive information is stored on or travels through that system.

I originally thought that this would blow through the policy approval process with flying colors, but unfortunately I'm being blocked by my own department's system administrators.

Am I completely off base with this recommendation?

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone 478.445.4473
Cell 478.454.8250
Fax 478.445.1202
Email chad.mcdonald () gcsu edu
--
Gary Dobbins, CISSP -- Director, Information Security
University of Notre Dame, Office of Information Technologies