Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation


From: Dan Johnson <djj4 () UWM EDU>
Date: Wed, 5 Sep 2007 09:37:28 -0500

Hi Jim,

Okay, I'll bite...

The thought concept that you present is dead-on accurate, if you are a
security person or an auditor.  I cannot argue that point one iota.  Testing
something before it is actually put into production, from a security
standpoint, makes all the sense in the world.  Of course any policy worth
its weight will have that clause or step put into the policy; it only makes
sense.

I think the area of disconnect for the replies is the 'problem space' that
you suggest.  Chad mentions that System Administrators are blocking this
from going through.  Not auditors, security personnel, etc... I read that to
mean standard IT people.  Quite possibly people who know computers inside
and out, but wouldn't know what Wireshark was or what it is used for if it
came up and bit them in the...

This is the struggle between security IT people and standard IT people.  You
are correct, my message came through as an us vs. them mentality, but
sometimes, that is what is needed.  (No worries, no quotes from Sun Tzu...)
I, hopefully, presented an ideology that is less militant than quite a few
other suggestions that I have heard over the years...

That's why I stressed that we, as security-minded people, need to be viewed
as an asset by other people who are not security minded.  A lot of the
decision making (read: controllers of the purse strings) do not have
security training, as well as some administrators.  Quite possibly the ones
that Chad mentions fall into this category.  How about another analogy...
you catch more flies with honey than you do with vinegar?

To use your airplane wing example... Do you test the wing only after it has
been built to find out that it cannot withstand the subzero temperatures in
the stratosphere, then go back and alter the manufacturing process?  Or, do
you try and find out if the materials used in the manufacturing of the
airplane wing, before testing, can accommodate such harsh conditions?  How
do you educate the welders, metalworkers, suppliers, riveters, etc... that
the new material is necessary for the final product?  How do you get
everyone involved into that mind set?

Quite the dilemma and why we all have such wonderful jobs!

This is where I think we are on the same page.  The step that Chad mentions
is the final step of a process that is several steps, not the one and only
step.


Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
PO Box 469
Mellencamp Hall, Room B60
Milwaukee, WI  53201
(414)229-2911

"The stupid neither forgive nor forget; the naive forgive and forget; the
wise forgive but do not forget."

Thomas Szasz, The Second Sin (1973) "Personal Conduct"




-----Original Message-----
From: Jim Dillon [mailto:Jim.Dillon () CUSYS EDU]
Sent: Tuesday, September 04, 2007 5:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre Production System Accreditation

Chad,

Of course this is a great idea, and you should do it, not only because
it's a great idea but:

1. It makes sense - do you try to fly a new airplane wing design without
air tunnel testing, do you try to sail the ocean in a boat design that's
never seen water? Can you create a secure product if you've never tested
its security?
2. A test at this point in time does not put the data asset at risk.  If
you wait, then you not only risk the asset, you risk the service the
system will provide to others.
3. There are fewer variables to test, why complicate the analysis
needlessly?  A baseline is a great tool for future evaluation
comparisons.
4. It would absolutely be required at places that must certify their
security, such as DoD contractors, and the like, so why isn't it a good
idea here if security is indeed a requirement?

I can't imagine an auditor worth their salt wouldn't support the
concepts, and of course without info into the specifics of the
situation, the generic problem space you present seems to be a
no-brainer.  Test the safe before you put money into it - will it really
keep it safe in a fire or not?  What isn't sensible about that?  There
are some good IT Auditors in the larger Georgia systems (Tech, State,
etc.), so I hope you have access to one at your U, I don't know it well
enough.  But this shouldn't be an us vs. them issue as others have said,
simple logic demonstrates value.  Take the time to really ferret out the
objectives of those dissenting, and perhaps seek some help on
identifying the asset value of the production system to see if the
potential return (loss avoidance perhaps) on a secure system is enough.
If you are talking Credit Cards or SSNs or other regulated personal
privacy this is a no-brainer deluxe and you should hold your ground.

Feel free to fire back some of the dissenting arguments and see if we
can't pick at them some!

JD

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************



-----Original Message-----
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU]
Sent: Tuesday, September 04, 2007 8:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre Production System Accreditation

I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production.  The accreditation process among other things would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system.  I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators.  Am I completely off base with
this recommendation?


Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu
