Educause Security Discussion mailing list archives
Re: Pre Production System Accreditation
From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Wed, 5 Sep 2007 16:08:37 -0400
I'll be happy to respond off-line other than to say everyone's information has been very helpful.

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone 478.445.4473
Cell 478.454.8250
Fax 478.445.1202
Email chad.mcdonald () gcsu edu
-----Original Message-----
From: Dan Johnson [mailto:djj4 () UWM EDU]
Sent: Wednesday, September 05, 2007
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre Production System Accreditation

Jim,

Very well played! You'll have to forgive me a little... I truly enjoy debates (which this is...) over the old tried and true flame war... Instead of adding more to the long message that this has become... the axiom provided is completely true. As security professionals, we all need to strive for the perfection of secure systems. In this scenario, which is usually true in most scenarios, the devil is in the details! How do we get there? Would we get fired for discussing this at great length? ;o)

Chad, if we haven't bored you to death yet while waxing philosophical, would you be willing to share a little more on your particular instance that you mentioned? Has there been security instilled before the measure that you had asked? Do the system administrators have a particular stance on why, exactly, they are opposed to this step? Please don't feel pressured to answer; my questions are a bit selfish. I would value other opinions on how to deal with this scenario with a little more information. Jim and I have slightly different opinions on how to view our constituents (half full, half empty type stuff), but I would love to investigate this scenario a bit further. Or is it just noise on the list?

Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
PO Box 469
Mellencamp Hall, Room B60
Milwaukee, WI 53201
(414)229-2911

"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget." Thomas Szasz, The Second Sin (1973), "Personal Conduct"

-----Original Message-----
From: Jim Dillon [mailto:Jim.Dillon () CUSYS EDU]
Sent: Wednesday, September 05, 2007 11:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre Production System Accreditation

Dan,

Inline below. Hard to debate when you are so agreeable, but some thoughts anyway... :)

JD
*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

-----Original Message-----
From: Dan Johnson [mailto:djj4 () UWM EDU]
Sent: Wednesday, September 05, 2007 8:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre Production System Accreditation

Hi Jim,

Okay, I'll bite... The thought concept that you present is dead-on accurate, if you are a security person or an auditor.

{**JD My dad used to argue that the truth is by definition the truth; it cannot be argued, it is axiomatic. There are some philosophical souls that might try, but only if you can choose to deny the axiom - most can't. JD**}

I cannot argue that point one iota.

{**JD Axiom confirmed? :) JD**}

Testing something before it is actually put into production, from a security standpoint, makes all the sense in the world. Of course any policy worth its weight will have that clause or step put into the policy; it only makes sense.

{**JD I assume from the original post that the server is meant to serve "sensitive" or "private" data, thus there is a precedent for Chad's expectations. JD**}

I think the area of disconnect for the replies is the 'problem space' that you suggest. Chad mentions that System Administrators are blocking this from going through. Not auditors, security personnel, etc...

{**JD I mention them as allies, not blockers. They should be familiar with local opinions and issues and be able to support the goal with insight into the actual value assessment for this particular institution - I don't think I missed the administrators issue data point. JD**}

I read that to mean standard IT people. Quite possibly people who know computers inside and out, but wouldn't know what Wireshark was or what it is used for if it came up and bit them in the... This is the struggle between security IT people and standard IT people.

You are correct, my message came through as an us vs. them mentality, but sometimes, that is what is needed. (No worries, no quotes from Sun Tzu...) I, hopefully, presented an ideology that is less militant than quite a few other suggestions that I have heard over the years...

{**JD - Having the referent authority of the Board of Regents is quite helpful in the us vs. them situations for auditors. Seems like every idea we have is a good one if someone has to explain to the Regents why it isn't. Why is that, I wonder? :) That's certainly why I mentioned the auditors, but I'd still like a solution that didn't require arm twisting - sensibilities should prevail. Chad may want to take his case up the tree a bit to those with strategic responsibility rather than the admins; maybe some redirected pressure will help, but I still think a value case can be made. Just let's agree not to get into ROI or ROSI discussions; that'll cause a headache no one can cure. JD**}

That's why I stressed that we, as security-minded people, need to be viewed as an asset by other people who are not security minded.

{**JD - The easiest way I've found to do this is to help the IT folks recognize that attention by audit lends authority to the issue. In most cases what is missing is a history of support for control or security, which is seen by the unaware as a cost, not an asset. Typically the IT folks want to do it, but have no budgetary or authority support, thus when an audit provides the authority, they often run almost gleefully down the recently authorized security path. Better though, is to realize good security is like a good warranty. The sofa with a lifetime or 30 year warranty on all parts, including the cushions and fabrics, makes a much better impression, and is typically a much better product than the one with a one year limited warranty. (And it typically costs a bunch more - cost reflecting value.) I go home sleeping better buying that product. The IT product with tested security will make that parent much happier with his/her student's care/privacy than the one without - product value! The worse option is to have happen what happened at a "nameless" institution I know: a letter to the president wondering how serious the institution really was at providing service when the child of the letter writer had received 4 "We're Sorry - can we monitor your credit for you..." notices regarding data breaches with his/her private info involved. That's right, 4! No president or Board is going to stand for that kind of public image (see those Alumni donations flying bye-bye), and the value of security becomes apparent - it is an absolute requirement for a quality educational product, demanded by the customer through law and regulation. JD**}

A lot of the decision makers (read: controllers of the purse strings) do not have security training, as well as some administrators. Quite possibly the ones that Chad mentions fall into this category. How about another analogy...

{**JD - Which is why we've finally made such training mandatory and part of policy. All personnel will take basic training; those with access to Private or Restricted data will take advanced training - part of the performance review cycle for every individual. Painful getting here, almost 8 years of work on my part and help from a few negative but much publicized events!!! JD**}

you catch more flies with honey than you do with vinegar?

{**JD - In this case vinegar at least kills a few flies; water didn't do anything. The Honey is becoming apparent as the consequences and responsibilities tied to the management of regulated data become more apparent to end users through actual pain and through the training. Many, when they realize what they have to attest to, are starting to look for services and help. This will have a great positive impact on our overall security. JD**}

This is where I think we are on the same page. The step that Chad mentions is the final step of a process that is several steps, not the one and only step.

{**JD - and he shouldn't assume it is an easy step; it may take some time, but enlisting some local allies might help him better prepare for the du jour issues of his local constituents. We have legal and policy help from the state to heighten value awareness; I don't know what the situation is in GA. Federal "help" - more vinegar - is soon to arrive. - JD**}

Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee