Re: Pre Production System Accreditation

[Chad McDonald <chad.mcdonald () GCSU EDU>]

             A<0a0601c7efca$4b8e07a0$e2aa16e0$@edu>
             <7315857F21D51B449CC55ADE3A56831804047157 () ex2k3 ad cusys edu>
 <0aa701c7efe3$2451e530$6cf5af90$@edu>
X-Mailer: CTM PowerMail version 5.5.3 build 4480 English (PPC)
 <http://www.ctmdev.com>
Organization: Georgia College & State University
MIME-Version: 1.0
X-WatchGuard-Spam-ID: str=0001.0A010205.46DF0CCE.0020,ss=2,fgs=0
X-WatchGuard-Spam-Score: 2, suspect; 0, no virus
X-WatchGuard-Mail-From: chad.mcdonald () gcsu edu
X-WatchGuard-Mail-Recipients: SECURITY () LISTSERV EDUCAUSE EDU
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

I'll be happy to respond off-line other than to say everyone's
information has been very helpful.

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu

> Jim,
>
> Very well played!  You'll have to forgive me a little... I truly enjoy
> debates (which this is...), over the old tried and true flame war...
>
> Instead of adding more to the long message that this has become... the axiom
> provided is completely true.  As security professionals, we all need to
> strive for the perfection of secure systems.  In this scenario, which is
> usually true in most scenarios, the devil is in the details!  How do we get
> there?  Would we get fired for discussing this at great length? ;o)
>
> Chad, if we haven't bored you to death yet while waxing philosophical, would
> you be willing to share a little more on your particular instance that you
> mentioned?  Has there been security instilled before the measure that you
> had asked?  Do the system administrators have a particular stance on why,
> exactly, they are opposed to this step?
>
> Please don't feel pressured to answer, my questions are a bit selfish.  I
> would value other opinions on how to deal with this scenario with a little
> more information.  Jim and I have slightly different opinions on how to view
> our constituents (half full, half empty type stuff), but I would love to
> investigate this scenario a bit further.
>
> Or is it just noise on the list?
>
> Dan Johnson
> IS Comprehensive Services Senior
> University of Wisconsin-Milwaukee
> PO Box 469
> Mellencamp Hall, Room B60
> Milwaukee, WI  53201
> (414)229-2911
>
> "The stupid neither forgive nor forget; the naive forgive and forget; the
> wise forgive but do not forget."
>
> Thomas Szasz, The Second Sin (1973) "Personal Conduct"
>
>
>
>
> -----Original Message-----
> From: Jim Dillon [mailto:Jim.Dillon () CUSYS EDU]
> Sent: Wednesday, September 05, 2007 11:52 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Pre Production System Accreditation
>
> Dan, Inline below. Hard to debate when you are so agreeable, but some
> thoughts anyway...   :)
>
> JD
>
> *****************************************
> Jim Dillon, CISA, CISSP
> IT Audit Manager, CU Internal Audit
> jim.dillon () cusys edu
> 303-492-9734
> *****************************************
>
> -----Original Message-----
> From: Dan Johnson [mailto:djj4 () UWM EDU]
> Sent: Wednesday, September 05, 2007 8:37 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Pre Production System Accreditation
>
> Hi Jim,
>
> Okay, I'll bite...
>
> The thought concept that you present is dead-on accurate, if you are a
> security person or an auditor.
>
> {**JD My dad used to argue that the truth is by definition the truth, it
> cannot be argued, it is axiomatic.  There are some philosophical souls
> that might try, but only if you can choose to deny the axiom - most
> can't.  JD**}
>
> I cannot argue that point one iota. {**JD Axiom confirmed?  :)  JD**}
> Testing something before it is actually put into production, from a
> security standpoint, makes all the sense in the world.  Of course any
> policy worth its weight will have that clause or step put into the
> policy, it only makes sense.  {**JD I assume from the original post that
> the server is meant to serve "sensitive" or "private" data, thus there
> is a precedent for Chad's expectations.  **JD}
>
> I think the area of disconnect for the replies is the 'problem space'
> that
> you suggest.  Chad mentions that System Administrators are blocking this
> from going through.  Not auditors, security personnel, etc... {**JD I
> mention them as allies, not blockers.  They should be familiar with
> local opinions and issues and be able to support the goal with insight
> into the actual value assessment for this particular institution - I
> don't think I missed the administrators issue data point **JD} I read
> that to mean standard IT people.  Quite possibly people who know
> computers inside
> and out, but wouldn't know what Wireshark was or what is used for if it
> came
> up and bit them in the...
>
> This is the struggle between security IT people and standard IT people.
> You
> are correct, my message came through as an us vs. them mentality, but
> sometimes, that is what is needed.  (No worries, no quotes from Sun
> Tzu...)
> I, hopefully, presented an ideology that is less militant than quite a
> few
> other suggestions that I have heard over the years...
>
> {**JD - Having the referent authority of the Board of Regents is quite
> helpful in the us vs. them situations for auditors.  Seems like every
> idea we have is a good one if someone has to explain to the Regents why
> it isn't.  Why is that I wonder?   :).    That's certainly why I
> mentioned the auditors, but I'd still like a solution that didn't
> require arm twisting - sensibilities should prevail. Chad may want to
> take his case up the tree a bit to those with strategic responsibility
> rather than the admins, maybe some redirected pressure will help, but I
> still think a value case can be made, just let's agree not to get into
> ROI or ROSI discussions, that'll cause a headache no one can cure.
> JD**}
>
> That's why I stressed that us, as security-minded people, need to be
> viewed
> as an asset by other people who are not security minded.
>
> {**JD - The easiest way I've found to do this is to help the IT folks
> recognize that attention by audit lends authority to the issue.  In most
> cases what is missing is a history of support for control or security
> which is seen by the unaware as a cost, not an asset.  Typically the IT
> folks want to do it, but have no budgetary or authority support, thus
> when an audit provides the authority, they often run almost gleefully
> down the recently authorized security path.    Better though, is to
> realize good security is like a good warranty.  The sofa with a lifetime
> or 30 year warranty on all parts, including the cushions and fabrics,
> makes a much better impression, and is typically a much better product
> than the one with a one year limited warranty. (And it typically costs a
> bunch more - cost reflecting value.)  I go home sleeping better buying
> that product.  The IT product with tested security will make that parent
> much happier with his/her student's care/privacy than the one without,
> product value!  The worse option is to have happen what happened at a
> "nameless" institution I know: A letter to the president wondering how
> serious the institution really was at providing service when the child
> of the letter writer had received 4 "We're Sorry - can we monitor your
> credit for you..." notices regarding data breaches with his/her private
> info involved.  That's right, 4!  No president or Board is going to
> stand for that kind of public image, (see those Alumni donations flying
> bye-bye) and the value of security becomes apparent - it is an absolute
> requirement for a quality educational product, demanded by the customer
> through law and regulation. JD**}
>
> A lot of the decision making (read: controllers of the purse strings) do
> not have security training, as well as some administrators.  Quite
> possibly the ones that Chad mentions fall into this category.  How about
> another analogy...  {**JD - Which is why we've finally made such
> training mandatory and part of policy.  All personnel will take basic
> training, those with access to Private or Restricted data will take
> advanced training - part of the performance review cycle for every
> individual. Painful getting here, almost 8 years of work on my part and
> help from a few negative but much publicized events!!! JD**} you catch
> more flies with honey than you do with vinegar?  {JD** In this case
> vinegar at least kills a few flies, water didn't do anything.  The Honey
> is becoming apparent as the consequences and responsibilities tied to
> the management of regulated data become more apparent to end users
> through actual pain and through the training.  Many, when they realize
> what they have to attest to, are starting to look for services and help.
> This will have a great positive impact on our overall security JD**}
>
> This is where I think we are on the same page.  The step that Chad
> mentions
> is the final step of a process that is several steps, not the one and
> only
> step.  {**JD - and he shouldn't assume it is an easy step, it may take
> some time, but enlisting some local allies might help him better prepare
> for the du jour issues of his local constituents.  We have legal and
> policy help from the state to heighten value awareness, I don't know
> what the situation is in GA. Federal "help" - more vinegar - is soon to
> arrive. - JD**}
>
>
> Dan Johnson
> IS Comprehensive Services Senior
> University of Wisconsin-Milwaukee