Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation


From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Tue, 4 Sep 2007 08:23:12 -0600

Chad,

You're not at all off-base with this suggestion. What you might be is a little over-eager :)

If you're getting push-back in your gatekeeper role, you might try addressing the problem earlier in the development 
cycle. Get yourself a seat at the weekly development team meetings (or visit the sysadmins' weekly meetings) and keep 
tabs on what's going on. If you can get them to trust you as a partner rather than an opponent, you might win them over.

As always, if I've misinterpreted your environment based on my reading of your question, please feel free to disregard 
any advice!

Steve Lovaas
Colorado State University

-----Original Message-----
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU]
Sent: Tuesday, September 04, 2007 8:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre Production System Accreditation

I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production.  The accreditation process, among other things, would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system.  I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators.  Am I completely off base with
this recommendation?


Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu
