Educause Security Discussion mailing list archives

Re: Vetting of software to be installed on production systems


From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Fri, 10 Apr 2009 10:28:26 -0400

Gary,

Does your school have Change Management/Program Development policies?

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : www.massachusetts.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jesse Thompson
Sent: Friday, April 10, 2009 10:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vetting of software to be installed on
production systems

Gary Flynn wrote:

I'm trying to provide some general guidance on making trust
decisions for software to be installed on production systems.

Does anyone have any documentation or policies concerning
a vetting procedure I could look at or any general advice?

How about:

Hire competent staff to perform technical reviews.  And trust them to 
make smart decisions.  Since all software is different, any vetting 
procedures you create would have to be so generic that they would be 
common sense to a competent technologist, and not thorough enough for a 
technologist that doesn't think outside the box.

Jesse
