Educause Security Discussion mailing list archives

Re: Security Reviews for New Systems / Services


From: David Seidl <dseidl () ND EDU>
Date: Wed, 25 Jan 2012 09:02:25 -0500

Chris,

We have multiple steps. Our policy is primarily wrapped around our Standards and Architecture team, which is part of 
our project process.


1. We have a set of security questions that are integrated into our RFP and initial vendor review processes.

2. At project initiation, it goes past our Standards and Architecture team which has representatives from each of our major IT areas (systems engineering, support, project management, infosec, QA). This snapshots any immediate "you're planning to do WHAT!?" sort of issues and does an initial small scale IT risk snapshot assessment. It also serves to assign specific staff to work on the project if there is an identified need for extra care - say a security or identity management person.

3. Our IT architects work with the project team to design the architecture in a sensible and secure way, and act as a second layer to identify issues. This may result in specific design requirements to meet security needs. I'm fortunate that our infrastructure architect was previously my most senior security analyst.

4. At design review, we ensure that the design fits our standards and uses appropriate security.

5. Pre-deployment, we scan the system using a vulnerability scanner, and a web application security scan tool as appropriate, with fixes required before go-live.

6. Post deployment, it enters our ongoing scan/review lifecycle, with required additional work at any major change/upgrade. For example, if the product gets a .1 rev, we likely won't re-run a WebInspect run, but at a 2.0 version we would.

7. Projects of anything beyond very small scope have a lessons learned conducted with the project team which feeds back into our process.

Taken as a whole, this may sound somewhat unwieldy, but it has actually decreased our re-work, and the staff who handle 
the bulk of our project load have been identifying security problems before we even see the project due to their 
experience with the process.

David

David Seidl, CISSP, GCIH, GPEN
Director of Information Security
Office of Information Technologies
University of Notre Dame
Notre Dame, IN 46556
(574) 631-7305
dseidl () nd edu



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris 
Kidd
Sent: Tuesday, January 24, 2012 1:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Reviews for New Systems / Services

I'm wondering how organizations have a requirement that all new IT systems/services undergo a security review prior to 
purchase or implementation. By security review, I mean architecture, risk and control assessments, etc. as well as the 
use of tools like vulnerability scanners.

If you've implemented a review, would you mind sharing your policy and any thoughts on implementation (resourcing, 
scope, lessons learned)?

Thanks,
Chris

Chris Kidd
Chief Information Security Officer
University of Utah
