Educause Security Discussion mailing list archives
Re: Security Reviews for New Systems / Services
From: David Seidl <dseidl () ND EDU>
Date: Wed, 25 Jan 2012 09:02:25 -0500
Chris,

We have multiple steps. Our policy is primarily wrapped around our Standards and Architecture team, which is part of our project process.

1. We have a set of security questions that are integrated into our RFP and initial vendor review processes.

2. At project initiation, it goes past our Standards and Architecture team, which has representatives from each of our major IT areas (systems engineering, support, project management, infosec, QA). This snapshots any immediate "you're planning to do WHAT!?" sort of issues and does an initial small-scale IT risk snapshot assessment. It also serves to assign specific staff to work on the project if there is an identified need for extra care - say a security or identity management person.

3. Our IT architects work with the project team to design the architecture in a sensible and secure way, and act as a second layer to identify issues. This may result in specific design requirements to meet security needs. I'm fortunate that our infrastructure architect was previously my most senior security analyst.

4. At design review, we ensure that the design fits our standards and uses appropriate security.

5. Pre-deployment, we scan the system using a vulnerability scanner, and a web application security scan tool as appropriate, with fixes required before go-live.

6. Post-deployment, it enters our ongoing scan/review lifecycle, with required additional work at any major change/upgrade. For example, if the product gets a .1 rev, we likely won't re-run a WebInspect run, but at a 2.0 version we would.

7. Projects of anything beyond very small scope have a lessons learned conducted with the project team, which feeds back into our process.

Taken as a whole, this may sound somewhat unwieldy, but it has actually decreased our re-work, and the staff who handle the bulk of our project load have been identifying security problems before we even see the project due to their experience with the process.
David

David Seidl, CISSP, GCIH, GPEN
Director of Information Security
Office of Information Technologies
University of Notre Dame
Notre Dame, IN 46556
(574) 631-7305
dseidl () nd edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd
Sent: Tuesday, January 24, 2012 1:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Reviews for New Systems / Services

I'm wondering how organizations have a requirement that all new IT systems/services undergo a security review prior to purchase or implementation. By security review, I mean architecture, risk and control assessments, etc., as well as the use of tools like vulnerability scanners. If you've implemented a review, would you mind sharing your policy and any thoughts on implementation (resourcing, scope, lessons learned)?

Thanks,
Chris

Chris Kidd
Chief Information Security Officer
University of Utah