Educause Security Discussion mailing list archives
Re: SECURITY Listserv Instructions and Participation Guidelines
From: Randy Marchany <marchany () VT EDU>
Date: Mon, 8 Jul 2002 13:52:59 -0400
Thanks to Rodney for the additional information. Spaf said:

> The first set of CIS standards on Cisco routers, for instance, if mandated on our router would have DECREASED the security of our site!

Agreed. However, the CIS Solaris, Linux and W2K benchmarks have been tremendously helpful in increasing the security of those platforms here on our campus. The CIS tools are benchmarks, and each sysadmin is free to enable/disable features as needed by their users.

Spaf said:

> It is also a huge problem if the standards can't be met without additional funding that also isn't provided..... Several of the tribal colleges, for instance, may not be able to stay online if there are requirements for firewalls, IDS, smartcards or anything else with a non-zero cost.

None of us have that much funding because of the current political mood. What about applying benchmarks to existing IT equipment that is already installed at the EDU? That seems more reasonable and something that should have been done in the first place.

Spaf said:

> VA Tech must have more money than other places. I'm sure it has more than most HBCUs and Tribal colleges.

Hardly. We've lost millions in our budget due to cutbacks. However, we did get the buy-in of the CFO of the University. He's convinced that doing security now saves VT money in the long run. He's agreed to be the stick when it's time for the depts to do their risk analysis reports. It seems to work because we're getting 98% on-time returns from our 150+ depts. Nothing like a "no risk analysis, no budget" message to get the blood flowing. This is the key in any edu....get the buy-in of the upper administration.

Training the existing IT support staff, be they permanent staff or grad students, is the real $$$ issue. We sponsored a free 3 day security training event last fall that was open to any edu. Yeah, it was full, but there were edus that didn't send anyone because the event was on a weekend. huh? It's that attitude that has to change. One of our engineering depts recently held a "securing linux and solaris" seminar for their grad students aka sysadmins. It was taught by the central IT staff and was free. So, the training issue can be done in-house with a lot of work. The question is whether the edu is willing to put in that work.

I am in favor of inducing edus to tighten the security of their systems. Why? We had an incident last year where a faculty member's research system was confiscated by law enforcement because it was involved in an attack. That research lab was shut down for a considerable period of time (the confiscated machine was the server) and there were no backups of the data on the machine. Had the system been brought to even a minimum level of security (for example, using the CIS benchmarks), the likelihood of the attack succeeding would have been greatly reduced and the faculty member wouldn't have lost over a month of down time. It's a pay me now or pay me later situation. After that incident, we had faculty asking to check the security of their systems :-).

-r.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/cg.html.