Educause Security Discussion mailing list archives

Re: SECURITY Listserv Instructions and Participation Guidelines


From: Randy Marchany <marchany () VT EDU>
Date: Mon, 8 Jul 2002 13:52:59 -0400

Thanks to Rodney for the additional information.

Spaf said:
The first set of CIS standards on Cisco routers, for instance, if mandated on
our router would have DECREASED the security of our site!

Agreed. However, the CIS Solaris, Linux and W2K benchmarks have been
tremendously helpful in increasing the security of those platforms here on our
campus. The CIS tools are benchmarks and each sysadmin is free to
enable/disable features as needed by their users.

Spaf said:
It is also a huge problem if the standards can't be met without
additional funding that also isn't provided..... Several of the tribal
colleges, for instance, may not be able to stay online if there are
requirements for firewalls, IDS, smartcards or anything else with a non-zero
cost.

None of us have that much funding because of the current political mood. What
about applying benchmarks to existing IT equipment that is already installed
at the EDU? That seems more reasonable and something that should have been
done in the first place.

Spaf said:
VA  Tech must have more money than other places.  I'm sure it has
more than most HBCUs and Tribal colleges.

Hardly. We've lost millions in our budget due to cutbacks. However, we did get
the buy-in of the CFO of the University. He's convinced that doing security
now saves VT money in the long run. He's agreed to be the stick when it's time
for the depts to do their risk analysis reports. It seems to work because
we're getting 98% on-time returns from our 150+ depts. Nothing like a "no risk
analysis, no budget" message to get the blood flowing. This is the key in any
edu....get the buy-in of the upper administration.

Training the existing IT support staff be they permanent staff or grad
students is the real $$$ issue. We sponsored a free 3 day security training
event last fall that was open to any edu. Yeah, it was full but there were
edus that didn't send anyone because the event was on a weekend. huh? It's
that attitude that has to change. One of our engineering depts recently held a
"securing linux and solaris" seminar for their grad students aka sysadmins. It
was taught by the central IT staff and was free. So, the training issue can be
done in-house with a lot of work. The question is whether the edu is willing
to put in that work.

I am in favor of inducing edus to tighten the security of their systems. Why?
We had an incident last year where a faculty member's research system was
confiscated by law enforcement because it was involved in an attack. That
research lab was shut down for a considerable period of time (the confiscated
machine was the server) and there were no backups of the data on the machine.
Had the system been brought to even a minimum level of security (for example,
using the CIS benchmarks), the likelihood of the attack succeeding would have
been greatly reduced and the faculty member wouldn't have lost over a month of
down time. It's a pay me now or pay me later situation. After that incident,
we had faculty asking to check the security of their systems :-).


        -r.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/cg.html.
