Educause Security Discussion mailing list archives
Re: Outsourcing security scanning (internal and external)
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 7 Oct 2005 13:45:24 -0400
On Fri, 07 Oct 2005 08:32:55 PDT, Greg Francis said:
> We don't currently follow any model for information security. Up until now
(Aha! Now a lot of things from your first note suddenly make a lot more sense, seen in context....)
> we have had a very loose security policy with most of it being completely undocumented. Our work on security tends to be reactive rather than proactive with any significant changes coming as a result of negative events. Over the years that has created a loose plan but far from being comprehensive and very little of it being organized. Security emphasis has mostly been in those areas that we consider higher risk but there are still many, many gaps to work on.
I suggest to you that perhaps rather than fretting over outsourcing, your school needs to address the lack of a model. Among other things, how do you expect to outsource something when you have no idea of what you need or what you are outsourcing? How do you tell if the outsourcer is doing a good job at what you're paying them for, or even if what you're paying for is actually going to benefit your site's security?
> currently on the network that we might not even know are there. Plus, it creates a nice tidy report that makes some upper management people. I wish that wasn't a huge concern but we have a set of trustees on the technology committee that think they know everything about everything and that has created major pressure on the technology staff to prioritize things in perhaps a less than optimal order.
What I'd do (and probably indicative of why I'm not management material :) Get a nice tidy report. About something else. The 2004 UN statistics on grain shipments to Africa. Doesn't matter what, as long as it's irrelevant to your site's security posture. When the trustees that think they know everything ask what the heck this means, put them on the spot: Ask them *flat out* what a tidy report *on security* would mean, if there's no policy or model to measure it against. Then put up a nice *pretty* overhead slide that says "37 vulnerabilities were found". No other explanatory text. Ask them if they'd rate this as good or bad. Would they change their stance if it was 37 major holes found on the payroll server alone? Or 37 minor problems found in the entire resnet? Close by saying that tidy reports are just numbers, and without a clear vision of what numbers your site considers important, it's all just a lot of sound and fury, signifying nothing....