Re: Pre Production System Accreditation

[Gary Dobbins <dobbins () ND EDU>]

We have a similar step in our processes.  It definitely took some time
to become ingrained and enough of the rough edges rounded to make it
more tolerable, but in the end it benefits everyone.

We have a self-service Nessus scanner the engineers can use for
verifying the absence (or non-exposure) of known vulnerabilities, and a
design review step, among other procedural elements.

You're wise in considering this move, it will pay off down the road.
(what's the value of a compromise that DIDN'T happen?)


Chad McDonald wrote:
> I have proposed that GCSU develop a policy that would require that a
> server or system be accredited prior to moving that system into
> production.  The accreditation process among other things would verify
> that the system's security has been reviewed before potentially
> sensitive information is stored on or travels through that system.  I
> originally thought that this would blow through the policy approval
> process with flying colors, but unfortunately I'm being blocked by my
> own department's system administrators.  Am I completely off base with
> this recommendation?
>
>
> Chad McDonald, CISSP, CISA
> Chief Information Security Officer
> Georgia College & State University
> Phone   478.445.4473
> Cell    478.454.8250
> Fax     478.445.1202
> Email   chad.mcdonald () gcsu edu

--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- Director, Information Security
  University of Notre Dame, Office of Information Technologies