Educause Security Discussion mailing list archives
Re: Pre Production System Accreditation
From: Dan Johnson <djj4 () UWM EDU>
Date: Tue, 4 Sep 2007 09:34:08 -0500
Hi Chad,

Both Steve and Matthew gave great advice! I would side with both of them, most everything that I have been taught in security is to implement security from the beginning. Not as an 'afterthought' when it has been developed, then hurry up and bolt some stuff on.

Granted, every environment is different and the approach you mentioned may seem to be the best in your particular case. I would say short term, it may be needed. Long term, you have to get security implemented in the beginning and work all the way through for security to be truly successful.

Work WITH your sys admins, show them that you are an asset, not a roadblock to be overcome. Maybe some advice from public relations:

"Public relations is the ability to tell someone to go to hell in such a way that they look forward to the trip!"

Hopefully, you don't have to be so militant as the advice above, but security is a very tenuous position!

Best of luck in your endeavors.

Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
PO Box 469
Mellencamp Hall, Room B60
Milwaukee, WI 53201
(414)229-2911

"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget."
Thomas Szasz, The Second Sin (1973) "Personal Conduct"

-----Original Message-----
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU]
Sent: Tuesday, September 04, 2007 9:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre Production System Accreditation

I have proposed that GCSU develop a policy that would require that a server or system be accredited prior to moving that system into production. The accreditation process among other things would verify that the system's security has been reviewed before potentially sensitive information is stored on or travels through that system.

I originally thought that this would blow through the policy approval process with flying colors, but unfortunately I'm being blocked by my own department's system administrators.

Am I completely off base with this recommendation?

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone 478.445.4473
Cell 478.454.8250
Fax 478.445.1202
Email chad.mcdonald () gcsu edu