Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation


From: Dan Johnson <djj4 () UWM EDU>
Date: Tue, 4 Sep 2007 09:34:08 -0500

Hi Chad,

Both Steve and Matthew gave great advice!

I would side with both of them; most everything that I have been taught in
security is to implement security from the beginning.  Not as an
'afterthought' when it has been developed, then hurry up and bolt some stuff
on.  Granted, every environment is different and the approach you mentioned
may seem to be the best in your particular case.  I would say short term, it
may be needed.  Long term, you have to get security implemented in the
beginning and work all the way through for security to be truly successful.

Work WITH your sys admins, show them that you are an asset, not a roadblock
to be overcome.

Maybe some advice from public relations: "Public relations is the ability to
tell someone to go to hell in such a way that they look forward to the
trip!"

Hopefully, you don't have to be so militant as the advice above, but
security is a very tenuous position!

Best of luck in your endeavors.


Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
PO Box 469
Mellencamp Hall, Room B60
Milwaukee, WI  53201
(414)229-2911

"The stupid neither forgive nor forget; the naive forgive and forget; the
wise forgive but do not forget."

Thomas Szasz, The Second Sin (1973) "Personal Conduct"




-----Original Message-----
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU]
Sent: Tuesday, September 04, 2007 9:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre Production System Accreditation

I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production.  The accreditation process, among other things, would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system.  I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators.  Am I completely off base with
this recommendation?


Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu
