Educause Security Discussion mailing list archives
Re: Vetting of software to be installed on production systems
From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Fri, 10 Apr 2009 10:28:26 -0400
Gary,

Does your school have Change Management/Program Development policies?

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jesse Thompson
Sent: Friday, April 10, 2009 10:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vetting of software to be installed on production systems

Gary Flynn wrote:
I'm trying to provide some general guidance on making trust decisions for software to be installed on production systems. Does anyone have any documentation or policies concerning a vetting procedure I could look at or any general advice?
How about: Hire competent staff to perform technical reviews. And trust them to make smart decisions.

Since all software is different, any vetting procedures you create would have to be so generic that they would be common sense to a competent technologist, and not thorough enough for a technologist that doesn't think outside the box.

Jesse
Current thread:
- Vetting of software to be installed on production systems Gary Flynn (Apr 01)
- <Possible follow-ups>
- Re: Vetting of software to be installed on production systems Jesse Thompson (Apr 10)
- Re: Vetting of software to be installed on production systems Sarazen, Daniel (Apr 10)