Educause Security Discussion mailing list archives

Re: Systems Acquisition and Development standard


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Fri, 29 Jan 2010 14:52:13 -0700

I think that David's answer contains an important consideration and that is
the inclusion of the audit team's input.  Without it you could end up with a
system that complies with a design/acquisition/development standard(s) and
an audit system/team that audits to a different one.  That can result in
much wasted time and the need for all kinds of exceptions to the audits in
order to accommodate the system.  In the end, your system requirements
should map effectively to your audit standards; that will save you time
and money, while reducing risks.

Ozzie Paez

SSE/SAIC

303-332-5363

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Escalante
Sent: Friday, January 29, 2010 2:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Acquisition and Development standard

We have a document several pages long filled with security questions that we
co-developed with our Internal Audit department a number of years ago.  It's
not something we've shared widely, though.

We are looking at moving to the Shared Assessments tool.  See
http://www.sharedassessments.org/ . I believe it's still free, and is, to
quote the web page,

"Shared Assessments is a member-driven, industry-standard body that injects
speed, efficiency and cost savings into the service provider control
assessment process. Shared Assessments Program members
<http://sharedassessments.org/members/>  work together to eliminate
redundancies and create efficiencies, giving all parties a standardized,
consistent, faster, more rigorous, more efficient and less costly means of
conducting security, privacy and business continuity assessments."

Why re-invent the wheel when the financial industry already has a tool?  If
we all use the same questionnaire, it also makes it easier on vendors and
suppliers, who don't have to deal with a different set of security questions
from every customer.  While the questions are intended for service
providers, they tend to be OK for internal security as well.
--
David Escalante
Boston College
