Educause Security Discussion mailing list archives
Re: Systems Acquisition and Development standard
From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Fri, 29 Jan 2010 14:52:13 -0700
I think that David's answer contains an important consideration, and that is the inclusion of the audit team's input. Without it you could end up with a system that complies with a design/acquisition/development standard(s) and an audit system/team that audits to a different one. That can result in much wasted time and the need for all kinds of exceptions to the audits in order to accommodate the system. In the end, your system requirements should map effectively with your audit standards; that will save you time and money while reducing risks.

Ozzie Paez
SSE/SAIC
303-332-5363

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Escalante
Sent: Friday, January 29, 2010 2:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Acquisition and Development standard

We have a document several pages long filled with security questions that we co-developed with our Internal Audit department a number of years ago. It's not something we've shared widely, though.

We are looking at moving to the Shared Assessments tool. See http://www.sharedassessments.org/ . I believe it's still free, and is, to quote the web page, "Shared Assessments is a member-driven, industry-standard body that injects speed, efficiency and cost savings into the service provider control assessment process. Shared Assessments Program members <http://sharedassessments.org/members/> work together to eliminate redundancies and create efficiencies, giving all parties a standardized, consistent, faster, more rigorous, more efficient and less costly means of conducting security, privacy and business continuity assessments."

Why re-invent the wheel when the financial industry already has a tool? If we all use the same questionnaire, it also makes it easier on vendors and suppliers, who don't have to deal with a different set of security questions from every customer.

While the questions are intended for service providers, they tend to be OK for internal security as well.

--
David Escalante
Boston College
Current thread:
- Systems Acquisition and Development standard Ben Woelk (Jan 29)
- <Possible follow-ups>
- Re: Systems Acquisition and Development standard Patria, Patricia (Jan 29)
- Re: Systems Acquisition and Development standard James C. Farr '05 (Jan 29)
- Re: Systems Acquisition and Development standard Lorenz, Eva (Jan 29)
- Re: Systems Acquisition and Development standard Patria, Patricia (Jan 29)
- Re: Systems Acquisition and Development standard David Escalante (Jan 29)
- Re: Systems Acquisition and Development standard Ozzie Paez (Jan 29)