Educause Security Discussion mailing list archives

SPF or Text DNS Records for Outbound Campus Mail


From: Michael Wilber <mwilber () SC4 EDU>
Date: Mon, 1 Feb 2010 07:25:20 -0500

Anyone using SPF or Text DNS records to prevent your domain from getting
spoofed? If so, how is it working for you? If not, what other measures
have you taken to protect from getting spoofed?

Thanks,

Mike Wilber * Technical Director * CISSP, MCSE, CCNP, CCDP * St. Clair
County Community College * 323 Erie Street, Port Huron, MI 48060 *
michael.wilber () sungardhe com * Tel 810-989-5665 * Fax 810-989-5618

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ozzie Paez
Sent: Friday, January 29, 2010 4:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Acquisition and Development standard

 

I think that David's answer contains an important consideration and that
is the inclusion of the audit team's input.  Without it you could end up
with a system that complies with a design/acquisition/development
standard(s) and an audit system/team that audits to a different one.
That can result in much wasted time and the need for all kinds of
exceptions to the audits in order to accommodate the system.  In the
end, your system requirements should map effectively with your audit
standards; that will save you time and money, while reducing risks.

Ozzie Paez

SSE/SAIC

303-332-5363 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Escalante
Sent: Friday, January 29, 2010 2:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Acquisition and Development standard

 

We have a document several pages long filled with security questions
that we co-developed with our Internal Audit department a number of
years ago.  It's not something we've shared widely, though.

We are looking at moving to the Shared Assessments tool.  See
http://www.sharedassessments.org/ . I believe it's still free, and is,
to quote the web page,

"Shared Assessments is a member-driven, industry-standard body that
injects speed, efficiency and cost savings into the service provider
control assessment process. Shared Assessments Program members
<http://sharedassessments.org/members/>  work together to eliminate
redundancies and create efficiencies, giving all parties a standardized,
consistent, faster, more rigorous, more efficient and less costly means
of conducting security, privacy and business continuity assessments."


Why re-invent the wheel when the financial industry already has a tool?
If we all use the same questionnaire, it also makes it easier on vendors
and suppliers, who don't have to deal with a different set of security
questions from every customer.  While the questions are intended for
service providers, they tend to be OK for internal security as well.
--
David Escalante
Boston College

