Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation
From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 4 Sep 2007 11:01:38 -0400

We have a similar step in our processes.  It definitely took some time
to become ingrained and enough of the rough edges rounded to make it
more tolerable, but in the end it benefits everyone.

We have a self-service Nessus scanner the engineers can use for
verifying the absence (or non-exposure) of known vulnerabilities, and a
design review step, among other procedural elements.

You're wise in considering this move, it will pay off down the road.
(what's the value of a compromise that DIDN'T happen?)

Chad McDonald wrote:
I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production.  The accreditation process among other things would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system.  I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators.  Am I completely off base with
this recommendation?

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu


  Gary Dobbins, CISSP -- Director, Information Security
  University of Notre Dame, Office of Information Technologies

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]