Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation
From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Tue, 4 Sep 2007 11:17:57 -0400

Has anyone on the list had a chance to evaluate the new Secure
Configuration Automation Program now required in the Federal government?

"The Security Content Automation Protocol (SCAP) is a method for using
specific standards to enable automated vulnerability management,
measurement, and policy compliance evaluation (e.g., FISMA compliance)."

Here is a link to the NIST presentation, if interested:
http://nvd.nist.gov/scap/docs/ISAP-SecuritySolutions-2007.ppt


James A.St.Clair, CISM
Sr. Manager
Global Public Sector
Grant Thornton LLP
(703) 637-3078 (office)
(703) 727-6332 (mobile)
(703) 837-4455 (fax)


-----Original Message-----
From: Gary Dobbins [mailto:dobbins () ND EDU] 
Sent: Tuesday, September 04, 2007 11:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Pre Production System Accreditation

We have a similar step in our processes.  It definitely took some time 
to become ingrained and enough of the rough edges rounded to make it 
more tolerable, but in the end it benefits everyone.

We have a self-service Nessus scanner the engineers can use for 
verifying the absence (or non-exposure) of known vulnerabilities, and a 
design review step, among other procedural elements.

You're wise in considering this move, it will pay off down the road.
(what's the value of a compromise that DIDN'T happen?)


Chad McDonald wrote:
I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production.  The accreditation process among other things would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system.  I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators.  Am I completely off base with
this recommendation? 


Chad McDonald, CISSP, CISA 
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu

-- 

   ------------------------------------------------------------
   Gary Dobbins, CISSP -- Director, Information Security
   University of Notre Dame, Office of Information Technologies
 

--------------------------------------------------------


In accordance with applicable professional regulations, please understand that, unless expressly stated otherwise, any 
written advice contained in, forwarded with, or attached to this e-mail is not intended or written by Grant Thornton 
LLP to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed under 
the Internal Revenue Code. 

--------------------------------------------------------

 This e-mail is intended solely for the person or entity to which it is addressed and may contain confidential and/or 
privileged information.  Any review, dissemination, copying, printing or other use of this e-mail by persons or 
entities other than the addressee is prohibited.  If you have received this e-mail in error, please contact the sender 
immediately and delete the material from any computer.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]