
Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation
From: Shane Bishop <shanebishop () JALC EDU>
Date: Tue, 4 Sep 2007 10:24:54 -0500

Chad,

I would try to pinpoint the reason why the system administrators are not
on board with such a beneficial goal of increasing the consistency of
security in your production systems. Sensible security recommendations
shouldn't result in bipartisanship between the CISO and IT staff but
there could be extraneous motivators such as political factors that you
are not aware of that are playing a heavy hand in their decision to
block your proposal. This seems to happen more when the CISO is staffed
in the same department as IT personnel as opposed to reporting to the
CFO directly. Personally, I would repackage the effort into a procedure
for system hardening and work with the system administrators to gain
their support. Once that is accomplished you can refocus your effort to
elevate it to policy status or include it in a broader policy, such as
a segment of business continuity. Simply presenting this to upper
management in terms of business continuity instead of system
accreditation may give you the edge you're looking for.   


Shane Bishop
CISM, CISSP
I.T., John A. Logan College
http://shanebishop.info
(618) 985-3741 Ext. 8544


-----Original Message-----
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU] 
Sent: Tuesday, September 04, 2007 9:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre Production System Accreditation

I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production.  The accreditation process among other things would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system.  I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators.  Am I completely off base with
this recommendation? 


Chad McDonald, CISSP, CISA 
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu
