Educause Security Discussion
mailing list archives
Re: Pre Production System Accreditation
From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Tue, 4 Sep 2007 11:39:25 -0400
I think the initiative is right on the mark.
I'm finding that it can be beneficial to start with the data owners.
Under NIST 800-18 (1.7.2 and 1.7.3), the SYSTEM OWNER and the
INFORMATION OWNER have responsibility for establishing the rules of
behavior and developing the system security plan. Working with the
system and information owners to help them develop solid requirements
(ensuring that the bar is high enough) helps to clarify what must be
done in the next project phases.
The next component is to help the technical staff to identify and deploy
solutions that will meet the business requirements as defined by the
data owners. NIST 800-18 was helpful in establishing where these various
responsibilities should rest.
Helping the data owners develop good standards which safeguard their
funding sources... and helping the systems administrators meet the
business requirements (being a SME for both camps) is a better place to
be than plain ol' policy for policy's sake.
This approach is being embraced by those who have grants that set the
requirements for security. Once security becomes common practice in that
arena then people will be more familiar with better security practices
and start to apply them elsewhere (one would hope).
IT Security Manager
University of Massachusetts Medical School
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU]
Sent: Tuesday, September 04, 2007 10:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre Production System Accreditation
I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production. The accreditation process among other things would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system. I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators. Am I completely off base with
Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Email chad.mcdonald () gcsu edu