Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation
From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Wed, 5 Sep 2007 16:08:37 -0400

             A<0a0601c7efca$4b8e07a0$e2aa16e0$ () edu>
             <7315857F21D51B449CC55ADE3A56831804047157 () ex2k3 ad cusys edu>
 <0aa701c7efe3$2451e530$6cf5af90$ () edu>
X-Mailer: CTM PowerMail version 5.5.3 build 4480 English (PPC)
Organization: Georgia College & State University
MIME-Version: 1.0
X-WatchGuard-Spam-ID: str=0001.0A010205.46DF0CCE.0020,ss=2,fgs=0
X-WatchGuard-Spam-Score: 2, suspect; 0, no virus
X-WatchGuard-Mail-From: chad.mcdonald () gcsu edu
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

I'll be happy to respond off-line other than to say everyone's
information has been very helpful.

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu


Very well played!  You'll have to forgive me a little... I truly enjoy
debates (which this is...), over the old tried and true flame war...

Instead of adding more to the long message that this has become... the axiom
provided is completely true.  As security professionals, we all need to
strive for the perfection of secure systems.  In this scenario, which is
usually true in most scenarios, the devil is in the details!  How do we get
there?  Would we get fired for discussing this at great length? ;o)

Chad, if we haven't bored you to death yet while waxing philosophical, would
you be willing to share a little more on your particular instance that you
mentioned?  Has there been security instilled before the measure that you
had asked?  Do the system administrators have a particular stance on why,
exactly, they are opposed to this step?

Please don't feel pressured to answer, my questions are a bit selfish.  I
would value other opinions on how to deal with this scenario with a little
more information.  Jim and I have slightly different opinions on how to view
our constituents (half full, half empty type stuff), but I would love to
investigate this scenario a bit further.

Or is it just noise on the list?

Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
PO Box 469
Mellencamp Hall, Room B60
Milwaukee, WI  53201

"The stupid neither forgive nor forget; the naive forgive and forget; the
wise forgive but do not forget."

Thomas Szasz, The Second Sin (1973) "Personal Conduct"

-----Original Message-----
From: Jim Dillon [mailto:Jim.Dillon () CUSYS EDU]
Sent: Wednesday, September 05, 2007 11:52 AM
Subject: Re: [SECURITY] Pre Production System Accreditation

Dan, Inline below. Hard to debate when you are so agreeable, but some
thoughts anyway...   :)


Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu

-----Original Message-----
From: Dan Johnson [mailto:djj4 () UWM EDU]
Sent: Wednesday, September 05, 2007 8:37 AM
Subject: Re: [SECURITY] Pre Production System Accreditation

Hi Jim,

Okay, I'll bite...

The thought concept that you present is dead-on accurate, if you are a
security person or an auditor.

{**JD My dad used to argue that the truth is by definition the truth, it
cannot be argued, it is axiomatic.  There are some philosophical souls
that might try, but only if you can choose to deny the axiom - most
can't.  JD**}

I cannot argue that point one iota. {**JD Axiom confirmed?  :)  JD**}
Testing something before it is actually put into production, from a
security standpoint, makes all the sense in the world.  Of course any
policy worth its weight will have that clause or step put into the
policy, it only makes sense.  {**JD I assume from the original post that
the server is meant to serve "sensitive" or "private" data, thus there
is a precedent for Chad's expectations.  **JD}

I think the area of disconnect for the replies is the 'problem space'
you suggest.  Chad mentions that System Administrators are blocking this
from going through.  Not auditors, security personnel, etc... {**JD I
mention them as allies, not blockers.  They should be familiar with
local opinions and issues and be able to support the goal with insight
into the actual value assessment for this particular institution - I
don't think I missed the administrators issue data point **JD} I read
that to mean standard IT people.  Quite possibly people who know
computers inside
and out, but wouldn't know what Wireshark was or what is used for if it
up and bit them in the...

This is the struggle between security IT people and standard IT people.
are correct, my message came through as an us vs. them mentality, but
sometimes, that is what is needed.  (No worries, no quotes from Sun
I, hopefully, presented an ideology that is less militant than quite a
other suggestions that I have heard over the years...

{**JD - Having the referent authority of the Board of Regents is quite
helpful in the us vs. them situations for auditors.  Seems like every
idea we have is a good one if someone has to explain to the Regents why
it isn't.  Why is that I wonder?   :).    That's certainly why I
mentioned the auditors, but I'd still like a solution that didn't
require arm twisting - sensibilities should prevail. Chad may want to
take his case up the tree a bit to those with strategic responsibility
rather than the admins, maybe some redirected pressure will help, but I
still think a value case can be made, just let's agree not to get into
ROI or ROSI discussions, that'll cause a headache no one can cure.

That's why I stressed that us, as security-minded people, need to be
as an asset by other people who are not security minded.

{**JD - The easiest way I've found to do this is to help the IT folks
recognize that attention by audit lends authority to the issue.  In most
cases what is missing is a history of support for control or security
which is seen by the unaware as a cost, not an asset.  Typically the IT
folks want to do it, but have no budgetary or authority support, thus
when an audit provides the authority, they often run almost gleefully
down the recently authorized security path.    Better though, is to
realize good security is like a good warranty.  The sofa with a lifetime
or 30 year warranty on all parts, including the cushions and fabrics,
makes a much better impression, and is typically a much better product
than the one with a one year limited warranty. (And it typically costs a
bunch more - cost reflecting value.)  I go home sleeping better buying
that product.  The IT product with tested security will make that parent
much happier with his/her student's care/privacy than the one without,
product value!  The worse option is to have happen what happened at a
"nameless" institution I know: A letter to the president wondering how
serious the institution really was at providing service when the child
of the letter writer had received 4 "We're Sorry - can we monitor your
credit for you..." notices regarding data breaches with his/her private
info involved.  That's right, 4!  No president or Board is going to
stand for that kind of public image, (see those Alumni donations flying
bye-bye) and the value of security becomes apparent - it is an absolute
requirement for a quality educational product, demanded by the customer
through law and regulation. JD**}

A lot of the decision making (read: controllers of the purse strings) do
not have security training, as well as some administrators.  Quite
possibly the ones that Chad mentions fall into this category.  How about
another analogy...  {**JD - Which is why we've finally made such
training mandatory and part of policy.  All personnel will take basic
training, those with access to Private or Restricted data will take
advanced training - part of the performance review cycle for every
individual. Painful getting here, almost 8 years of work on my part and
help from a few negative but much publicized events!!! JD**} you catch
more flies with honey than you do with vinegar?  {JD** In this case
vinegar at least kills a few flies, water didn't do anything.  The Honey
is becoming apparent as the consequences and responsibilities tied to
the management of regulated data become more apparent to end users
through actual pain and through the training.  Many, when they realize
what they have to attest to, are starting to look for services and help.
This will have a great positive impact on our overall security JD**}

This is where I think we are on the same page.  The step that Chad
is the final step of a process that is several steps, not the one and
step.  {**JD - and he shouldn't assume it is an easy step, it may take
some time, but enlisting some local allies might help him better prepare
for the du jour issues of his local constituents.  We have legal and
policy help from the state to heighten value awareness, I don't know
what the situation is in GA. Federal "help" - more vinegar - is soon to
arrive. - JD**}

Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]