Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation
From: Matthew Keller <kellermg () POTSDAM EDU>
Date: Tue, 4 Sep 2007 10:21:16 -0400

On Tue, 2007-09-04 at 10:13 -0400, Chad McDonald wrote:
I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production.  The accreditation process among other things would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system.  I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators.  Am I completely off base with
this recommendation?

Chad,

It really depends on your requirements. I have implemented a "hardening
policy" with our server team, and they've embraced it whole-heartedly.

I worked WITH them to determine what's realistic, and what's just my ISO
pipedream. Also, they are in the drivers seat when it comes to
"accreditation" and documentation. I retain auditing oversight to
prevent inbred blinders from being a problem, but they get to do the
right thing "in house". Sysadmins don't like policy inflicted on them,
and they REALLY don't like people staring over their shoulder when they
work.

So no, you're not off base with your goal, but you may be going about it
in an offensive (unintentionally) manner. Scrap your policy; Engage the
admins; Write it together; Keep oversight and auditing; Give them as
much other control as they want.

--
Matthew Keller
Information Security Officer & Network Administrator
Computing & Technology Services
State University of New York @ Potsdam
Potsdam, NY, USA
http://mattwork.potsdam.edu/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]