Educause Security Discussion
mailing list archives
Re: Pre Production System Accreditation
From: Dan Johnson <djj4 () UWM EDU>
Date: Tue, 4 Sep 2007 09:34:08 -0500
Both Steve and Matthew gave great advice!
I would side with both of them, most everything that I have been taught in
security is to implement security from the beginning. Not as an
'afterthought' when it has been developed, then hurry up and bolt some stuff
on. Granted, every environment is different and the approach you mentioned
may seem to be the best in your particular case. I would say short term, it
may be needed. Long term, you have to get security implemented in the
beginning and work all the way through for security to be truly successful.
Work WITH your sys admins, show them that you are an asset, not a roadblock
to be overcome.
Maybe some advice from public relations: "Public relations is the ability to
tell someone to go to hell in such a way that they look forward to the
Hopefully, you don't have to be so militant as the advice above, but
security is a very tenuous position!
Best of luck in your endeavors.
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
PO Box 469
Mellencamp Hall, Room B60
Milwaukee, WI 53201
"The stupid neither forgive nor forget; the naive forgive and forget; the
wise forgive but do not forget."
Thomas Szasz, The Second Sin (1973) "Personal Conduct"
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU]
Sent: Tuesday, September 04, 2007 9:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre Production System Accreditation
I have proposed that GCSU develop a policy that would require that a
server or system be accredited prior to moving that system into
production. The accreditation process among other things would verify
that the system's security has been reviewed before potentially
sensitive information is stored on or travels through that system. I
originally thought that this would blow through the policy approval
process with flying colors, but unfortunately I'm being blocked by my
own department's system administrators. Am I completely off base with
Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Email chad.mcdonald () gcsu edu