Security Audit Follow-Up Meeting
Allan West, Chris Bunn & Jeff Capehart in 341 Tigert
10:00 a.m. Thursday, August 31, 2006.

First, here is the list of questions I emailed in advance, based on the document they sent to CLAS:

#2 "We recommend the ISM document and formalize their change management procedures."
Exactly what is covered by the term "change management procedures"? Can you provide an example of a suitable statement about change management procedures?
#3 "We recommend that risk assessment results be documented and be available for review."
Can you provide an example of a suitable statement about risk assessment for IT? I am, among other things, a building construction graduate student and a Community Emergency Response Team (CERT) volunteer, so my experience is that "risk assessment" varies widely by audience and purpose.
#6 "We recommend a formal contingency plan be established, which would minimize the potential damage of unforeseen events."
Is the Continuity of Operations Plan (COOP) which I'm preparing on behalf of my shop (and CLAS) for EH&S a suitable response to the request for a contingency plan?
#5 "We recommend a fire extinguisher should be in an easily accessible location, in close proximity to the server room. This would help mitigate the damage of a possible electrical fire, since no sprinkler system was installed."
This issue is for EH&S. They are responsible for all life-safety and fire-prevention apparatus. I've corresponded about it with Dr. Hoit, because EH&S told us that they would not recommend or service fire extinguishers in restricted-access server rooms. Their position is that since the server rooms are not regularly occupied, there is no reason to place one in the room. I'll include that in the formal response document, but I wanted to let you know about it up front, since it's been resolved "above my political level".

And here is what we talked about in the meeting:

#2 Change Management:
What are the steps when you move things into production? Testing and authorization before handing over to the production side. Is it authorized to be in production? Has it been tested before production? They are mostly concerned with major applications and new hardware systems.
#3 Risk Assessment:
ITAC ISM committee Risk Assessment guidelines are due out in the next month. Something like the "Octave" system. (No, I do not have any reference for Octave.)
How far down the list of unlikely events does the assessment need to go? Make broad categories, e.g. power failure. Be able to re-read and redo the policies regularly without it being onerous. You may reduce or accept a risk, mitigate the possible damage/loss, or share the risk. Part of this includes knowing the value of the resource in terms of replacement/re-creation cost.
For now, we can say that we are awaiting the ITAC guidelines before proceeding.
#6 Contingency Plan:
The COOP is acceptable. Other ISMs are showing COOPs for their contingency plan. I am almost done with the CLASnet plan, based on the EH&S template. I'll re-work the template to include some CLAS-specific assumptions and information, and then distribute it to the CLAS ISM. I hope to do that next week.
#5 Fire Extinguishers:
We tried to get EH&S to install fire extinguishers, but they don't want to be responsible for equipment in restricted spaces. This will be pursued/resolved at the CIO level.


[CLASnet main page] Last updated: Sep 01, 2006 (02:51:07 PM EDT)
URL: http://www.clasnet.ufl.edu/security/ism/audit_followup_20060831.shtml
