“QA !== Security”

I wrote that back in December on a yellow post-it and gave it to one of my contacts during some Security Test and Evaluation (ST&E) activities that were stepped on by a bazillion QA people.  He cared enough about the message to put it up in his cubicle when he moved, and it’s been warming the cockles of my heart ever since.

So why is it that today I’m writing policy and appointment letters for the Technical Review Board (TRB), Engineering Review Board (ERB) and Change Control Board (CCB)?

I’m not even remotely an Information Technology Infrastructure Library (ITIL) geek, but I do realize one thing:  I cannot keep denying changes at the CCB because it’s hurting the business side of my organization.  CCB is too late, it’s where people ask for the final approval and deconflicting of maintenance windows.

My chances at success for IT strategy depend on me getting involved in the planning stages of changes.  That means initiating the TRB, ERB, and CCB for the simple reason that I can straphang on their efforts.  In other words, I can head off security problems at the pass.

Moral of this story is that it pays to have friends in ITIL/CMMI/QA/$foo.

• A Niche to a Niche is Still Hard to Staff
• Guerilla CISO Tip: Get Inside the Data Center
• Some Comments on SP 800-39
• Rebuilding C&A
• Mike’s Guide to Information Security Policy