Les Bell wrote:
"Ross S. W. Walker" rwalker@medallion.com wrote:
I agree wholeheartedly. It would go a long way though if Redhat provided independent certification of their products under these compliance banners.
RHEL 5 is Common Criteria certified against the Controlled Access Protection Profile (CAPP), Labelled Security Protection Profile (LSPP) and Role-Based Access Control Protection Profile (RBACPP) at EAL (Evaluation Assurance Level) 4+ (i.e. all requirements of EAL4 and some of EAL5), when running on certain hardware platforms (IBM). See http://www.commoncriteriaportal.org/public/consumer/index.php?menu=5 for the reports. That may be overkill for what you require, but if your system is certified and accredited, it usually stops auditors in their tracks.
I agree with concerns about the inability of auditors to correctly interpret requirements. The Y2K panic provided lots of examples; I recall one junior auditor demanding that a network hub be replaced because it was not "certified Y2K compliant".
Thanks Les, naw it isn't overkill here; as a publicly traded company with a commercial bank in Utah we get tag teamed by both the SEC and the FDIC.
I'll definitely keep that bookmarked in the compliance portal!
-Ross