On Feb 10, 2009, at 4:30 PM, TJ wrote:
> But that is my point - Do any of the compliance frameworks / requirements / audit standards today address IPv6, or detail how it could be implemented in such a fashion as to 'pass' an audit (including the "in-house" / consultant-specific audit guidelines)? If it can be done, but is solely a "you and your (current) auditor figure it out, on a case-by-case basis every time", I would argue that that is not good enough for the general case.
Compliance frameworks are generally technology agnostic.
They tell you "have an information boundary for your system",
"manage your user identifiers", etc. Aside from the DoD IA
STIGs (and a small handful of NIST areas such as encryption),
you don't find specifications that a particular protocol or
technology is required. They don't require major updating
for IPv6 because there's very little IPv4-specific content
in them already.
That's not to say that moving an application to IPv6 is trivial
from a compliance and security perspective, as you've still got a
pile of mandatory firewall, load-balancing, and IDS infrastructure
that needs to handle IPv6 correctly before you can get started.
In organizations that are planning ahead, this is common security
control infrastructure, and gets done once centrally rather than
for each little component.
> And while I agree with you, "any change = redo", I would argue that not everyone realizes that all of their C&A work will need to be re-done in order to retain their CTOs/ATOs if they move forward with any sort of IPv6 deployment. I have heard the gasps (I didn't see the faces; that was a coworker of mine who did, and said it was amusing - in a sad way.)
Look, systems change. Change your database software, and you
get to update the corresponding pieces of the C&A package. Add
IPv6, you have to update the network portions. This shouldn't
be a surprise to anyone, and it certainly doesn't mean "all of
their C&A work will need to be re-done".
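The reply above makes the point that the firewall, load-balancing and IDS infrastructure has to handle IPv6 correctly before an IPv6 deployment can be accredited, and that the network portions of the C&A package are what need updating. One concrete check a reviewer would want at that stage is whether the IPv6 firewall policy actually mirrors the IPv4 one. The following Python script is an added example, not code from either participant in this thread: it compares an IPv4 ruleset with its IPv6 counterpart in iptables-save / ip6tables-save format and reports default chain policies and rules that exist only on the IPv4 side. Both rule dumps are constructed for the example.

```python
"""Parity check between IPv4 and IPv6 netfilter rule sets.

Added example (not from the thread). Input is iptables-save /
ip6tables-save text. Rules are keyed on chain, protocol, destination
port and target only; source/destination addresses are deliberately
ignored because an IPv4 prefix has no mechanical IPv6 equivalent, so
address-specific rules still need a human decision about which IPv6
prefix to use.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a carefully maintained IPv4 ruleset ...
IPTABLES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j DROP
COMMIT
"""

# ... and a constructed IPv6 ruleset that was only partly carried over:
# default policies were left at ACCEPT and two rules are missing.
IPTABLES_V6 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

Rule = Tuple[str, str, str, str]  # (chain, proto, dport, target)


def parse_policies(dump: str) -> Dict[str, str]:
    """Map chain name -> default policy from ':CHAIN POLICY [pkts:bytes]' lines."""
    policies: Dict[str, str] = {}
    for line in dump.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
    return policies


def parse_rules(dump: str) -> Set[Rule]:
    """Extract '-A CHAIN ...' rules as normalized (chain, proto, dport, target) tuples."""
    rules: Set[Rule] = set()
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        chain = line.split()[1]
        proto = re.search(r"-p (\S+)", line)
        dport = re.search(r"--dport (\S+)", line)
        target = re.search(r"-j (\S+)", line)
        rules.add((
            chain,
            proto.group(1) if proto else "any",
            dport.group(1) if dport else "any",
            target.group(1) if target else "none",
        ))
    return rules


def policy_gaps(v4_dump: str, v6_dump: str) -> List[str]:
    """Chains whose IPv4 default policy is DROP but whose IPv6 policy is not."""
    v4, v6 = parse_policies(v4_dump), parse_policies(v6_dump)
    return sorted(chain for chain, pol in v4.items()
                  if pol == "DROP" and v6.get(chain) != "DROP")


def rule_gaps(v4_dump: str, v6_dump: str) -> List[Rule]:
    """Normalized rules present in the IPv4 ruleset but absent from the IPv6 one."""
    return sorted(parse_rules(v4_dump) - parse_rules(v6_dump))


if __name__ == "__main__":
    for chain in policy_gaps(IPTABLES_V4, IPTABLES_V6):
        print(f"POLICY GAP: chain {chain} is DROP for IPv4 but not for IPv6")
    for chain, proto, dport, target in rule_gaps(IPTABLES_V4, IPTABLES_V6):
        print(f"RULE GAP: {chain} {proto} dport={dport} -> {target} has no IPv6 counterpart")
```

Run against the constructed dumps, the script flags the INPUT and FORWARD default policies and the port 22 and port 8080 rules. The same comparison works on real `iptables-save` and `ip6tables-save` output, and the list it produces is exactly the kind of evidence that belongs in the updated network section of a C&A package.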