On Feb 10, 2009, at 4:30 PM, TJ wrote:
> But that is my point - Do any of the compliance frameworks / requirements / audit standards today address IPv6, or detail how it could be implemented in such a fashion as to 'pass' an audit (including the "in-house" / consultant-specific audit guidelines)? If it can be done, but is solely a "you and your (current) auditor figure it out, on a case by case basis, every time" I would argue that that is not good enough for the general case.
Compliance frameworks are generally technology agnostic. They tell you "have an information boundary for your system", "manage your user identifiers", etc. Aside from the DoD IA STIGs (and a small handful of NIST areas such as encryption), you don't find specifications that particular protocols or technologies are required. They don't require major updating for IPv6 because there's very little IPv4-specific content in them already. That's not to say that moving an application to IPv6 is trivial from a compliance and security perspective, as you've still got a pile of mandatory firewall, load-balancing, and IDS infrastructure that needs to handle IPv6 correctly before you can get started. In organizations that are planning ahead, this is common security control infrastructure, and gets done once centrally rather than for each little component.
> And while I agree with you, "any change = redo", I would argue that not everyone realizes that all of their C&A work will need to be re-done in order to retain their CTOs/ATOs if they move forward with any sort of IPv6 deployment. I have heard the gasps (I didn't see the faces; a coworker of mine did and said it was amusing - in a sad way.)
Look, systems change. Change your database software, and you get to update the corresponding pieces of the C&A package. Add IPv6, you have to update the network portions. This shouldn't be a surprise to anyone, and it certainly doesn't mean "all of their C&A work will need to be re-done". /John