Educause Security Discussion mailing list archives
Re: ISO 27000
From: "Lorenz, Eva" <evalorenz () UNC EDU>
Date: Tue, 19 Jan 2010 08:20:56 -0500
Hugh,

Thanks for the matrix. It is very helpful to see how other institutions tackle ISO27001. I see that you mention configuration management as well as retention as being in various stages of completion. How would you classify your institution's status regarding ITIL? Also, would you describe your institution as being highly federated or having a more centralized nature? I believe that these factors may determine how ISO27001 can be implemented and at what pace. Feel free to contact me offline at evalorenz () unc edu to discuss further.

Thanks - Eva

Eva Lorenz
ITS Security
2800 ITS Manning
211 Manning Dr
CB3420
Chapel Hill NC 27599

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hugh Burley
Sent: Monday, January 18, 2010 2:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ISO 27000

Leilani,

I have tried to incorporate ISO 27001 into a three year strategic plan for building the University's Information Security program. I am now in the third year of that plan. One of the issues with this standard, PCI-DSS and our Information Security Assessments, is having a method of measuring and tracking the effective implementation for each component or recommendation. A second and perhaps as important issue is trying to convey this information to our executive in a meaningful manner. I have tried to overlay the CoBiT 4.1 Capability Maturity Model as a scoring tool for each component, with a goal of achieving an overall rating of 4 by the end of this third year. See the attached pdf. I am very interested in feedback on this methodology either on or off list.

Thanks and regards,

Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator
Information Security
BCCOL - 222D
250-852-6351
Leilani Lauger <llauger () LUC EDU> 14/01/2010 12:42 pm >>>

We are trying to gather information about how our peers are using the ISO 27000 standards. Is anyone using standards to formally evaluate a security program or as a framework for building a new program? Are they being used as a complete body of work or to inform individual aspects of a security program? We appreciate any feedback.

Thank you,

Leilani Lauger
Information Security Officer
Loyola University Chicago
773.508.6086
llauger () luc edu