Educause Security Discussion mailing list archives

Re: security management techniques


From: Dan Sarazen <dsarazen () BRANDEIS EDU>
Date: Thu, 14 Jun 2012 12:57:02 -0400

The University of Massachusetts has adopted ISO27002 as its official IS
Policy, and is mapping out its controls and documentation accordingly... and
it's all (much of it anyway) available on their website.

Full disclosure: I was their IT Auditor for four+ years and helped work on
the policy.

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell:  781-296-4444
Fax:   781-736-8706



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stephen C. Gay
Sent: Thursday, June 14, 2012 12:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: security management techniques

David,

When founded in 2006, we designed our program at Kennesaw State University
around NIST's 800-53 classes (technical, operational, and managerial). All
projects were mapped into these categories and it was easy to communicate to
a technical / InfoSec audience. Even so, we found the classes did not lend
themselves to mapping into the mission of the organization nor proactive
safeguards.

We transitioned our program over to the ISO 27001 framework in 2011 and it
has provided for a more complete picture of our information security
program. We did pay for the documents (cost is fairly reasonable) but you
may want to start with the numerous Educause presentations regarding the
framework. They will give you the general idea and touch on advantages /
disadvantages.

Stephen C Gay CISSP CISA
ITS Associate Director - Information Security Office
KSU Information Security Officer
Kennesaw State University
sgay () kennesaw edu

----- Original Message -----
From: "David Pirolo" <webmaster () WARNERPACIFIC EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Thursday, June 14, 2012 12:09:57 AM
Subject: [SECURITY] security management techniques

Just wondering if any other schools have standardized on any of these
security management techniques.
ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc.

If so, I'd be interested in your feedback of such. Unless I'm grossly
missing something, it seems like one has to pay to get the ISO standards
from ISO.org/ANSI. That doesn't make sense...

-David