Educause Security Discussion mailing list archives
Re: security management techniques
From: Carlos Lobato <clobato () NMSU EDU>
Date: Thu, 14 Jun 2012 17:22:52 +0000
All,

At New Mexico State University we are in the process of researching this topic (ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc.) and I am leaning towards ISO 27001 & 27002. Not too long ago I reviewed the free resources including COBIT 5, and I just bought this past week the ISO standards 27001 & 27002 for $407.00. Based on what I have seen so far, I think that we will go with the ISO standards.

Carlos S. Lobato, CISA, CIA
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003-8001
Phone: 575-646-5902
Fax: 575-646-5278
Email: clobato () nmsu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Sarazen
Sent: Thursday, June 14, 2012 10:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security management techniques

The University of Massachusetts has adopted ISO 27002 as its official IS Policy, and is mapping out its controls and documentation accordingly... and it's all (much of it anyway) available on their website. Full disclosure: I was their IT Auditor for four+ years and helped work on the policy.

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shawn Kohrman
Sent: Thursday, June 14, 2012 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security management techniques

Since we are starting to build our program here, we are looking at COBIT, ISO 27001, and NIST for possible implementation. In reviewing them, I think we're most likely to move towards the ISO 27001 series. However, we're still investigating.

Shawn
-----
Shawn A. Kohrman, Security Architect
Azusa Pacific University
Information & Media Technology
901 E. Alosta Ave., PO Box 7000
Azusa, CA 91702-7000

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Sarazen
Sent: Thursday, June 14, 2012 11:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security management techniques

Hi A.J.,

Quick question: Are you using this same standard for your health center? I was under the impression that NIST didn't include the HIPAA requirements, but I'm willing to be wrong.

Thanks,
Dan

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, A J (A. J.)
Sent: Thursday, June 14, 2012 12:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: security management techniques

We're using NIST SP 800, and have been pretty happy with it.

- It's got a good control catalog (800-53) with good audit instructions (800-53A).
- There are grants that are asking for it (or its related sibling: FISMA).
- It has good risk management (800-37).
- It has the right price (free).
- It has documentation with guidance on many special topics in the area.
- It's simple enough to explain, with PLENTY (wow) of documentation to back it up.

My biggest complaint is that it (and FIPS 199) doesn't offer clarification on absolute vs. relative control levels. Just because a service is "high confidentiality" for my institution does not mean we're going to apply military-grade confidentiality controls.

If others are using NIST, I'd love to hear how it's going and trade practices.

ajw
--
A. J. Wright
Chief Information Security Officer
University of Tennessee

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Pirolo
Sent: Thursday, June 14, 2012 12:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security management techniques

Just wondering if any other schools have standardized on any of these security management techniques: ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc. If so, I'd be interested in your feedback on such. Unless I'm grossly missing something, it seems like one has to pay to get the ISO standards from ISO.org/ANSI. That doesn't make sense...

-David