Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?


From: "Wright, A J (A. J.)" <ajw () TENNESSEE EDU>
Date: Thu, 17 Jan 2013 16:05:39 +0000

We use the SANS Top 20 as part of our program.  (I think they're now listed under the "Center for Strategic & 
International Studies", formerly the "Consensus Audit Guidelines", formerly SANS, etc.)

I like that they provide a set of industry standard (and easily justified) priority controls and that they list which 
NIST SP800-53 controls are related.
ajw

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Edgmand, 
Craig
Sent: Thursday, January 17, 2013 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

Not to plug SANS here, as I have no affiliation with them, has anybody thought about using the SANS 20 Critical 
Controls?

http://www.sans.org/critical-security-controls/

I know Virginia Tech is implementing these as their guidelines and they map out to the various NIST SP800-53 controls.

Craig Edgmand
IT Security Manager
Oklahoma State University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
McLaughlin, Bryan S.
Sent: Thursday, January 17, 2013 8:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

Quinn, I am planning to map our policies to standards and regulations, if you are willing to share I would love to see 
what you have developed.

Bryan McLaughlin
Information Security Officer
Creighton University
bmclaughiln () creighton edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Shamblin, Quinn
Sent: Thursday, January 17, 2013 8:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

We do a combination of the various security best practices and standards.  We evaluate our systems using NIST 800-53, 
etc. mainly because we do a lot of research for the government and they require data security and management plans 
based on those standards.  But we run the larger program with inputs from ISO27001/2, NIST, COBIT, and even inputs from 
ITIL (or ISO 20000 if you prefer).  We map our various policies to the standards/regulations that require that policy.  
I have a matrix (partially complete) that shows that mapping if you are interested.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  -  O 617-358-6310  M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, 
A J (A. J.)
Sent: Thursday, January 17, 2013 9:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than 
ISO 27001.  While we don't claim to implement 100% of it (it wouldn't be appropriate), we're making heavy use of 
FIPS 199, 800-37, 800-53, 800-66, etc.

I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's 
security program based on?

Thanks,
ajw
--
A. J. Wright
Chief Information Security Officer

University of Tennessee - System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637
Email: ajw () tennessee edu
