Educause Security Discussion mailing list archives
Re: Security Program: NIST, ISO, other?
From: "Wright, A J (A. J.)" <ajw () TENNESSEE EDU>
Date: Thu, 17 Jan 2013 16:05:39 +0000
We use the SANS Top 20 as part of our program. (I think they're now listed under the "Center for Strategic & International Studies", formerly the "Consensus Audit Guidelines", formerly SANS, etc.) I like that they provide a set of industry standard (and easily justified) priority controls and that they list which NIST SP800-53 controls are related.

ajw

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Edgmand, Craig
Sent: Thursday, January 17, 2013 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

Not to plug SANS here, as I have no affiliation with them, but has anybody thought about using the SANS 20 Critical Controls?

http://www.sans.org/critical-security-controls/

I know Virginia Tech is implementing these as their guidelines and they map out to the various NIST SP800-53 controls.

Craig Edgmand
IT Security Manager
Oklahoma State University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of McLaughlin, Bryan S.
Sent: Thursday, January 17, 2013 8:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

Quinn,

I am planning to map our policies to standards and regulations; if you are willing to share, I would love to see what you have developed.
Bryan McLaughlin
Information Security Officer
Creighton University
bmclaughiln () creighton edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shamblin, Quinn
Sent: Thursday, January 17, 2013 8:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

We do a combination of the various security best practices and standards. We evaluate our systems using NIST 800-53, etc., mainly because we do a lot of research for the government and they require data security and management plans based on those standards. But we run the larger program with inputs from ISO 27001/2, NIST, COBIT, and even inputs from ITIL (or ISO 20000 if you prefer). We map our various policies to the standards/regulations that require that policy. I have a matrix (partially complete) that shows that mapping if you are interested.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP - O 617-358-6310 M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, A J (A. J.)
Sent: Thursday, January 17, 2013 9:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than ISO 27001. While we don't claim to implement 100% of it (it wouldn't be appropriate), we're making heavy use of FIPS 199, 800-37, 800-53, 800-66, etc.

I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's security program based on?

Thanks,
ajw

--
A. J. Wright
Chief Information Security Officer
University of Tennessee - System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN 37996-1717
Phone: 865-974-0637
Email: ajw () tennessee edu
Current thread:
- Security Program: NIST, ISO, other? Wright, A J (A. J.) (Jan 17)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? mccalluq (Jan 17)
- Re: Security Program: NIST, ISO, other? McLaughlin, Bryan S. (Jan 17)
- Re: Security Program: NIST, ISO, other? Edgmand, Craig (Jan 17)
- Re: Security Program: NIST, ISO, other? Dan Sarazen (Jan 17)
- Re: Security Program: NIST, ISO, other? David Curry (Jan 17)
- Re: Security Program: NIST, ISO, other? Wright, A J (A. J.) (Jan 17)
- Re: Security Program: NIST, ISO, other? Valdis Kletnieks (Jan 18)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? Lorenz, Eva (Jan 17)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? Valerie Vogel (Jan 17)
- Re: Security Program: NIST, ISO, other? Dan Sarazen (Jan 17)