Educause Security Discussion mailing list archives

Re: CIS vs NIST


From: "Simanovich, Roman" <rsimanovich () USJ EDU>
Date: Mon, 30 Apr 2018 14:07:31 +0000

Chris,

You are trying to compare apples to oranges. CIS top 20 is a set of 20 controls that you should implement. NIST 800-171 
is a standard for protecting controlled unclassified information.

What you really need to do is implement a risk management program; this will address most of the requirements of every compliance regulation. This will also help you prioritize limited security resources to ensure you're spending time securing the weakest parts of your network based on how much risk there is to the organization. FYI, Risk Management is not the same as Vulnerability Management.

NIST CSF and NIST RMF are a good set of standards to follow to get you started toward compliance with all regulations.
https://www.nist.gov/cyberframework
https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview
https://csrc.nist.gov/publications/detail/sp/800-39/final
https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final

Thanks,
Roman Simanovich
Information Security Specialist
University of Saint Joseph

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Davis, Chris
Sent: Monday, April 30, 2018 9:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] CIS vs NIST

We are a very small school and are just getting started with infosec. We are evaluating frameworks and seem to be wavering between CIS and NIST 800-171.

My thoughts are that CIS will be easier for us to implement and manage long-term given our limited resources. But we have compliance issues to consider just like everyone else – HIPAA, PCI, FERPA, GLBA, etc.

Given those parameters, which do you think would be more successful for us – CIS or 800-171?

Thanks!

Chris

Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu

CyberAware – Be aware. Stay Secure.
Lourdes University will never ask you to send sensitive information through unsecure channels. Report any message that asks you to provide or confirm personal information such as credit card and/or bank account numbers, Social Security numbers, passwords, etc. or any other suspicious activity to infosec () lourdes edu. For more information please visit lourdes.edu/cyberaware.

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.