Educause Security Discussion mailing list archives
Re: CIS vs NIST
From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Mon, 30 Apr 2018 14:30:23 +0000
Chris, I would recommend looking at any framework (CIS, NIST 800-53/171, NIST CSF) and paring down the list. Start with understanding the overall framework and whether or not the framework fits given your size. Given your size, with an approximate enrollment of 1,100, you aren't going to be able to implement any particular framework fully. I would recommend a 3-year plan to address the top 5 or 6 things. There are diminishing returns as you continue down the path.

#1 on your list should be Patch, Patch, Patch. This protects against 90%+ of all network-based attacks out there and is relatively easy. This is low-hanging fruit.

Pick 2 things you can accomplish this year. Pick 2 things you can accomplish next year as well as continuing to maintain your first 2. Then, pick 2 more things you can do in your 3rd year while maintaining your first 4. After you've been successful at your first 6, re-evaluate each one of them individually and see if you have the capacity to expand beyond the first 6. Each of these can be done according to the recommendations of a framework of your choosing.

Your list should be based on your own risks. Don't worry about quantifying your risks. A qualitative assessment with some simple numbers would be good enough. Start tracking every event and start developing some simple metrics in order to justify your risk ranking and control priorities.

Michael

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
www.mnsu.edu/its/security

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Davis, Chris
Sent: Monday, April 30, 2018 8:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] CIS vs NIST

We are a very small school and are just getting started with infosec. We are evaluating frameworks and seem to be wavering between CIS and NIST 800-171. My thoughts are that CIS will be easier for us to implement and manage long-term given our limited resources. But we have compliance issues to consider just like everyone else: HIPAA, PCI, FERPA, GLBA, etc. Given those parameters, which do you think would be more successful for us, CIS or 800-171?

Thanks!
Chris

Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu

CyberAware: Be aware. Stay Secure. Lourdes University will never ask you to send sensitive information through unsecure channels. Report any message that asks you to provide or confirm personal information such as credit card and/or bank account numbers, Social Security numbers, passwords, etc. or any other suspicious activity to infosec () lourdes edu. For more information please visit http://lourdes.edu/cyberaware.

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
Current thread:
- CIS vs NIST Davis, Chris (Apr 30)
- Re: CIS vs NIST Chad Tracy (Apr 30)
- Re: CIS vs NIST Nicklaus Giacobe (Apr 30)
- Re: CIS vs NIST Nicklaus Giacobe (Apr 30)
- Re: [External Sender] Re: [SECURITY] CIS vs NIST Davis, Chris (Apr 30)
- Re: CIS vs NIST Nicklaus Giacobe (Apr 30)
- Re: CIS vs NIST Adam Menos (Apr 30)
- Re: CIS vs NIST Simanovich, Roman (Apr 30)
- Re: [External Sender] Re: [SECURITY] CIS vs NIST Davis, Chris (Apr 30)
- Re: [External Sender] Re: [SECURITY] CIS vs NIST Edgmand, Craig (Apr 30)
- Re: [External Sender] Re: [SECURITY] CIS vs NIST Davis, Chris (Apr 30)
- Re: CIS vs NIST Menne, Michael S (Apr 30)
- Re: CIS vs NIST Valdis Kletnieks (Apr 30)
- Re: CIS vs NIST Bridges, Robert A. (Apr 30)
- Re: CIS vs NIST Valdis Kletnieks (Apr 30)
- Re: CIS vs NIST Bridges, Robert A. (Apr 30)
- Re: CIS vs NIST Kevin Wilcox (May 02)
- Re: CIS vs NIST Bridges, Robert A. (May 03)
- Re: CIS vs NIST Kevin Wilcox (May 03)
- Re: CIS vs NIST Valdis Kletnieks (Apr 30)
- <Possible follow-ups>
- Re: CIS vs NIST Mark Corlew (May 21)