Educause Security Discussion mailing list archives
Re: CIS vs NIST
From: randy <marchany () VT EDU>
Date: Mon, 30 Apr 2018 11:50:36 -0400
Chris, I think you mixed standards with operational tasks. 800-171 is a standard/framework whereas CIS is an operational task list. Framework implementation plans are "stacked" in the sense that they address different stages of implementing a particular framework. The "stack" starts at the high level frameworks (NIST 800-53a, ISO 27002, NIST 800-171, IEC 62443, COBIT, etc.) and regulations (FERPA, HIPAA, PCI, GLBA, MA CoM 201, NY-NYCRR 500, etc.) -> operational strategy (20 Critical Security Controls) -> operational tasks (CIS Benchmarks) -> building your "gold" images. This roadmap helps you translate the high level requirements of a framework like NIST or ISO into actual operational steps that meet the requirements.

I wasn't sure if you were talking about implementing a security framework for your entire university or about creating a course for students. I'm assuming it's the university's compliance with a security framework.

We use the Critical Security Controls (CSC) as our operational strategy. You can view a map of the critical controls to a ton of standards by downloading a spreadsheet from www.auditscripts.com/download/2742, or go to www.auditscripts.com -> Free Resources -> Critical Security Controls and click on the Auditscripts Critical Security Controls Mapping spreadsheet link. We adopted the Stanford Minimum Security Standards model (our version is attached to this note), which gives a set of actions to be done on endpoints, servers and apps. We mapped these actions to the CSC. You can find detailed commands to implement these actions in the CIS benchmarks.

For example, NIST 800-171 control 3.5.7 states "Enforce a minimum password complexity and change of characters when new passwords are created." This NIST requirement maps to CSC 16 (Account Monitoring and Control), but you want to do this for a Windows Server 2016 system. The details are in the CIS benchmark for Windows Server 2016. You look up password complexity in the CIS Server 2016 Benchmark document and section 1.1.5 of the document contains the commands to implement this requirement. Cut and paste that command into a script file that "hardens" your server to

If on the other hand you were talking about creating course content for classes, you can see some of the offerings at the VA Cyber Range (www.virginiacyberrange.org) by clicking on the courseware link. Accessing the materials is available to VA schools only at the moment, but there are plans to expand, and you can see the course offerings and how they map to KSA/KSUs.

Joanna Grama, Jarret Cummings and I did a workshop at the recent Educause SecPro conference on implementing 800-171 compliance using the 20 CSC. The workshop materials are at https://events.educause.edu/special-topic-events/security-professionals-conference/2018/agenda/from-preparation-to-practice--using-the-cis-critical-security-controls-to-implement-nist-800171-security-compliance .

Hope this helps.

Randy Marchany
VA Tech IT Security Office and Lab

On Mon, Apr 30, 2018 at 9:49 AM, Davis, Chris <CDavis () lourdes edu> wrote:
We are a very small school and are just getting started with infosec. We are evaluating frameworks and seem to be wavering between CIS and NIST 800-171. My thoughts are that CIS will be easier for us to implement and manage long-term given our limited resources. But we have compliance issues to consider just like everyone else – HIPAA, PCI, FERPA, GLBA, etc. Given those parameters, which do you think would be more successful for us – CIS or 800-171?

Thanks!

Chris

Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu

CyberAware – Be aware. Stay Secure. Lourdes University will never ask you to send sensitive information through unsecure channels. Report any message that asks you to provide or confirm personal information such as credit card and/or bank account numbers, Social Security numbers, passwords, etc. or any other suspicious activity to infosec () lourdes edu. For more information please visit lourdes.edu/cyberaware.

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
Attachment:
DRAFT Updated Minimum Security Standards 03 2018.docx
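The framework -> CSC -> CIS benchmark chain in Randy's example (NIST 800-171 3.5.7 -> CSC 16 -> the Windows Server 2016 password-complexity setting) ends in a concrete local policy value that can be audited. Below is an added compliance check written for this page, not code from the post, the CIS benchmark or the attached standard; it assumes it runs in an elevated PowerShell on the server, and the target values (complexity enabled, length 14, history 24) are the example's own assumptions, to be replaced with what the benchmark and your minimum security standard actually require.

```powershell
# Added example (not from the post or the CIS benchmark): audit the local
# password policy that the 800-171 3.5.7 -> CSC 16 -> CIS Windows Server 2016
# benchmark chain resolves to. Run in an elevated PowerShell on the server.
# Target values are this example's own assumptions; take the real ones from
# the benchmark and your minimum security standard.
$Targets = @(
    @{ Key = 'PasswordComplexity';    Want = 1;  Test = 'eq' }  # Enabled
    @{ Key = 'MinimumPasswordLength'; Want = 14; Test = 'ge' }  # assumed
    @{ Key = 'PasswordHistorySize';   Want = 24; Test = 'ge' }  # assumed
)

# secedit writes the effective local security policy to an .inf file
$cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $cfg /quiet | Out-Null

# Keep only numeric "Key = value" lines; other lines carry quoted strings
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$results = foreach ($t in $Targets) {
    $have = $policy[$t.Key]
    $pass = switch ($t.Test) {
        'eq' { $have -eq $t.Want }
        'ge' { ($null -ne $have) -and ($have -ge $t.Want) }
    }
    [pscustomobject]@{
        Requirement = 'NIST 800-171 3.5.7 / CSC 16'
        Setting     = $t.Key
        Target      = $t.Want
        Actual      = if ($null -eq $have) { 'not set' } else { $have }
        Status      = if ($pass) { 'PASS' } else { 'FAIL' }
    }
}
$results | Format-Table -AutoSize

# Non-zero exit lets the check gate a "gold" image build or hardening pipeline
if ($results.Status -contains 'FAIL') { exit 1 }
```

Each output row carries the framework reference next to the benchmark setting, which is the same mapping the post describes, recorded where an auditor can see it.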