Educause Security Discussion mailing list archives
Re: [External] [SECURITY] ISO27001 vs NIST 800-171
From: "Shankar, Anurag" <ashankar () IU EDU>
Date: Fri, 31 Aug 2018 13:58:09 +0000
Hi Chris,

The biggest difference from my view is that, while ISO 27001 has a hundred-odd controls set, it is really a framework aimed at measuring/improving the high-level cybersecurity management structure for an organization (to protect data confidentiality, integrity, and availability). NIST 800-171 is a more typical physical, admin, and technical control set (also around a hundred) designed to protect data confidentiality only.

As for which is more appropriate, it depends on what the relevant compliance regimes are in your case and the effort you are willing to expend. The primary ones affecting EDU with specific cybersecurity requirements in my opinion are HIPAA, DFARS (for DoD contracts), CMS, and FISMA (for certain govt. contracts). NIST 800-171 is a good place to start if you don’t have a lot of resources, but if you want to use a single framework to cover all cyber compliance, I’d establish a NIST risk management framework (which uses NIST 800-53, the superset of 800-171) that also addresses integrity and availability. That is what we do here at IU.

I’d be more than happy to talk to you in more detail if you are interested.

Regards,
Anurag

---
Anurag Shankar, Ph.D.
Email: ashankar [at] iu.edu
Phone: +1 (812) 856-6978
Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University
2719 E. 10th Street, Suite 231, Bloomington, IN 47408

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () listserv educause edu> on behalf of "Davis, Chris" <CDavis () LOURDES EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () listserv educause edu>
Date: Friday, August 31, 2018 at 9:20 AM
To: "SECURITY () listserv educause edu" <SECURITY () listserv educause edu>
Subject: [External] [SECURITY] ISO27001 vs NIST 800-171
Can anyone provide me a quick and dirty compare/contrast between the two? Which is more appropriate for a higher education setting seeking to comply with the various regulatory requirements typically found in higher ed?

Thanks!
Chris

Christopher Davis, Ph.D.
Chief Information Officer
Assistant Professor of Education
Apple Teacher
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu