Educause Security Discussion mailing list archives
NIST 800-53 evidence curating and maintenance
From: Stephen Gay <sgay () KENNESAW EDU>
Date: Wed, 13 Jan 2021 14:53:15 +0000
All,

As part of a recent audit engagement, we have been working toward creating an accurate and timely assessment of the institution’s Student Information System using the NIST 800-53 control categories. Areas that are measured at a maturity level of 2 (internally or by audit) or below are incorporated into a system risk register maintained in the same document and escalated to the enterprise IT risk register as applicable.

As we have gone through this exercise, there are many control categories which are scoped to the enterprise (Identity and Access Management, Incident Response, etc.), to specific data centers (Environmental Controls, Physical Access Controls), or are managed via contracted relationships with 3rd parties (also managed at an enterprise level). To that end, it seems reasonable to me that a matrix could be created which could serve as a programmatic backend for the creation and maintenance of this data and which would facilitate a larger rollout of 800-53 assessments?

For example, a replacement of the organization’s fire suppression system could be updated in one location (db table, xlsx, etc.) which is then referenced and output for all 800-53 system assessments which have the appropriate flags set for organizationally hosted and within institutional data centers. Externally hosted systems would reference another entry specific to fire protection controls being mitigated through 3rd party contracts.

Has anyone done anything like this and, if so, would you be willing to share your experiences and the areas which I may be overlooking?

Thanks,

Kennesaw State University
Stephen Gay
Executive Director Cybersecurity, CISO
University Information Technology Services (UITS)
1075 Canton Pl NW Room 016, MD 3503
Kennesaw, GA 30144
p: 470-578-6620
e: sgay () kennesaw edu
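The "matrix as a programmatic backend" idea in the post above, sketched as an added example (this is illustrative code written for this archive page, not Kennesaw State's tooling or anything the original author shared). It assumes a hypothetical data model: each control implementation is recorded once, tagged with the scope it covers ("enterprise", "datacenter:<name>" or "vendor:<name>"), and a system assessment is generated by matching the system's hosting flags against those scopes, with a system-specific entry taking precedence. Control IDs are real 800-53 identifiers; the systems, descriptions and maturity scores are constructed sample data, and the maturity-2 escalation threshold follows the post.

```python
"""Hypothetical control-inheritance resolver for NIST 800-53 assessments.

Each implementation record lives in one place (the "matrix"); per-system
assessments are derived from it, so replacing e.g. the fire suppression
system (PE-13) is a single update that flows to every system hosted in
that data center. All names and scores below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENTERPRISE = "enterprise"   # scope tag that applies to every system
RISK_THRESHOLD = 2          # maturity <= 2 lands on the system risk register


@dataclass(frozen=True)
class ControlImplementation:
    control_id: str     # e.g. "PE-13" (fire protection)
    scope: str          # "enterprise", "datacenter:Main", "vendor:ExampleSaaS", ...
    description: str
    maturity: int       # 0..5, as assessed internally or by audit


@dataclass
class System:
    name: str
    datacenter: Optional[str] = None   # set when institutionally hosted
    vendor: Optional[str] = None       # set when externally hosted
    # system-specific implementations that override inherited ones
    local: Dict[str, ControlImplementation] = field(default_factory=dict)


def scopes_for(system: System) -> List[str]:
    """Scopes a system inherits from, most specific first."""
    scopes = []
    if system.datacenter:
        scopes.append(f"datacenter:{system.datacenter}")
    if system.vendor:
        scopes.append(f"vendor:{system.vendor}")
    scopes.append(ENTERPRISE)
    return scopes


def resolve(system: System, catalog: List[ControlImplementation],
            controls: List[str]) -> Dict[str, Optional[ControlImplementation]]:
    """Build the per-system assessment: a local entry wins, otherwise the
    most specific matching scope; None means no record exists at all."""
    by_key = {(c.control_id, c.scope): c for c in catalog}
    assessment: Dict[str, Optional[ControlImplementation]] = {}
    for cid in controls:
        if cid in system.local:
            assessment[cid] = system.local[cid]
            continue
        assessment[cid] = None
        for scope in scopes_for(system):
            if (cid, scope) in by_key:
                assessment[cid] = by_key[(cid, scope)]
                break
    return assessment


def risk_register(assessment: Dict[str, Optional[ControlImplementation]]) -> List[str]:
    """Controls with no record, or maturity at/below the threshold, are escalated."""
    return sorted(cid for cid, impl in assessment.items()
                  if impl is None or impl.maturity <= RISK_THRESHOLD)


def update_implementation(catalog: List[ControlImplementation],
                          new: ControlImplementation) -> List[ControlImplementation]:
    """Replace the single record for (control, scope); every assessment
    picks the change up on its next resolve() with no per-system edits."""
    return [c for c in catalog
            if (c.control_id, c.scope) != (new.control_id, new.scope)] + [new]


# Constructed sample matrix.
CATALOG = [
    ControlImplementation("IA-2", ENTERPRISE, "Central SSO with MFA", 4),
    ControlImplementation("IR-4", ENTERPRISE, "Enterprise incident handling", 3),
    ControlImplementation("PE-13", "datacenter:Main", "Clean-agent fire suppression", 4),
    ControlImplementation("PE-3", "datacenter:Main", "Badge plus camera access", 3),
    ControlImplementation("PE-13", "vendor:ExampleSaaS", "Fire protection per vendor audit report", 3),
    ControlImplementation("PE-3", "vendor:ExampleSaaS", "Physical access per vendor audit report", 2),
]
CONTROLS = ["IA-2", "IR-4", "PE-3", "PE-13", "SC-28"]  # SC-28 deliberately has no record

SIS = System("Student Information System", datacenter="Main")
SAAS = System("Hosted LMS", vendor="ExampleSaaS")

if __name__ == "__main__":
    for system in (SIS, SAAS):
        result = resolve(system, CATALOG, CONTROLS)
        print(system.name)
        for cid, impl in result.items():
            text = f"{impl.description} (maturity {impl.maturity})" if impl else "NO RECORD"
            print(f"  {cid}: {text}")
        print("  risk register:", risk_register(result))
```

The two design choices worth noting: a control with no matching record at any scope is treated as a finding rather than silently omitted, which is what catches "we assumed the data center covered that" gaps; and the scope order is most specific first, so a system-level or data-center-level record overrides an enterprise one without needing duplicate rows.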