Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] What security framework are you using, and why?


From: Shane Kroening <skroening () QUALYS COM>
Date: Tue, 21 Sep 2021 18:43:54 +0000

All,

I’d like to echo the folks here who say you need to start with the why before complying with a certain framework. To 
take that a step further, let me walk you through what I would advise doing to get started.

Rather than focusing on a certain security framework or mandate, such as NIST 800-53, CMMC, etc., you should first focus 
on what is in your environment. This has two key aspects: technologies (operating systems, databases, middleware, 
frontends, etc.) and system use cases (what is this device used for, what is it accessing, does it communicate with a 
protected entity, such as the federal government?).

Once you’ve determined those details, you can start to consider the individual controls that each technology and system 
needs to meet. If you want an ‘easy button’ and aren’t looking to focus on the controls, I’d start with the CIS 
benchmarks and utilize their controls for each appropriate technology.

Once you have some controls in place and are ensuring they are met, then you can start to consider how to meet certain 
mandates. Not to mention, you’ll just be in a better overall cybersecurity position.

I hope this helps! Please do not hesitate to reach out to me directly if I can clarify any of this or provide more info 
on specific controls, policies, or mandates!

Best,
Shane

Shane Kroening <https://www.linkedin.com/company/qualys>
Technical Account Manager, Pre-Sales, Central (SLED)

skroening () qualys com<mailto:skroening () qualys com>
414.791.5674

Qualys, Inc. – Blog<https://qualys.com/blog> | Community<https://community.qualys.com/> | 
Twitter<https://twitter.com/qualys>


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Powell, Andy 
<ap16 () WILLIAMS EDU>
Date: Monday, September 20, 2021 at 7:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [External] Re: [SECURITY] What security framework are you using, and why?
Hi all,

  As I am up to my eyeballs in this at the moment, I figured I'd share a bit about my experience and our journey here 
at Williams.

  Coming from FinSvcs, I immediately gravitated towards 800-53r4 and developed a Program that aligned to it and mapped 
activities and controls back to both 800-53r4 and NIST CSF. CSF is the broad framework the college has agreed to align 
with, leaving me some latitude with lower-level frameworks for realizing the goals.

  But, 800-53r5 dropped earlier this year around the same time that the Federal Student 
Aid<https://fsapartners.ed.gov/knowledge-center/library/electronic-announcements/2020-12-18/protecting-student-information-compliance-cui-and-glba>
 was indicating that they would audit for compliance with NIST 800-171r2.

  For sanity's sake, it may be important to note that 800-53r4 contained ~240 controls across 18 groups, while 
800-53r5, which supersedes r4, has 20 groups, and has ~850 controls and control enhancements.

  When faced with this uphill, control-based climb, I was relieved to read the advice on 800-171, which feels more like 
800-53r4 with 111 controls, covering both "basic" and "derived" areas of concern.

  To plug 800-171 into the existing CSF/800-53r4 based program, I used NIST's helpful mapping of 800-171 to CSF 
here<https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/csf-v1-0-to-sp800-171rev2-mapping.xlsx>.
 In the notes, it clearly spells out that 800-171 is designed to protect the confidentiality of CUI only, and may not 
address Integrity or Availability well enough to meet our respective institutions' needs. There are a few 800-171 
controls that are not mapped to the CSF directly (4 or 5) but those were manually mapped to corresponding sections of 
our Program that made logical sense.

  The caution here is threefold:

  1. Don't use superseded frameworks (i.e. 800-53r4)
  2. Compliance is not security (i.e. you may need to invite in 800-53r5 or CIS controls selectively to address data 
integrity and availability for your institution)
  3. Know your org and, as Anurag said, know what you are trying to accomplish. 800-53r5 is too heavily control- and 
control-maturity-based for our college, and we don't govern the program by control effectiveness as much as risk 
reduction.

  I suppose it makes sense for Federal Student Aid to "only" care about data confidentiality, but I suspect the college 
and our board care about more than just that single dimension of information security. I hope this helps!

--Andy


On Fri, Sep 17, 2021 at 4:50 PM Shankar, Anurag <ashankar () iu edu<mailto:ashankar () iu edu>> wrote:
Hi Vince,

It really depends on what you want to do.  If it is to make individual systems comply with regulations, the NIST RMF 
and 800-53 are still the way to go in my opinion, that is, if you have the resources and gumption to stomach the lot.  
We have used the RMF since 2014, mostly because it gives us a single tool to address pretty much all cyber compliance, 
in particular FISMA, DFARS, and HIPAA.  (We have about 70 central research and enterprise systems for which we maintain 
800-53 SSPs.)  The problem is that, because of its use of a control set like 800-53, the RMF is highly system-centric, 
expensive, and a poor choice for building say a campus security program.  The best framework for that is the newly 
minted Trusted CI Framework (https://www.trustedci.org/framework).  While its implementation guide is for research CI 
providers, the general principles are universal.  800-171 is just a smaller, system-centric control catalog (than 
800-53), but still system-centric.  NIST CSF is ok as a framework, but still too NIST-ish for me.

Anurag
--
Anurag Shankar, PhD
Center for Applied Cybersecurity Research
Indiana University

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of Jay Gallman <jay.gallman () DUKE EDU<mailto:jay.gallman () DUKE EDU>>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>>
Date: Friday, September 17, 2021 at 3:03 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [External] Re: [SECURITY] What security framework are you using, and why?


As Robert mentions, the HEISC 800-171 Community Group | 
EDUCAUSE<https://www.educause.edu/community/heisc-800-171-community-group>, where I am one of the group leaders, is 
looking at questions like the one raised.  We meet next Tuesday at 10:30, so please feel free to join us.

Regards,
--
Jay Gallman, GCIH
Risk Management IT Analyst | IT Security Office | Duke University
Phone: 919 684-8060
My Availability:  Microsoft 365<https://outlook.office365.com/owa/calendar/d787a256f208403e9711748e356080af () duke 
edu/57d1ee81e6ad40daa985f447ef6881ce17105695644070449399/calendar.html>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of Barton, Robert W. <bartonrt () LEWISU EDU<mailto:bartonrt () LEWISU EDU>>
Date: Friday, September 17, 2021 at 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] What security framework are you using, and why?
With Student Financial Aid requiring agencies to use NIST 800-171, I would use that.  There are a few working groups 
within Educause examining 800-171 and working on tools.

Robert W. Barton
Executive Director of Information Security & Policy
Lewis University
1 University Parkway
Romeoville, IL  60446-2200
815-836-5663

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of Vince Bonura <vbonura () FORDHAM EDU<mailto:vbonura () FORDHAM EDU>>
Sent: Friday, September 17, 2021 1:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [SECURITY] What security framework are you using, and why?

Hello again!

With the vast list of security frameworks to choose from, ISO/IEC 27000, COBIT 5, NIST SP 800-53, ITIL to name a few, 
I have been tasked to find the best one to use for our institution.  I thought it might be a good idea to see what 
other institutions are using and why.

I would be interested in knowing if you have a case study or a weblink that explains the reasoning for your selection.

We have tried a number over the last 15 years and while we thought NIST 800-53 was the right choice, we find that it 
doesn’t accurately align with our school. Last year a consultant firm we hired for a NIST 800-171 gap assessment 
recommended NIST CSF.

So, we’re working through the crosswalk exercise and thought we should reach out to our higher education colleagues for 
your feedback.

Don’t be shy!

Thanks in advance!

Vince Bonura
IT Risk Analyst
Fordham University
(718) 817-1875




**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community