Educause Security Discussion mailing list archives

Re: security management techniques


From: "Stephen C. Gay" <sgay () KENNESAW EDU>
Date: Thu, 14 Jun 2012 12:52:41 -0400

David,

When our program was founded in 2006, we designed it at Kennesaw State University around NIST's 800-53 classes (technical, 
operational, and managerial). All projects were mapped into these categories and it was easy to communicate to a 
technical / InfoSec audience. Even so, we found the classes did not lend themselves to mapping into the mission of the 
organization or to proactive safeguards.

We transitioned our program over to the ISO 27001 framework in 2011 and it has provided for a more complete picture of 
our information security program. We did pay for the documents (cost is fairly reasonable) but you may want to start 
with the numerous Educause presentations regarding the framework. They will give you the general idea and touch on 
advantages / disadvantages. 

Stephen C Gay CISSP CISA 
ITS Associate Director - Information Security Office 
KSU Information Security Officer 
Kennesaw State University 
sgay () kennesaw edu 

----- Original Message -----
From: "David Pirolo" <webmaster () WARNERPACIFIC EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Thursday, June 14, 2012 12:09:57 AM
Subject: [SECURITY] security management techniques

Just wondering if any other schools have standardized on any of these
security management techniques.  
ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc.

If so, I'd be interested in your feedback of such.  Unless I'm grossly
missing something, it seems like one has to pay to get the ISO standards
from ISO.org/ANSI.  That doesn't make sense...

-David