Educause Security Discussion mailing list archives
Re: security management techniques
From: Doug Markiewicz <doug () CMU EDU>
Date: Mon, 18 Jun 2012 13:36:48 +0000
My own opinion is that all of these frameworks have their advantages and disadvantages. How and what you choose should be somewhat dependent upon what you're trying to accomplish.

The HEISC has formed a project team to build an information security program benchmarking tool, building on previous work done around the information security governance assessment tool (link below). The project team is still chartering its work, but early indications are that the tool will standardize around the ISO 27000 series with some crosswalking of other standards and regulations where appropriate. The intent is to build a tool off of existing standards that will allow academic institutions to benchmark the maturity of their security programs. More to come on that as the work progresses.

http://net.educause.edu/ir/library/pdf/SEC0421.pdf

At Carnegie Mellon we leverage ISO, NIST, COBIT and others at different times for different reasons. More recently we have been looking at the Resiliency Management Model, which is a model for operational process improvement that brings together information security, business continuity and IT operations to help organizations achieve operational resilience. It's not a security management framework, but it's worth a look.

http://www.cert.org/resilience/rmm.html

Don't even get me started on licensing for ISO standards, membership fees associated with ITGI resources, the more recent move to licensing of the Shared Assessments framework, etc. Grrr... >:-|
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Pirolo
Sent: Thursday, June 14, 2012 12:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security management techniques

Just wondering if any other schools have standardized on any of these security management techniques: ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc. If so, I'd be interested in your feedback on them.

Unless I'm grossly missing something, it seems like one has to pay to get the ISO standards from ISO.org/ANSI. That doesn't make sense...

-David