Educause Security Discussion mailing list archives
Re: Security Program: NIST, ISO, other?
From: Dan Sarazen <dsarazen () BRANDEIS EDU>
Date: Thu, 17 Jan 2013 09:55:25 -0500
Hi A.J.,

For most of the schools I review that don’t have an IS policy I recommend they *base* their IS Policy on ISO27001/2. It’s my understanding that ISO maps to NIST, HIPAA, FERPA, and PCI, but that NIST doesn’t map to HIPAA or PCI. If your Information Security Policy doesn’t cover PCI or HIPAA controls, then you would have to create supplemental policies and procedures to cover those compliance areas, and who really wants to do that?

The attached is about a year old, and I cannot verify its accuracy, but one of the tabs maps NIST to ISO and shows the gaps.

Another reason to use ISO, IMO, is because many risk assessments have already been developed against the ISO series and can be easily leveraged without having to create your own.

The link below also contains a discussion on this issue.

Good Luck! My $.02

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706

From: The EDUCAUSE Security Constituent Group Listserv [mailto: SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, A J (A. J.)
Sent: Thursday, January 17, 2013 9:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than ISO 27001. While we don’t claim to implement 100% of it (it wouldn’t be appropriate), we’re making heavy use of FIPS199, 800-37, 800-53, 800-66, etc.

I’ve had staff calling and emailing around asking this, but I figured I’d ask this list also: what is your school’s security program based on?

Thanks,
ajw

--
A. J. Wright
Chief Information Security Officer
University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN 37996-1717
Phone: 865-974-0637
Email: ajw () tennessee edu
Attachment: NIST ISO MappingFINAL.xls