Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?


From: "Shamblin, Quinn" <qrs () BU EDU>
Date: Thu, 17 Jan 2013 15:05:42 +0000

Hi Bryan,

I'm happy to share what I have.  It is attached.  I haven't taken the time to map everything but a good start is there. 
 If you want any of the completed policies as a starting point for any review/creation work you might be doing, I can 
point you to what we have.

Another good place to go for mappings like this is the Cloud Security Alliance.
They have some good research and tools in this area that it is nice to not have to replicate:
      https://cloudsecurityalliance.org/
They created a set of controls for cloud services and mapped them to all the major security standards (ISO, NIST, 
COBIT, more):
     https://cloudsecurityalliance.org/research/ccm/
They then took the controls and created a list of Y/N questions to help people evaluate them:
     https://cloudsecurityalliance.org/research/cai/
They are also working to get companies to perform a self-assessment using this tool so that the answers to all of this 
before the customer asks:
     https://cloudsecurityalliance.org/star/


Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  -  O 617-358-6310  M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
McLaughlin, Bryan S.
Sent: Thursday, January 17, 2013 9:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

Quinn, I am planning to map our policies to standards and regulations, if you are willing to share I would love to see 
what you have developed.

Bryan McLaughlin
Information Security Officer
Creighton University
bmclaughiln () creighton edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Shamblin, Quinn
Sent: Thursday, January 17, 2013 8:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

We do a combination of the various security best practices and standards.  We evaluate our systems using NIST 800-53, 
etc. mainly because we do a lot of research for the government and they require data security and management plans 
based on those standards.  But we run the larger program with inputs from ISO27001/2, NIST, COBIT, and even inputs from 
ITIL (or ISO 20000 if you prefer).  We map our various policies to the standards/regulations that require that policy.  
I have a matrix (partially complete) that shows that mapping if you are interested.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  -  O 617-358-6310  M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, 
A J (A. J.)
Sent: Thursday, January 17, 2013 9:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than 
ISO 27001.  While we don't claim to implement 100% of it (it wouldn't be appropriate,) we're making heavy use of 
FIPS199, 800-37, 800-53, 800-66, etc.

I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's 
security program based on?

Thanks,
ajw
--
A. J. Wright
Chief Information Security Officer

University of Tennessee - System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637
Email: ajw () tennessee edu

Attachment: - BU Information Security Policy List and Mapping to Standards - 2012-08-21.doc
Description: - BU Information Security Policy List and Mapping to Standards - 2012-08-21.doc
