Educause Security Discussion mailing list archives
Re: Security Program: NIST, ISO, other?
From: "Shamblin, Quinn" <qrs () BU EDU>
Date: Thu, 17 Jan 2013 15:05:42 +0000
Hi Bryan,

I'm happy to share what I have. It is attached. I haven't taken the time to map everything but a good start is there. If you want any of the completed policies as a starting point for any review/creation work you might be doing, I can point you to what we have.

Another good place to go for mappings like this is the Cloud Security Alliance. They have some good research and tools in this area that it is nice to not have to replicate: https://cloudsecurityalliance.org/

They created a set of controls for cloud services and mapped them to all the major security standards (ISO, NIST, COBIT, more): https://cloudsecurityalliance.org/research/ccm/

They then took the controls and created a list of Y/N questions to help people evaluate them: https://cloudsecurityalliance.org/research/cai/

They are also working to get companies to perform a self-assessment using this tool so that the answers to all of this before the customer asks: https://cloudsecurityalliance.org/star/

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP - O 617-358-6310 M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of McLaughlin, Bryan S.
Sent: Thursday, January 17, 2013 9:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

Quinn,

I am planning to map our policies to standards and regulations. If you are willing to share, I would love to see what you have developed.

Bryan McLaughlin
Information Security Officer
Creighton University
bmclaughiln () creighton edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shamblin, Quinn
Sent: Thursday, January 17, 2013 8:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

We do a combination of the various security best practices and standards. We evaluate our systems using NIST 800-53, etc., mainly because we do a lot of research for the government and they require data security and management plans based on those standards. But we run the larger program with inputs from ISO 27001/2, NIST, COBIT, and even inputs from ITIL (or ISO 20000 if you prefer). We map our various policies to the standards/regulations that require that policy. I have a matrix (partially complete) that shows that mapping if you are interested.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP - O 617-358-6310 M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, A J (A. J.)
Sent: Thursday, January 17, 2013 9:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than ISO 27001. While we don't claim to implement 100% of it (it wouldn't be appropriate), we're making heavy use of FIPS 199, 800-37, 800-53, 800-66, etc.

I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's security program based on?

Thanks,
ajw

--
A. J. Wright
Chief Information Security Officer
University of Tennessee - System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN 37996-1717
Phone: 865-974-0637
Email: ajw () tennessee edu
Attachment: BU Information Security Policy List and Mapping to Standards - 2012-08-21.doc