Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?


From: Dan Sarazen <dsarazen () BRANDEIS EDU>
Date: Thu, 17 Jan 2013 19:12:28 -0500

I’ve got to agree with Steven. Using PCI DSS for your overall policy would
probably be expensive overkill. For example, PCI DSS requires (if you are
transmitting cardholder data over your network) that you document each and
every open firewall port and explain, in writing for each, the business
rationale for the port being open.



Perhaps your QSA misspoke?



Good Luck.



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Steven Alexander
*Sent:* Thursday, January 17, 2013 6:56 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: Security Program: NIST, ISO, other?



I think your QSA has no clue what he’s talking about; sorry.



The 12 PCI DSS requirements are not meant to be applied that way and
several of them refer specifically to cardholder data.  In addition to
that, I just don’t think the detailed requirements are very good.  You
should just make sure the PCI requirements are addressed as part of a more
comprehensive security program.



Steven Alexander Jr.

Online Education Systems Manager

Merced College



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Christopher Jones
*Sent:* Thursday, January 17, 2013 8:48 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Security Program: NIST, ISO, other?



When we were conducting a gap analysis for PCI-DSS, our QSA recommended
that we adopt the 12 PCI standards as our overriding security policy.  Has
anyone had similar advice or considered doing this?



Christopher Jones

IT Security Analyst

University of the Fraser Valley

Christopher.Jones () ufv ca





*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Wright, A J (A. J.)
*Sent:* Thursday, January 17, 2013 6:37 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Security Program: NIST, ISO, other?



Hello all,



At the University of Tennessee, our security program is based on the NIST
800 Series special publications rather than ISO 27001.  While we don’t
claim to implement 100% of it (it wouldn’t be appropriate), we’re making
heavy use of FIPS 199, 800-37, 800-53, 800-66, etc.



I’ve had staff calling and emailing around asking this, but I figured I’d
ask this list also: what is your school’s security program based on?



Thanks,

ajw

--

*A. J. Wright*
Chief Information Security Officer



University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637

Email: ajw () tennessee edu



