Educause Security Discussion mailing list archives

Re: System Hardening Standards


From: "Shankar, Anurag" <ashankar () IU EDU>
Date: Mon, 14 Nov 2016 20:48:28 +0000

Hello Justin,

We use NIST 800-53, but only as a tool that informs the process for hardening our central systems to meet HIPAA 
standards.  We start by documenting the existing 800-53 controls, using it as a catalog of all controls known to man 
(or woman), so as not to miss any control that might apply.  We then do an assessment to determine if each missing (or 
mis-implemented) control represents risk for the specific environment the system is in and the typical workflows it 
handles. It’s basically poor man’s system threat modeling.

Regards,

Anurag

---
Anurag Shankar,  Ph.D.  Email: ashankar [at] iu.edu  Phone: +1 (812) 856-6978
Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University
2719 E. 10th Street, Suite 231, Bloomington, IN 47408

On 11/14/16, 12:36 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Justin Harwood" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of Justin.Harwood () CPCC EDU> wrote:

    Hello,
    
    Can someone recommend what you have used in the EDU space for system hardening standards that works well?
    
