Educause Security Discussion mailing list archives

Re: CIS vs NIST


From: Mark Corlew <mark.corlew () ANDERSON UCLA EDU>
Date: Mon, 21 May 2018 09:28:08 -0600

Since you are small and just starting down this path, I would go with CIS. NIST is generally directed toward US Federal 
Agencies and honestly probably isn't a good fit for what you are attempting to do. CIS will give you more of what you 
are looking to accomplish without feeling overwhelmed with trying to fit the NIST framework. 

On Mon, 30 Apr 2018 13:49:40 +0000, Davis, Chris <CDavis () LOURDES EDU> wrote:

We are a very small school and are just getting started with infosec.  We are evaluating frameworks and seem to be 
wavering between CIS and NIST 800-171.

My thoughts are that CIS will be easier for us to implement and manage long-term given our limited resources.  But we 
have compliance issues to consider just like everyone else – HIPAA, PCI, FERPA, GLBA, etc.

Given those parameters, which do you think would be more successful for us – CIS or 800-171?

Thanks!

Chris

Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu<mailto:cdavis () lourdes edu>

