Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] CIS vs NIST
From: "Larry K. Emmons" <lkemmons () SVSU EDU>
Date: Mon, 21 May 2018 17:02:57 +0000
We started down the CIS path and then turned to NIST 800-171 with the Educause spreadsheet and cross mapping of NIST to CIS. We will turn back to CIS once we have walked through NIST 800-171.

Thanks,
Larry

Larry K. Emmons
Director of Technology and Support Services
Saginaw Valley State University

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Bennett, Daniel
Sent: Monday, May 21, 2018 11:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [External] Re: [SECURITY] CIS vs NIST

There are crosswalk guides available for CIS to NIST as well. I see HIPAA on your list, and NIST 800-53 (low and moderate controls) is a good resource. These are the controls that an auditor could/would look for from OCR/HHS if you had an issue.

Daniel Bennett
Enterprise Cybersecurity Architect
CISSP, ISSAP, ITIL
Information Security Office
Geisinger Health
100 N Academy Ave, Danville, PA 17822-2290 MC30-02
(w) 570-214-1685

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Corlew
Sent: Monday, May 21, 2018 11:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] Re: [SECURITY] CIS vs NIST

Since you are small and just starting down this path, I would go with CIS. NIST is generally directed toward US Federal Agencies and honestly probably isn't a good fit for what you are attempting to do. CIS will give you more of what you are looking to accomplish without feeling overwhelmed with trying to fit the NIST framework.

On Mon, 30 Apr 2018 13:49:40 +0000, Davis, Chris <CDavis () LOURDES EDU> wrote:

We are a very small school and are just getting started with infosec. We are evaluating frameworks and seem to be wavering between CIS and NIST 800-171. My thoughts are that CIS will be easier for us to implement and manage long-term given our limited resources. But we have compliance issues to consider just like everyone else: HIPAA, PCI, FERPA, GLBA, etc. Given those parameters, which do you think would be more successful for us, CIS or 800-171?

Thanks!
Chris

Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu