Educause Security Discussion mailing list archives
Re: Retooling HEISC self-assessment to NIST framework
From: Jeremy Rosenberg <rosey () BERKELEY EDU>
Date: Tue, 16 Jul 2019 11:06:57 -0700
We ran through the NIST CSF framework and generated our profile as we were trying to figure out the best way to judge our current state, set priorities and track progress. We then did the same thing with HEISC to see if it was a better fit. I started by mapping the maturity scores from the NIST profile over to the HEISC (1-4 felt like they generally say the same thing). What we found was that the mapping isn’t all that good and the scores, when dropped into the corresponding HEISC, didn’t really make sense.

I think the problem is that HEISC is much more specific and prescriptive than NIST CSF. So where our interpretation of the NIST subcategory varied too much from the corresponding HEISC question, the score was wrong.

In the end our conclusion was that the HEISC tool was too prescriptive for our purposes; it made assumptions about what we “should” be doing that we didn’t agree with. The NIST CSF, on the other hand, felt like it gave us the flexibility to apply it to our environment as we felt was appropriate.

YMMV

Jeremy

=======================================
Jeremy Rosenberg
Chief Information Security Officer
UC Berkeley
On Jul 16, 2019, at 8:43 AM, Jim A. Bole <jbole () STEVENSON EDU> wrote:

> I’d be interested in comments from anyone who’s applied the NIST CyberSecurity Framework (CSF) to the HEISC self-assessment tool. Attached is my first attempt. Most of the questions had NIST mapping in one of the tabs. So far it seems to map fairly well.
>
> Regards,
>
> Jim Bole
> Director of Information Security
> Stevenson University
> 1525 Greenspring Valley Road
> Stevenson, MD, 21153-0641
> jbole () stevenson edu <mailto:jbole () stevenson edu> | O: 443-334-2696
>
> <HEISCJuly2018-NIST-sample.xlsm>
Current thread:
- Retooling HEISC self-assessment to NIST framework Jim A. Bole (Jul 16)
- Re: Retooling HEISC self-assessment to NIST framework Jeremy Rosenberg (Jul 16)
- <Possible follow-ups>
- Re: Retooling HEISC self-assessment to NIST framework Jim A. Bole (Jul 18)