Educause Security Discussion mailing list archives
Re: Retooling HEISC self-assessment to NIST framework
From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Thu, 18 Jul 2019 14:23:24 +0000
Jeremy,

Great points. For me, I would love to see some sort of baseline/aggregate scoring that would allow me to see how my institution compares to other peer institutions. HEISC doesn’t have that.

Jim

From: Jeremy Rosenberg <rosey () BERKELEY EDU>
Sent: Tuesday, July 16, 2019 2:07 PM
Subject: Re: Retooling HEISC self-assessment to NIST framework

We ran through the NIST CSF framework and generated our profile as we were trying to figure out the best way to judge our current state, set priorities and track progress. We then did the same thing with HEISC to see if it was a better fit. I started by mapping the maturity scores from the NIST profile over to the HEISC. (1-4 felt like they generally say the same thing.) What we found was that the mapping isn’t all that good, and the scores, when dropped into the corresponding HEISC, didn’t really make sense. I think the problem is that HEISC is much more specific and prescriptive than NIST CSF. So where our interpretation of the NIST sub category varied too much from the corresponding HEISC question, the score was wrong.

In the end our conclusion was that the HEISC tool was too prescriptive for our purposes; it made assumptions about what we “should” be doing that we didn’t agree with. The NIST CSF, on the other hand, felt like it gave us the flexibility to apply it to our environment as we felt was appropriate.

YMMV

Jeremy

=======================================
Jeremy Rosenberg
Chief Information Security Officer
UC Berkeley

On Jul 16, 2019, at 8:43 AM, Jim A. Bole <jbole () STEVENSON EDU> wrote:

I’d be interested in comments from anyone who’s applied the NIST Cybersecurity Framework (CSF) to the HEISC self-assessment tool. Attached is my first attempt. Most of the questions had NIST mapping in one of the tabs. So far it seems to map fairly well.

Regards,
Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

<HEISCJuly2018-NIST-sample.xlsm>