Educause Security Discussion mailing list archives

Re: Retooling HEISC self-assessment to NIST framework


From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Thu, 18 Jul 2019 14:23:24 +0000

Jeremy,

Great points.

For me, I would love to see some sort of baseline/aggregate scoring that would allow me to see how my institution 
compares to other peer institutions. HEISC doesn’t have that.

Jim

From: Jeremy Rosenberg <rosey () BERKELEY EDU>
Sent: Tuesday, July 16, 2019 2:07 PM
Subject: Re: Retooling HEISC self-assessment to NIST framework

We ran through the NIST CSF framework and generated our profile as we were trying to figure out the best way to judge 
our current state, set priorities and track progress. We then did the same thing with HEISC to see if it was a better 
fit. I started by mapping the maturity scores from the NIST profile over to the HEISC. (1-4 felt like they generally 
say the same thing)

What we found was that the mapping isn’t all that good and the scores when dropped into the corresponding HEISC didn’t 
really make sense. I think the problem is that HEISC is much more specific and prescriptive than NIST CSF. So where our 
interpretation of the NIST sub category varied too much from the corresponding HEISC question, the score was wrong.

In the end our conclusion was that the HEISC tool was too prescriptive for our purposes; it made assumptions about what 
we “should” be doing that we didn’t agree with. The NIST CSF, on the other hand, felt like it gave us the flexibility 
to apply it to our environment as we felt was appropriate.

YMMV

Jeremy

=======================================
Jeremy Rosenberg
Chief Information Security Officer
UC Berkeley


On Jul 16, 2019, at 8:43 AM, Jim A. Bole <jbole () STEVENSON EDU> wrote:

I’d be interested in comments from anyone who’s applied the NIST Cybersecurity Framework (CSF) to the HEISC 
self-assessment tool.

Attached is my first attempt. Most of the questions had NIST mapping in one of the tabs.

So far it seems to map fairly well.

Regards,

Jim Bole

Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696


<HEISCJuly2018-NIST-sample.xlsm>

