Educause Security Discussion mailing list archives
Re: What security framework are you using, and why?
From: John Virden <john.virden () MIAMIOH EDU>
Date: Fri, 17 Sep 2021 14:59:25 -0400
Hello Vince, always a fun topic. In the past I have followed ISO 27001/2 (which I like) and NIST CSF (easy for non-security folks to understand). At Miami of Ohio we use what we call NIST SP 800-171 'Plus.' Simply means we are using the NIST 171 as a basis to cover confidentiality, and adding a handful of other controls from ISO and NIST SP 800-53 to cover availability and integrity.

Why the push for NIST 171? Two reasons.

1) The state of Ohio offers safe harbor <https://codes.ohio.gov/ohio-revised-code/section-1354.02> (i.e. affirmative defense in case of data breach) if we conform to one of their 'industry recognized frameworks.' I mention this in case you want to look at your State's codes to see if they give any direction.

2) With CMMC for Federal research data on our doorstep, conforming to NIST 171 reduces the number of frameworks we need to contend with.

Wish you well.

John

On Fri, Sep 17, 2021 at 2:39 PM Vince Bonura <vbonura () fordham edu> wrote:
Hello again! With the vast list of security frameworks to choose from, ISO/IEC 27000, COBIT 5, NIST SP 800-53, ITIL to name a few, I have been tasked to find the best one to use for our institution. I thought it might be a good idea to see what other institutions are using and why. I would be interested in knowing if you have a case study or a weblink that explains the reasoning for your selection.

We have tried a number over the last 15 years and while we thought NIST 800-53 was the right choice, we find that it doesn't accurately align with our school. Last year a consultant firm we hired for a NIST 800-171 gap assessment recommended NIST CSF. So, we're working through the crosswalk exercise and thought we should reach out to our higher education colleagues for your feedback. Don't be shy!

Thanks in advance!

Vince Bonura
IT Risk Analyst
Fordham University
(718) 817-1875

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
--
John Virden
Assistant Vice President for Security, Compliance, and Risk Management
Chief Information Security Officer
Miami University
325 Hoyt Hall
Oxford, OH 45056
john.virden () miamioh edu
O: 513-529-9252 | MiamiOH.edu
Current thread:
- What security framework are you using, and why? Vince Bonura (Sep 17)
- Re: What security framework are you using, and why? Barton, Robert W. (Sep 17)
- Re: What security framework are you using, and why? Jay Gallman (Sep 17)
- Re: What security framework are you using, and why? John Virden (Sep 17)
- Re: What security framework are you using, and why? Christian Schreiber (Sep 17)
- Re: What security framework are you using, and why? Blake Penn (Sep 17)
- Re: What security framework are you using, and why? Foss, Henry L. (Sep 17)
- Re: What security framework are you using, and why? Uday Kiran (Sep 18)
- Re: What security framework are you using, and why? Barton, Robert W. (Sep 17)