Educause Security Discussion mailing list archives

Re: What security framework are you using, and why?

From: "Foss, Henry L." <fossh () SACREDHEART EDU>
Date: Fri, 17 Sep 2021 19:56:06 +0000

Hi Vince,

Great question and thanks for putting it out there.

We are focusing on the 18 CIS Controls. Here's a link<https://www.cisecurity.org/controls/cis-controls-list/> that 
gives you the list and access to download workbooks.

We decided on CIS because the standards are reviewed regularly, and specifically focuses on IT Security. Plus it's an 
international organization (vs. NIST which is only U.S.), and it is not restricted to gov't standards (like NIST is).

We have a lot of respect for NIST but find CIS to be much more detailed and actionable for our environment.



Thank you

Hank Foss
Manager of Security Infrastructure CISSP, GPEN, CCNA
Sacred Heart University
West Campus WCW*W3I302
Office: (203) 396-8279
Mobile: (203) 295-1356
[cid:image001.png@01D7ABDB.E59B32A0]



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Vince Bonura
Sent: Friday, September 17, 2021 2:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] What security framework are you using, and why?

Hello again!

With the vast list of security frameworks to choose from, ISO/IEC 27000, COBIT 5, NIST SP 800-53, ITIL to name a few,  
I have been tasked to find the best one to use for our institution.  I thought it might be a good idea to see what 
other institutions are using and why.

I would be interested in knowing if you have a case study or a weblink that explains the reasoning for your selection.

We have tried a number over the last 15 years and while we thought NIST 800-53 was the right choice, we find that it 
doesn't accurately align with our school. Last year a consultant firm we hired for a NIST 800-171 gap assessment, 
recommended NIST CSF.

So, we're working through the crosswalk exercise and thought we should reach out to our higher education colleagues for 
your feedback.

Don't be shy!

Thanks in advance!

Vince Bonura

IT Risk Analyst
Fordham University
(718) 817-1875


The sender of this email is external to Sacred Heart University. Do not click any links unless you know and trust the 
sender.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Current thread:

What security framework are you using, and why? Vince Bonura (Sep 17)
- Re: What security framework are you using, and why? Barton, Robert W. (Sep 17)
  - Re: What security framework are you using, and why? Jay Gallman (Sep 17)
- Re: What security framework are you using, and why? John Virden (Sep 17)
- Re: What security framework are you using, and why? Christian Schreiber (Sep 17)
  - Re: What security framework are you using, and why? Blake Penn (Sep 17)
- Re: What security framework are you using, and why? Foss, Henry L. (Sep 17)
- Re: What security framework are you using, and why? Uday Kiran (Sep 18)