Educause Security Discussion mailing list archives

Building a Standards-Based Information Security Program


From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Fri, 6 Jun 2008 11:35:02 -0600

The Security Task Force is considering the organization of our efforts
(e.g., effective practices guide, conference program tracks, working
groups, etc.) around some categories that easily map to existing
information security standards or related frameworks (ISO 27002/17799,
NIST, COBIT, ITIL, ISC2 Common Body of Knowledge, etc.). We would like
to hear from any institutions who have built their information security
program around such a standard or framework.  We are especially
interested to learn if you have already gone to the effort to create a
matrix of the different standards or frameworks - perhaps coming up with
your own generalized categories. 

For an example of similar mappings, see:

        Appendix G of NIST Special Publication 800-53, Security Control
Mappings:  Relationship of Security Controls to Other Standards and
Control Sets:
http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf

        Virginia Alliance for Secure Computing And Networking (VA SCAN):
http://www.vascan.org/resources/index.html 

Therefore, I would like to request that you reply to the list (if you
have something to share that everyone would benefit from learning more
about) or contact me directly if you have built a standards-based
information security program and are willing to share your story,
including any relevant documentation or links.

Thanks,

-Rodney

--------------------------------------------------
Rodney J. Petersen, J.D.
Government Relations Officer & Security Task Force Coordinator

EDUCAUSE
1150 18th Street, N.W., Suite 1010
Washington, D.C. 20036
(202) 331-5368 / (202) 872-4200
(202) 872-4318 (FAX) 
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
-------------------------------------------------- 
