Educause Security Discussion mailing list archives

Re: ISO 27000


From: "Lorenz, Eva" <evalorenz () UNC EDU>
Date: Tue, 19 Jan 2010 08:20:56 -0500

Hugh,
Thanks for the matrix. It is very helpful to see how other institutions tackle ISO27001.
I see that you mention configuration management as well as retention as being in various stages of completion. How would you classify your institution's status regarding ITIL? Also, would you describe your institution as being highly federated or having a more centralized nature?
I believe that these factors may determine how ISO27001 can be implemented and at what pace.
Feel free to contact me offline at evalorenz () unc edu to discuss further.
Thanks - Eva

Eva Lorenz
ITS Security
2800 ITS Manning
211 Manning Dr
CB3420
Chapel Hill NC 27599

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hugh 
Burley
Sent: Monday, January 18, 2010 2:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ISO 27000

Leilani,

I have tried to incorporate ISO 27001 into a three-year strategic plan for building the University's Information Security program.  I am now in the third year of that plan. One of the issues with this standard, PCI-DSS and our Information Security Assessments, is having a method of measuring and tracking the effective implementation of each component or recommendation.  A second and perhaps as important issue is trying to convey this information to our executive in a meaningful manner.

I have tried to overlay the CoBiT 4.1 Capability Maturity Model as a scoring tool for each component, with a goal of achieving an overall rating of 4 by the end of this third year.  See the attached pdf.

I am very interested in feedback on this methodology either on or off list.

Thanks and regards,



Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator
Information Security
BCCOL - 222D
250-852-6351


Leilani Lauger <llauger () LUC EDU> 14/01/2010 12:42 pm >>>
We are trying to gather information about how our peers are using the ISO 27000 standards.  Is anyone using the standards to formally evaluate a security program or as a framework for building a new program?  Are they being used as a complete body of work or to inform individual aspects of a security program?

We appreciate any feedback.

Thank you,

Leilani Lauger
Information Security Officer
Loyola University Chicago
773.508.6086
llauger () luc edu
