Educause Security Discussion mailing list archives

Re: security management techniques


From: "Wright, A J (A. J.)" <ajw () TENNESSEE EDU>
Date: Thu, 14 Jun 2012 16:44:47 +0000

We're using NIST SP800, and have been pretty happy with it.

- It's got a good control catalog (800-53) with good audit instructions (800-53a).
- There are grants that are asking for it (or its related sibling: FISMA.)
- It has good risk management (800-37.)
- It has the right price (free.)
- It has documentation with guidance on many special topics in the area.
- It's simple enough to explain with PLENTY (wow) of documentation to back it up.

My biggest complaint is that it (and FIPS 199) doesn't offer clarification on absolute vs. relative control levels. Just because a service is "high confidentiality" for my institution does not mean we're going to apply military-grade confidentiality controls.

If others are using NIST, I'd love to hear how it's going and trade practices.
ajw
--
A. J. Wright 
Chief Information Security Officer
University of Tennessee

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Pirolo
Sent: Thursday, June 14, 2012 12:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security management techniques

Just wondering if any other schools have standardized on any of these security management techniques: ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc.

If so, I'd be interested in your feedback of such. Unless I'm grossly missing something, it seems like one has to pay to get the ISO standards from ISO.org/ANSI. That doesn't make sense...

-David
