Educause Security Discussion mailing list archives
Re: security management techniques
From: Dan Sarazen <dsarazen () BRANDEIS EDU>
Date: Thu, 14 Jun 2012 12:57:02 -0400
The University of Massachusetts has adopted ISO27002 as its official IS Policy, and is mapping out its controls and documentation accordingly... and it's all (much of it anyway) available on their website. Full disclosure: I was their IT Auditor for four+ years and helped work on the policy.

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stephen C. Gay
Sent: Thursday, June 14, 2012 12:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: security management techniques

David,

When founded in 2006, we designed our program at Kennesaw State University around NIST's 800-53 classes (technical, operational, and managerial). All projects were mapped into these categories and it was easy to communicate to a technical / InfoSec audience. Even so, we found the classes did not lend themselves to mapping into the mission of the organization or to proactive safeguards. We transitioned our program over to the ISO 27001 framework in 2011 and it has provided a more complete picture of our information security program. We did pay for the documents (the cost is fairly reasonable), but you may want to start with the numerous Educause presentations regarding the framework. They will give you the general idea and touch on advantages / disadvantages.

Stephen C Gay CISSP CISA
ITS Associate Director - Information Security Office
KSU Information Security Officer
Kennesaw State University
sgay () kennesaw edu

----- Original Message -----
From: "David Pirolo" <webmaster () WARNERPACIFIC EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Thursday, June 14, 2012 12:09:57 AM
Subject: [SECURITY] security management techniques

Just wondering if any other schools have standardized on any of these security management techniques: ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc. If so, I'd be interested in your feedback on them. Unless I'm grossly missing something, it seems like one has to pay to get the ISO standards from ISO.org/ANSI. That doesn't make sense...

-David
Current thread:
- Nginx vs. Apache2 for web service Aaron Hockett (Jun 12)
- Re: Nginx vs. Apache2 for web service John Ladwig (Jun 12)
- security management techniques David Pirolo (Jun 14)
- Re: security management techniques Stephen C. Gay (Jun 14)
- Re: security management techniques Dan Sarazen (Jun 14)
- Re: security management techniques Wright, A J (A. J.) (Jun 14)
- Re: security management techniques Dan Sarazen (Jun 14)
- Re: security management techniques Wright, A J (A. J.) (Jun 14)
- Re: security management techniques Carlos Lobato (Jun 14)
- Re: security management techniques Shawn Kohrman (Jun 14)
- Re: security management techniques Tammy Lynn Clark (Jun 14)
- Re: security management techniques David Pirolo (Jun 14)
- Re: security management techniques Carson, Larry (Jun 14)
- Re: security management techniques Louis Arminio (Jun 15)
- Re: security management techniques Kalal, Robert (Bob) (Jun 15)