Educause Security Discussion mailing list archives

Re: security management techniques


From: "Wright, A J (A. J.)" <ajw () TENNESSEE EDU>
Date: Thu, 14 Jun 2012 17:08:04 +0000

NIST doesn't include any specific HIPAA/PCI/FERPA compliance requirements.  My experience is that the compliance 
requirements fit well into the program as existing or supplemental controls.

Oversimplified: if you classify your assets correctly, and apply the controls appropriately, you get compliance "for 
free."
ajw

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan 
Sarazen
Sent: Thursday, June 14, 2012 1:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security management techniques

Hi A.J.,

Quick question: Are you using this same standard for your health center? I was under the impression that NIST didn't 
include the HIPAA requirements, but I'm willing to be wrong.

Thanks,
Dan

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, 
A J (A. J.)
Sent: Thursday, June 14, 2012 12:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: security management techniques

We're using NIST SP800, and have been pretty happy with it.

- It's got a good control catalog (800-53) with good audit instructions (800-53a.)
- There are grants that are asking for it (or its related sibling: FISMA.)
- It has good risk management (800-37.)
- It has the right price (free.)
- It has documentation with guidance on many special topics in the area.
- It's simple enough to explain with PLENTY (wow) of documentation to back it up.

My biggest complaint is that it (and FIPS199) doesn't offer clarification on absolute vs. relative control levels.  
Just because a service is "high confidentiality" for my institution, does not mean we're going to apply military-grade 
confidentiality controls.

If others are using NIST, I'd love to hear how it's going and trade practices.
ajw
--
A. J. Wright
Chief Information Security Officer
University of Tennessee

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
Pirolo
Sent: Thursday, June 14, 2012 12:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security management techniques

Just wondering if any other schools have standardized on any of these security management techniques.
ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc.

If so, I'd be interested in your feedback of such.  Unless I'm grossly missing something, it seems like one has to pay 
to get the ISO standards from ISO.org/ANSI.  That doesn't make sense...

-David
