Educause Security Discussion mailing list archives

Re: security management techniques


From: Carlos Lobato <clobato () NMSU EDU>
Date: Thu, 14 Jun 2012 17:22:52 +0000

All,

At New Mexico State University we are in the process of researching this topic (ISO 17799 / 27001, COBIT, NIST, ENISA, 
OASIS, OWASP, etc.) and I am leaning towards ISO 27001 & 27002.  Not too long ago I reviewed the free resources 
including COBIT 5 and I just bought this past week the ISO standards 27001 & 27002 for $407.00.

Based on what I have seen so far, I think that we will go with the ISO standards.

Carlos S. Lobato, CISA, CIA
IT Compliance Officer

New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM  88003-8001

Phone: 575-646-5902
Fax: 575-646-5278

Email: clobato () nmsu edu


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan 
Sarazen
Sent: Thursday, June 14, 2012 10:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security management techniques

The University of Massachusetts has adopted ISO 27002 as its official IS Policy, and is mapping out its controls and 
documentation accordingly... and it's all (much of it anyway) available on their website.

Full disclosure: I was their IT Auditor for four+ years and helped work on the policy.

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shawn 
Kohrman
Sent: Thursday, June 14, 2012 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security management techniques

Since we are starting to build our program here, we are looking at COBIT, ISO 27001, and NIST for possible 
implementation.

In reviewing them, I think we're most likely to move towards the ISO 27001 series.  However, we're still investigating.

Shawn

-----
Shawn A. Kohrman, Security Architect
Azusa Pacific University
Information & Media Technology
901 E. Alosta Ave., PO Box 7000
Azusa, CA 91702-7000

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan 
Sarazen
Sent: Thursday, June 14, 2012 11:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security management techniques

Hi A.J.,

Quick question: Are you using this same standard for your health center? I was under the impression that NIST didn't 
include the HIPAA requirements, but I'm willing to be wrong.

Thanks,
Dan

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, 
A J (A. J.)
Sent: Thursday, June 14, 2012 12:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: security management techniques

We're using NIST SP800, and have been pretty happy with it.

- It's got a good control catalog (800-53) with good audit instructions
(800-53a.)
- There are grants that are asking for it (or its related sibling: FISMA.)
- It has good risk management (800-37.)
- It has the right price (free.)
- It has documentation with guidance on many special topics in the area.
- It's simple enough to explain with PLENTY (wow) of documentation to back it up.

My biggest complaint is that it (and FIPS199) doesn't offer clarification on absolute vs. relative control levels.  
Just because a service is "high confidentiality" for my institution, does not mean we're going to apply military-grade 
confidentiality controls.

If others are using NIST, I'd love to hear how it's going and trade practices.
ajw
--
A. J. Wright
Chief Information Security Officer
University of Tennessee

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
Pirolo
Sent: Thursday, June 14, 2012 12:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security management techniques

Just wondering if any other schools have standardized on any of these security management techniques.
ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc.

If so, I'd be interested in your feedback of such.  Unless I'm grossly missing something, it seems like one has to pay 
to get the ISO standards from ISO.org/ANSI.  That doesn't make sense...

-David
