Educause Security Discussion mailing list archives

Re: security management techniques


From: Doug Markiewicz <doug () CMU EDU>
Date: Mon, 18 Jun 2012 13:36:48 +0000

My own opinion is that all of these frameworks have their advantages and disadvantages. How and what you choose should 
be somewhat dependent upon what you're trying to accomplish. 

The HEISC has formed a project team to build an information security program benchmarking tool, building on previous 
work done around the information security governance assessment tool (link below). The project team is still chartering 
its work, but early indications are that the tool will standardize around ISO 27000 series with some crosswalking of 
other standards and regulations where appropriate. The intent is to build a tool off of existing standards that will 
allow academic institutions to benchmark the maturity of their security programs. More to come on that as the work 
progresses.

http://net.educause.edu/ir/library/pdf/SEC0421.pdf

At Carnegie Mellon we leverage ISO, NIST, COBIT and others at different times for different reasons. More recently we 
have been looking at the Resiliency Management Model, which is a model for operational process improvement that brings 
together information security, business continuity and IT operations to help organizations achieve operational 
resilience. It's not a security management framework, but it's worth a look. 

http://www.cert.org/resilience/rmm.html

Don't even get me started on licensing for ISO standards, membership fees associated with ITGI resources, the more 
recent move to licensing of the Shared Assessments framework, etc. Grrr...  >:-|


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Pirolo
Sent: Thursday, June 14, 2012 12:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security management techniques

Just wondering if any other schools have standardized on any of these
security management techniques.
ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc.

If so, I'd be interested in your feedback of such.  Unless I'm grossly
missing something, it seems like one has to pay to get the ISO standards
from ISO.org/ANSI.  That doesn't make sense...

-David
