Educause Security Discussion mailing list archives

Re: security management techniques


From: David Pirolo <webmaster () WARNERPACIFIC EDU>
Date: Mon, 18 Jun 2012 13:59:12 -0700

Thank you all for the great feedback.  From what I understand about the
27000 series, it tends to emphasize the business continuity and disaster
recovery, but is a bit less stringent on encryption and human resources.
To be fair, I haven't actually seen the standards to make that judgment
myself; it's just what I have read.

If you are using the 27000 series for your overarching plan, how are you
adjusting for potential discrepancies?

-David

On Mon, 2012-06-18 at 20:31 +0000, Doug Markiewicz wrote:
At Carnegie Mellon we leverage ISO, NIST, COBIT and others at different
times for different reasons. More recently we have been looking at the
Resiliency Management Model, which is a model for operational process
improvement that brings together information security, business continuity
and IT operations to help organizations achieve operational resilience.
It's not a security management framework, but it's worth a look.

http://www.cert.org/resilience/rmm.html

I thought I'd correct my previous statement about the Resiliency Management Model being used as a security management 
framework. What I should have said is that it's not a prescriptive code of practice like ISO 27002 and NIST 800-53, 
but it could certainly be used as a security management framework. There is a crosswalk to ISO 27002, COBIT, PCI DSS 
and other standards available as well. Didn't want to misrepresent things.
