Re: Integrating security in IT processes

[randy <marchany () VT EDU>]

We're using the 20 critical controls as our blueprint for our security
architecture here at VA Tech.

-Randy Marchany
VA Tech IT Security Office

On Tue, Nov 13, 2012 at 6:25 PM, McCrary, Barbara <bmccrary () osrhe edu>wrote:

>  The  SANs 20 critical controls are concise and a quick way to start
> moving forward on formalization, all the while  implementing quick fixes
> along the way.  The key controls have been incorporated into to FISMA as a
> centerpiece for government and large enterprise security programs but they
> are very scalable.  The emphasis on automation makes them even more
> effective.****
>
> ** **
>
> http://www.sans.org/critical-security-controls/****
>
> ** **
>
> Another source?  NIST, particularly, NIST National Checklist Repository
> which provides updated installation administrative, security and device
> hardening checklists for a variety of systems. Granted, you may not intend
> to harden to DoD standards, but along with the now built-in security
> automation goals and how-to guidance, you get some nice base checklists to
> use but it does take a bit more digging and effort.  ****
>
> *Barbara McCrary**
> *Chief Information Security Officer
> *MCSE, MCSE:Security, +Messaging*,* CompTia:Security+* ****
>
> *bmccrary () osrhe edu* <bmccrary () osrhe edu>****
>
> ** **
>
> Protecting data is a shared responsibility!****
>
> ** **
>
> INSTALL antivirus and antispyware software.****
>
> USE strong passwords.****
>
> KNOW who you are dealing with online.****
>
> STORE confidential and sensitive data on encrypted devices only.****
>
> SHUT DOWN home computers or disconnect from the Internet when not in use.*
> ***
>
> ** **
>
> Oklahoma State Regents for Higher Education
> 655 Research Parkway****
>
> Suite 200****
>
> Oklahoma City, OK  73104
> 405 225.9316 office
> 405 234.4321 cell
> 405 234.4588 fax ****
>
> ** **
>
> Note:  This communication and attachments, if any, are intended solely for
> the use of the addressee hereof.  In addition, this information and
> attachments, if any, may contain information that is confidential,
> privileged and exempt from disclosure under applicable law, including,
> but not limited to, the Privacy Act of 1974.  If you are not the intended
> recipient of this information, you are prohibited from reading, disclosing,
> reproducing, distributing, disseminating, or otherwise using this
> information.  If you have received this message in error, please promptly
> notify the sender and immediately, delete this communication from your
> system.****
>
> ** **
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Andy Scott
> *Sent:* Tuesday, November 13, 2012 10:57 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Integrating security in IT processes****
>
> ** **
>
> Hi,****
>
> ** **
>
> I am looking at improving the integration of information security in IT
> processes (project development, maintenance, etc.). I am interested on what
> others have successfully done to improve the integration of security.****
>
> ** **
>
> Thanks.****
>
> _________________****
>
> Andy Scott, CISSP****
>
> Information Security Officer, IT Services****
>
> British Columbia Institute of Technology****
>
> 3700 Willingdon Ave, Burnaby, BC, V5G 3H2****
>
> ** **
>
> Tel: 604-432-8683  Mobile: 778-928-2444****
>
> Email: andy_scott () bcit ca  Web: bcit.ca/its/security****
>
> ** **