Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?


From: "Shamblin, Quinn" <qrs () BU EDU>
Date: Thu, 17 Jan 2013 14:44:46 +0000

We do a combination of the various security best practices and standards.  We evaluate our systems using NIST 800-53, 
etc. mainly because we do a lot of research for the government and they require data security and management plans 
based on those standards.  But we run the larger program with inputs from ISO27001/2, NIST, COBIT, and even inputs from 
ITIL (or ISO 20000 if you prefer).  We map our various policies to the standards/regulations that require that policy.  
I have a matrix (partially complete) that shows that mapping if you are interested.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  -  O 617-358-6310  M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, A J (A. J.)
Sent: Thursday, January 17, 2013 9:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than 
ISO 27001.  While we don't claim to implement 100% of it (it wouldn't be appropriate), we're making heavy use of 
FIPS199, 800-37, 800-53, 800-66, etc.

I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's 
security program based on?

Thanks,
ajw
--
A. J. Wright
Chief Information Security Officer

University of Tennessee - System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637
Email: ajw () tennessee edu
