Educause Security Discussion mailing list archives
Re: Security Program: NIST, ISO, other?
From: mccalluq <mccalluq () LCC EDU>
Date: Thu, 17 Jan 2013 09:54:17 -0500
We were using ISO27001/2 and are/will be using NIST 800-53. Thanks, Quentin L. McCallum, CISSP, ITIL-F Information Security Analyst Lansing Community College 517-267-5014 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shamblin, Quinn Sent: Thursday, January 17, 2013 9:45 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Security Program: NIST, ISO, other? We do a combination of the various security best practices and standards. We evaluate our systems using NIST 800-53, etc. mainly because we do a lot of research for the government and they require data security and management plans based on those standards. But we run the larger program with inputs from ISO27001/2, NIST, COBIT, and even inputs from ITIL (or ISO 20000 if you prefer). We map our various policies to the standards/regulations that require that policy. I have a matrix (partially complete) that shows that mapping if you are interested. Quinn R Shamblin ------------------------------------------------------------------------------------------------ Executive Director of Information Security, Boston University CISM, CISSP, GCFA, PMP - O 617-358-6310 M 617-999-7523 Contact me securely: https://securecontact.me/qrs () bu edu <https://securecontact.me/qrs () bu edu> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, A J (A. J.) Sent: Thursday, January 17, 2013 9:37 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Security Program: NIST, ISO, other? Hello all, At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than ISO 27001. While we don't claim to implement 100% of it (it wouldn't be appropriate,) we're making heavy use of FIPS199, 800-37, 800-53, 800-66, etc. I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's security program based on? Thanks, ajw -- A. J. Wright Chief Information Security Officer University of Tennessee - System Administration 2309 Kingston Pike, Suite 131C Knoxville, TN 37996-1717 Phone: 865-974-0637 Email: ajw () tennessee edu <mailto:ajw () tennessee edu>
Current thread:
- Security Program: NIST, ISO, other? Wright, A J (A. J.) (Jan 17)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? mccalluq (Jan 17)
- Re: Security Program: NIST, ISO, other? McLaughlin, Bryan S. (Jan 17)
- Re: Security Program: NIST, ISO, other? Edgmand, Craig (Jan 17)
- Re: Security Program: NIST, ISO, other? Dan Sarazen (Jan 17)
- Re: Security Program: NIST, ISO, other? David Curry (Jan 17)
- Re: Security Program: NIST, ISO, other? Wright, A J (A. J.) (Jan 17)
- Re: Security Program: NIST, ISO, other? Valdis Kletnieks (Jan 18)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)