Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?


From: mccalluq <mccalluq () LCC EDU>
Date: Thu, 17 Jan 2013 09:54:17 -0500

We were using ISO27001/2 and are/will be using NIST 800-53.

Thanks,

Quentin L. McCallum, CISSP, ITIL-F

Information Security Analyst

Lansing Community College

517-267-5014

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Shamblin, Quinn
Sent: Thursday, January 17, 2013 9:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

We do a combination of the various security best practices and standards. We evaluate our systems using NIST 800-53, 
etc., mainly because we do a lot of research for the government and they require data security and management plans 
based on those standards. But we run the larger program with inputs from ISO27001/2, NIST, COBIT, and even inputs from 
ITIL (or ISO 20000 if you prefer). We map our various policies to the standards/regulations that require that policy. 
I have a matrix (partially complete) that shows that mapping if you are interested.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  -  O 617-358-6310  M 617-999-7523

Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, 
A J (A. J.)
Sent: Thursday, January 17, 2013 9:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than 
ISO 27001. While we don't claim to implement 100% of it (it wouldn't be appropriate), we're making heavy use of 
FIPS 199, 800-37, 800-53, 800-66, etc.

I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's 
security program based on?

Thanks,

ajw

--

A. J. Wright 
Chief Information Security Officer

University of Tennessee - System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637

Email: ajw () tennessee edu
