Educause Security Discussion mailing list archives
Re: Security Program: NIST, ISO, other?
From: Dan Sarazen <dsarazen () BRANDEIS EDU>
Date: Thu, 17 Jan 2013 10:07:34 -0500
I know UMass's official IS Policy is based on ISO27002, but they do use the SANS top twenty to provide additional procedural guidance.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Edgmand, Craig
Sent: Thursday, January 17, 2013 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Security Program: NIST, ISO, other?

Not to plug SANS here, as I have no affiliation with them, but has anybody thought about using the SANS 20 Critical Controls?

http://www.sans.org/critical-security-controls/

I know Virginia Tech is implementing these as their guidelines and they map out to the various NIST SP800-53 controls.

Craig Edgmand
IT Security Manager
Oklahoma State University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of McLaughlin, Bryan S.
Sent: Thursday, January 17, 2013 8:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

Quinn,

I am planning to map our policies to standards and regulations; if you are willing to share, I would love to see what you have developed.

Bryan McLaughlin
Information Security Officer
Creighton University
bmclaughiln () creighton edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shamblin, Quinn
Sent: Thursday, January 17, 2013 8:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

We do a combination of the various security best practices and standards. We evaluate our systems using NIST 800-53, etc., mainly because we do a lot of research for the government and they require data security and management plans based on those standards. But we run the larger program with inputs from ISO27001/2, NIST, COBIT, and even inputs from ITIL (or ISO 20000 if you prefer). We map our various policies to the standards/regulations that require that policy. I have a matrix (partially complete) that shows that mapping if you are interested.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP – O 617-358-6310 M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, A J (A. J.)
Sent: Thursday, January 17, 2013 9:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than ISO 27001. While we don't claim to implement 100% of it (it wouldn't be appropriate), we're making heavy use of FIPS 199, 800-37, 800-53, 800-66, etc. I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's security program based on?

Thanks,
ajw

--
A. J. Wright
Chief Information Security Officer
University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN 37996-1717
Phone: 865-974-0637
Email: ajw () tennessee edu
Current thread:
- Security Program: NIST, ISO, other? Wright, A J (A. J.) (Jan 17)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? mccalluq (Jan 17)
- Re: Security Program: NIST, ISO, other? McLaughlin, Bryan S. (Jan 17)
- Re: Security Program: NIST, ISO, other? Edgmand, Craig (Jan 17)
- Re: Security Program: NIST, ISO, other? Dan Sarazen (Jan 17)
- Re: Security Program: NIST, ISO, other? David Curry (Jan 17)
- Re: Security Program: NIST, ISO, other? Wright, A J (A. J.) (Jan 17)
- Re: Security Program: NIST, ISO, other? Valdis Kletnieks (Jan 18)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? Lorenz, Eva (Jan 17)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? Valerie Vogel (Jan 17)