Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?


From: Dan Sarazen <dsarazen () BRANDEIS EDU>
Date: Thu, 17 Jan 2013 10:07:34 -0500

I know UMass’s official IS Policy is based on ISO27002, but they do use the
SANS top twenty to provide additional procedural guidance.



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Edgmand, Craig
*Sent:* Thursday, January 17, 2013 10:05 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: Security Program: NIST, ISO, other?



Not to plug SANS here, as I have no affiliation with them, has anybody
thought about using the SANS 20 Critical Controls?



http://www.sans.org/critical-security-controls/



I know Virginia Tech is implementing these as their guidelines and they map
out to the various NIST SP800-53 controls.



Craig Edgmand

IT Security Manager

Oklahoma State University



*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *McLaughlin, Bryan S.
*Sent:* Thursday, January 17, 2013 8:57 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Security Program: NIST, ISO, other?



Quinn, I am planning to map our policies to standards and regulations, if
you are willing to share I would love to see what you have developed.



Bryan McLaughlin

Information Security Officer

Creighton University

bmclaughiln () creighton edu



*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *Shamblin, Quinn
*Sent:* Thursday, January 17, 2013 8:45 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Security Program: NIST, ISO, other?



We do a combination of the various security best practices and standards.
We evaluate our systems using NIST 800-53, etc. mainly because we do a lot
of research for the government and they require data security and
management plans based on those standards.  But we run the larger program
with inputs from ISO27001/2, NIST, COBIT, and even inputs from ITIL (or ISO
20000 if you prefer).  We map our various policies to the
standards/regulations that require that policy.  I have a matrix (partially
complete) that shows that mapping if you are interested.



Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  –  O 617-358-6310  M 617-999-7523

*Contact me securely: **https://securecontact.me/qrs () bu edu***



*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *Wright, A J (A. J.)
*Sent:* Thursday, January 17, 2013 9:37 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Security Program: NIST, ISO, other?



Hello all,



At the University of Tennessee, our security program is based on the NIST
800 Series special publications rather than ISO 27001.  While we don’t
claim to implement 100% of it (it wouldn’t be appropriate,) we’re making
heavy use of FIPS199, 800-37, 800-53, 800-66, etc.



I’ve had staff calling and emailing around asking this, but I figured I’d
ask this list also: what is your school’s security program based on?



Thanks,

ajw

--

*A. J. Wright
*Chief Information Security Officer



University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637

Email: ajw () tennessee edu
