Educause Security Discussion mailing list archives
Re: Security Program: NIST, ISO, other?
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Thu, 17 Jan 2013 10:21:42 -0500
Ours is based on the Information Security Forum's Standard of Good Practice for Information Security, 2007 edition, which can be mapped back to ISO 27002 and CObIT 4.1. It can be downloaded at no cost from https://www.securityforum.org/downloadresearch/downloadsogp/. Unfortunately, ISF decided not to make the 2012 edition of the Standard available for download; you have to purchase it unless your organization is a member of the Forum. Having had experience with them in the past I would love it if we were able to join, but their membership fee structure isn't really compatible with universities (i.e., it's expensive).

--Dave

--
DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011
+1 212 229-5300 x4728 • david.curry () newschool edu

On Thu, Jan 17, 2013 at 10:07 AM, Dan Sarazen <dsarazen () brandeis edu> wrote:

I know UMass's official IS Policy is based on ISO27002, but they do use the SANS top twenty to provide additional procedural guidance.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Edgmand, Craig
Sent: Thursday, January 17, 2013 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Security Program: NIST, ISO, other?

Not to plug SANS here, as I have no affiliation with them, but has anybody thought about using the SANS 20 Critical Controls?

http://www.sans.org/critical-security-controls/

I know Virginia Tech is implementing these as their guidelines and they map out to the various NIST SP800-53 controls.

Craig Edgmand
IT Security Manager
Oklahoma State University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of McLaughlin, Bryan S.
Sent: Thursday, January 17, 2013 8:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

Quinn, I am planning to map our policies to standards and regulations; if you are willing to share, I would love to see what you have developed.

Bryan McLaughlin
Information Security Officer
Creighton University
bmclaughiln () creighton edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shamblin, Quinn
Sent: Thursday, January 17, 2013 8:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

We do a combination of the various security best practices and standards. We evaluate our systems using NIST 800-53, etc., mainly because we do a lot of research for the government and they require data security and management plans based on those standards. But we run the larger program with inputs from ISO27001/2, NIST, COBIT, and even inputs from ITIL (or ISO 20000 if you prefer). We map our various policies to the standards/regulations that require that policy. I have a matrix (partially complete) that shows that mapping if you are interested.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP – O 617-358-6310 M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, A J (A. J.)
Sent: Thursday, January 17, 2013 9:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than ISO 27001. While we don't claim to implement 100% of it (it wouldn't be appropriate), we're making heavy use of FIPS199, 800-37, 800-53, 800-66, etc. I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's security program based on?

Thanks,
ajw

--
A. J. Wright
Chief Information Security Officer
University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN 37996-1717
Phone: 865-974-0637
Email: ajw () tennessee edu
Current thread:
- Security Program: NIST, ISO, other? Wright, A J (A. J.) (Jan 17)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? mccalluq (Jan 17)
- Re: Security Program: NIST, ISO, other? McLaughlin, Bryan S. (Jan 17)
- Re: Security Program: NIST, ISO, other? Edgmand, Craig (Jan 17)
- Re: Security Program: NIST, ISO, other? Dan Sarazen (Jan 17)
- Re: Security Program: NIST, ISO, other? David Curry (Jan 17)
- Re: Security Program: NIST, ISO, other? Wright, A J (A. J.) (Jan 17)
- Re: Security Program: NIST, ISO, other? Valdis Kletnieks (Jan 18)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? Lorenz, Eva (Jan 17)
- Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? Valerie Vogel (Jan 17)