Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?


From: Alan <astockdale () EDC ORG>
Date: Thu, 17 Jan 2013 11:04:08 -0500

For federal contract work that is subject to FISMA, implementation of the NIST Risk Management Framework is a requirement (i.e. NIST SP800-37, NIST SP800-53 controls, etc.). There is no other option. A lot of institutions seem to carve out an enclave for that type of work as it is demanding to implement the RMF system-wide. Since 2010, when OMB started requiring the Inspectors General to assess agency oversight of contractor FISMA compliance, the security requirements in federal contract RFPs have become a lot more explicit and demanding.

UT and UC have some useful webinars on FISMA:

Federal Information Security Comes to Higher Education
http://www.utsystem.edu/compliance/SWCAcademy.html

FISMA Compliance
http://www.ucop.edu/ethics-compliance-audit-services/compliance/webinars/fisma/lib/playback.html

--
Alan Stockdale
Education Development Center
43 Foundry Avenue, Waltham, MA 02453-8313


On 1/17/2013 9:36 AM, Wright, A J (A. J.) wrote:
Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than ISO 27001. While we don’t claim to implement 100% of it (it wouldn’t be appropriate), we’re making heavy use of FIPS199, 800-37, 800-53, 800-66, etc.

I’ve had staff calling and emailing around asking this, but I figured I’d ask this list also: what is your school’s security program based on?

Thanks,
ajw
--
A. J. Wright
Chief Information Security Officer

University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637
Email: ajw () tennessee edu<mailto:ajw () tennessee edu>