Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?


From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Thu, 17 Jan 2013 18:26:22 +0000

The Information Security Guide (http://www.educause.edu/security/guide) - developed by
members of the EDUCAUSE & Internet2 Higher Education Information Security Council (HEISC) - is based on the ISO standard
and each chapter focuses on an ISO topic like Risk Management, Security Policy, Organization of Information Security,
etc.

Each chapter provides an overview describing the general intent of the ISO topic, as well as a cross-reference to other 
common standards used in higher education (other relevant ISO standards, NIST, COBIT, and PCI DSS). The Risk Management 
chapter illustrates this nicely: https://wiki.internet2.edu/confluence/display/itsg2/Risk+Management+%28ISO+4%29

Each page of the guide also provides a link to the Symantec IT Controls Reference chart, which provides a comparison of 
ISO, COBIT, HIPAA, GLBA, and several other standards. http://net.educause.edu/ir/library/pdf/CSD5876.pdf

Thank you,
Valerie

Valerie Vogel Program Manager

EDUCAUSE (http://www.educause.edu/)
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | educause.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Shamblin, Quinn
Sent: Thursday, January 17, 2013 9:12 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

I would tend to agree with Eva on that point.  That may be a great starting point for financial firms or businesses that
have transactions at the core of what they do (retail, etc.), but it is not a good fit for the overall program at an
educational institution.  It is far too costly, restrictive and far reaching for edu.  It does however provide a good
list of things to consider as part of the overall program, but certainly not broad/blind adoption.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  -  O 617-358-6310  M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lorenz, 
Eva
Sent: Thursday, January 17, 2013 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

We already had a comprehensive IS policy in place that was modeled after ISO 27001/2, but our QSA never mentioned that
an industry standard such as PCI DSS would be a good model for a university IS policy.
Personally, if you have nothing to start with, I suppose using PCI DSS is a start, but I would be hesitant to model a
general IS policy for a higher education institution after a rather narrowly defined set of industry security standards.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Christopher Jones
Sent: Thursday, January 17, 2013 11:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

When we were conducting a gap analysis for PCI-DSS, our QSA recommended that we adopt the 12 PCI standards as our 
overriding security policy.  Has anyone had similar advice or considered doing this?

Christopher Jones
IT Security Analyst
University of the Fraser Valley
Christopher.Jones () ufv ca


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, 
A J (A. J.)
Sent: Thursday, January 17, 2013 6:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than
ISO 27001.  While we don't claim to implement 100% of it (it wouldn't be appropriate), we're making heavy use of
FIPS 199, 800-37, 800-53, 800-66, etc.

I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's 
security program based on?

Thanks,
ajw
--
A. J. Wright
Chief Information Security Officer

University of Tennessee - System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637
Email: ajw () tennessee edu