Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?

From: Steven Alexander <alexander.s () MCCD EDU>
Date: Thu, 17 Jan 2013 23:56:25 +0000

I think your QSA has no clue what he's talking about; sorry.

The 12 PCI DSS requirements are not meant to be applied that way and several of them refer specifically to cardholder 
data.  In addition to that, I just don't think the detailed requirements are very good.  You should just make sure the 
PCI requirements are addressed as part of a more comprehensive security program.

Steven Alexander Jr.
Online Education Systems Manager
Merced College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Christopher Jones
Sent: Thursday, January 17, 2013 8:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?

When we were conducting a gap analysis for PCI-DSS, our QSA recommended that we adopt the 12 PCI standards as our 
overriding security policy.  Has anyone had similar advice or considered doing this?

Christopher Jones
IT Security Analyst
University of the Fraser Valley
Christopher.Jones () ufv ca<mailto:Christopher.Jones () ufv ca>


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright, 
A J (A. J.)
Sent: Thursday, January 17, 2013 6:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than 
ISO 27001.  While we don't claim to implement 100% of it (it wouldn't be appropriate,) we're making heavy use of 
FIPS199, 800-37, 800-53, 800-66, etc.

I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's 
security program based on?

Thanks,
ajw
--
A. J. Wright
Chief Information Security Officer

University of Tennessee - System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637
Email: ajw () tennessee edu<mailto:ajw () tennessee edu>


This email has been scanned by a Spam/Virus Firewall. If your email has been classified as Spam please contact the 
HelpDesk at (209) 384-6180.

Current thread:

Re: Security Program: NIST, ISO, other?, (continued)
- - - Re: Security Program: NIST, ISO, other? David Curry (Jan 17)
    - Re: Security Program: NIST, ISO, other? Wright, A J (A. J.) (Jan 17)
    - Re: Security Program: NIST, ISO, other? Valdis Kletnieks (Jan 18)
    - Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
- Re: Security Program: NIST, ISO, other? Dan Sarazen (Jan 17)
- Re: Security Program: NIST, ISO, other? Alan (Jan 17)
- Re: Security Program: NIST, ISO, other? Christopher Jones (Jan 17)
  - Re: Security Program: NIST, ISO, other? Lorenz, Eva (Jan 17)
    - Re: Security Program: NIST, ISO, other? Shamblin, Quinn (Jan 17)
    - Re: Security Program: NIST, ISO, other? Valerie Vogel (Jan 17)
  - Re: Security Program: NIST, ISO, other? Steven Alexander (Jan 17)
    - Re: Security Program: NIST, ISO, other? Dan Sarazen (Jan 17)
  - Re: Security Program: NIST, ISO, other? Blake Penn (Jan 18)
- Re: Security Program: NIST, ISO, other? Stephen C. Gay (Jan 17)
- Re: Security Program: NIST, ISO, other? Davis, Thomas R (Jan 18)
- Re: Security Program: NIST, ISO, other? Payne, Shirley (scp8b) (Jan 18)