Educause Security Discussion mailing list archives

Re: NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1


From: "TAMMY L. CLARK" <TClark () UT EDU>
Date: Thu, 13 Feb 2014 17:33:31 +0000

I think the new NIST Framework is an improvement over previous guidance provided and certainly, critical infrastructure 
protection is paramount in view of all the breaches happening lately across multiple sectors.

Any good framework is an 'umbrella' that you can use as an overall planning and guidance mechanism.  ISO/IEC 27001:2013 
is also a great international framework to use in developing a comprehensive approach to developing information 
security programs (ISO 27001 is mapped against this framework as well as NIST 800-53, COBIT 5 and others).

It's never a 'one size fits all' approach when it comes to selecting frameworks and industry standards/guidelines.  I 
would advocate using what aligns best with your institution's strategic plans, information security and IT strategic 
goals and objectives... risk based and takes into account 'people, process, and technology'... you still have choices 
in this regard.

Tammy L. Clark, CISSP, CISM, CISA, CRISC, PCIP, PMP
Chief Information Security Officer
The University of Tampa
East Walker Hall 133
401 W. Kennedy Blvd. | Box 1F
Tampa, FL 33606
Phone:  813.257.7522 | Fax:  813.257.8800

Office of Information Security (OIS)
East Walker Hall 127
Email:  infosec () ut edu
Phone:  813.257.3950 | Fax:  813.257.8800
www.ut.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carlos Lobato
Sent: Thursday, February 13, 2014 10:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1


All,

NIST has just released its first Framework for Improving Critical Infrastructure Cybersecurity v1.  
http://www.nist.gov/cyberframework/index.cfm

The Framework takes a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework 
Core, the Framework Implementation Tiers, and the Framework Profiles.

The Framework Implementation Tiers section will give you a quick ruler to determine at a high level where you are and 
as you will see, it requires formality when it comes to policies, procedures and risk assessments.

In addition, all federal data privacy regulations (FERPA, HIPAA, GLBA, RFR, FISMA) including PCI now reference NIST 
standards.  Overall, as far as assuring IT compliance, the NIST framework is the way to go.

Carlos,

Carlos S. Lobato, CISA, CIA, CISSP
IT Compliance Officer

New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM  88003-8001

Phone: 575-646-5902
Fax: 575-646-5278

Email: clobato () nmsu edu
IT Compliance at NMSU - http://compliance.ict.nmsu.edu/
