Educause Security Discussion mailing list archives
Re: NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1
From: "TAMMY L. CLARK" <TClark () UT EDU>
Date: Thu, 13 Feb 2014 17:33:31 +0000
I think the new NIST Framework is an improvement over previous guidance provided and certainly, critical infrastructure protection is paramount in view of all the breaches happening lately across multiple sectors. Any good framework is an 'umbrella' that you can use as an overall planning and guidance mechanism. ISO/IEC 27001:2013 is also a great international framework to use in developing a comprehensive approach to developing information security programs (ISO 27001 is mapped against this framework as well as NIST 800-53, COBIT 5 and others). It's never a 'one size fits all' approach when it comes to selecting frameworks and industry standards/guidelines. I would advocate using what aligns best with your institution's strategic plans, information security and IT strategic goals and objectives... risk based and takes into account 'people, process, and technology'... you still have choices in this regard.

Tammy L. Clark, CISSP, CISM, CISA, CRISC, PCIP, PMP
Chief Information Security Officer
The University of Tampa
East Walker Hall 133
401 W. Kennedy Blvd. | Box 1F
Tampa, FL 33606
Phone: 813.257.7522 | Fax: 813.257.8800

Office of Information Security (OIS)
East Walker Hall 127
Email: infosec () ut edu
Phone: 813.257.3950 | Fax: 813.257.8800
www.ut.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carlos Lobato
Sent: Thursday, February 13, 2014 10:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1

All,

NIST has just released its first Framework for Improving Critical Infrastructure Cybersecurity v1.
http://www.nist.gov/cyberframework/index.cfm

The Framework takes a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.

The Framework Implementation Tiers section will give you a quick ruler to determine at a high level where you are and, as you will see, it requires formality when it comes to policies, procedures and risk assessments. In addition, all federal data privacy regulations (FERPA, HIPAA, GLBA, RFR, FISMA) including PCI now reference NIST standards. Overall, as far as assuring IT compliance, the NIST framework is the way to go.

Carlos,

Carlos S. Lobato, CISA, CIA, CISSP
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003-8001
Phone: 575-646-5902
Fax: 575-646-5278
Email: clobato () nmsu edu
IT Compliance at NMSU - http://compliance.ict.nmsu.edu/