Educause Security Discussion mailing list archives

Re: *EXT* Re: [SECURITY] Security Frameworks


From: Velislav K Pavlov <VelislavPavlov () FERRIS EDU>
Date: Tue, 21 Nov 2017 16:34:11 +0000

+1 for the ISO27001/27002 and CIS CSC Top 20. ISO has a mapping/crosswalk to any known security standard and 
regulation. With PCI DSS, HIPAA, GLBA, GDPR, NIST 800-171, FISMA, LEIN, you name it, our IT ops feel they are in 
constant remediation and adding to the risk register. ISO provides a common denominator that helps to focus on 
strategic objectives, not just putting out fires.

Vel Pavlov | Coordinator, IT Security
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE,
Security+, CNA, MPCS, ITILv3F, A+



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Snook, Allen
Sent: Tuesday, November 21, 2017 8:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: *EXT* Re: [SECURITY] Security Frameworks

Thanks so much, this is great information.


Regards,

Allen A. Snook
ITS Security Analyst

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy
Sent: Monday, November 20, 2017 6:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Frameworks


We use ISO 27000 as our high-level security strategy. We're using the 20 Critical Security Controls 
(https://www.cisecurity.org/controls/) as the operational plan for achieving the ISO control areas. I've attached a 
spreadsheet that maps the 20 controls to ISO 27000, NIST 800-53, and a whole bunch of other national and international 
standards. That spreadsheet and 2 others on the Critical Controls are at 
http://www.auditscripts.com/free-resources/critical-security-controls/.
Hope this helps.
-Randy Marchany
VA Tech IT Security Office and Lab

On Mon, Nov 20, 2017 at 4:09 PM, Snook, Allen <asnook () messiah edu> wrote:
Fellow security minded colleagues,

With the vast list of security frameworks to choose from, ISO/IEC 27000, COBIT 5, NIST SP 800-53, ITIL to name a few, 
I have been tasked to find the best one to use for our institution. I thought it might be a good idea to see what 
other institutions are using and why.

I am leaning toward the ISO/IEC 27000 series because of federal grants and PCI requirements. Thoughts?

Regards,

Allen A. Snook
ITS Security Analyst
One College Avenue Suite 3055
Mechanicsburg PA 17055
Tel: (717) 796-5300 x6790
Fax: (717) 796-5246
Cell: (717) 439-0025



