Educause Security Discussion mailing list archives

Re: CIS Controls


From: Sunil Singh <spsfirst () HOTMAIL COM>
Date: Sat, 3 Mar 2018 14:38:10 +0000

Hi Cyndie,


We at Iowa State have started keeping our list of approved software.  In 2017 we in IT Services started working with 
procurement to vet all requests and renewals for software purchases. For large purchases we request our Vendor form, which 
has the question you have asked, to be filled in, plus we look at SOC2 Type 2. As part of the assessment, our effort is to 
have "Moderate" classified data handling software hosted in the US.

This is part of our long-term planning to have a Configuration Management Database. All requests for vetting are 
submitted through our change management system and recorded in Jira.


Sunil Singh


Director

Iowa State University


________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Cyndie Holmes 
<cholmes () TXSTATE EDU>
Sent: Thursday, March 1, 2018 4:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] CIS Controls

Has your institution implemented the top 5 CIS Controls?

If so, which ones? I'm particularly interested in Control 2, An Inventory of Software.

If your institution maintains a software inventory, are you tracking whether the software is provided by an external 
vendor (hosted or cloud)?

Thanks
Cyndie Holmes
Sr. IT Auditor
Texas State University
