Educause Security Discussion mailing list archives
Re: [External Sender] Re: [SECURITY] CIS vs NIST
From: "Davis, Chris" <CDavis () LOURDES EDU>
Date: Mon, 30 Apr 2018 14:10:12 +0000
Thanks for the clarification. I was thinking the same about CIS vs NIST, but it is good to hear someone with experience in infosec thinking the same way.

Chris

Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu

CyberAware – Be aware. Stay Secure. Lourdes University will never ask you to send sensitive information through unsecure channels. Report any message that asks you to provide or confirm personal information such as credit card and/or bank account numbers, Social Security numbers, passwords, etc. or any other suspicious activity to infosec () lourdes edu. For more information please visit http://lourdes.edu/cyberaware.

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Nicklaus Giacobe <nxg13 () IST PSU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, April 30, 2018 at 10:05 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [External Sender] Re: [SECURITY] CIS vs NIST

Whoops – my bad – I just re-read your email and you’re talking about the operational side, not the educational side of your organization.

Yes, I think the CIS CSCs are probably more digestible and a good place to start. However, you should consider the higher level policy and process recommendations of NIST – but like I said previously, they are more process oriented, rather than things you can more easily perform. If you start doing the things in the CSCs – no one will fault you. If you start with the NIST guidelines, you’ll be stuck in figuring out where to start and what you’re actually supposed to do.

---
Nicklaus A. Giacobe, Ph.D.
Director of Undergraduate Programs and Assistant Teaching Professor
Phone: 814-865-8233
College of Information Sciences and Technology
Penn State University
E333 Westgate Building
University Park, PA 16802

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Nicklaus Giacobe
Sent: Monday, April 30, 2018 10:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] CIS vs NIST

You have to understand that the two types of frameworks, as you’ve described them, are written for different audiences and for different purposes. The NIST RMF is written for federal government agencies. They are more process oriented. The CIS CSCs are written for businesses and organizations in a response to where breaches have occurred in the past -- and responds to what an organization could/should do to address those immediate concerns to improve their security perspectives.

I think that students in information security should have some in-depth experience with both of these frameworks – and understand where guidance comes from and where they might be able to maintain and continue their understanding and compliance. A senior level course in security management should address these frameworks (and several others) so that students know where they should go for guidance.

I would encourage those of you developing cybersecurity curricula to review the NSA CAE in Cyber Defense (See https://www.iad.gov/NIETP/index.cfm) – and to develop curricula that lead you to that kind of program-level certification. You’ll find some guidance in https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_2019_Knowledge_Units.pdf for knowledge units (KU’s) in a variety of topics.

---
Nicklaus A. Giacobe, Ph.D.

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Davis, Chris
Sent: Monday, April 30, 2018 9:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] CIS vs NIST

We are a very small school and are just getting started with infosec. We are evaluating frameworks and seem to be wavering between CIS and NIST 800-171. My thoughts are that CIS will be easier for us to implement and manage long-term given our limited resources. But we have compliance issues to consider just like everyone else – HIPAA, PCI, FERPA, GLBA, etc. Given those parameters, which do you think would be more successful for us – CIS or 800-171?

Thanks!

Chris

Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University