Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CIS vs NIST

From: "Bridges, Robert A." <bridgesra () ORNL GOV>
Date: Mon, 30 Apr 2018 16:12:58 +0000
Michael, 
Thanks for the reply. Just to be clear, I'm a researcher trying to understand the broad state of practice of operations 
to inform new technologies. I'm not trying to configure a security operation. 

So (one of) the questions (that still remains) for anyone willing to chime in, does anyone use audit logs? If so, are 
they default on, and if not, when do you turn them on? 

Thanks, 
Bobby

--
Robert A. Bridges, PhD, Research Mathematician, Cyber & Information Science Research Group, Oak Ridge National 
Laboratory
On 4/30/18, 12:08 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Valdis Kletnieks" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of valdis.kletnieks () VT EDU> wrote:

    On Mon, 30 Apr 2018 14:30:23 -0000, "Menne, Michael S" said:
    
    > Your list should be based on your own risks. Donâ•˙t worry about quantifying
    > your risks. A qualitative assessment with some simple numbers would be good
    > enough.  Start tracking every event and start developing some simple metrics in
    > order to justify your risk ranking and control priorities.
    
    Also - you *do* have backups of critical systems, they're offsite, and you
    *test* those backups, right?
Previous By Date Next
Previous By Thread Next

Current thread: