Educause Security Discussion mailing list archives
Re: CIS vs NIST
From: "Penn, Blake C" <blake.penn () SECURITY GATECH EDU>
Date: Mon, 30 Apr 2018 17:30:18 +0000
Start with an ISMS framework first (like ISO 27001) and then customize your control/regulatory frameworks to suit that. Your policies and the results of your risk management program will drive what controls are needed, and you can pick the control/regulatory frameworks that best suit those control needs. So, if you are a small school, then your regulatory risk associated with CUI is likely relatively small and NIST 800-171 is probably not your best bet. However, if you process a lot of credit cards, then the regulatory risk associated with CHD is likely high, so PCI DSS might be a good framework for your high-risk systems, etc. Ultimately, managing cybersecurity always comes down to risk.

Regards,

Blake Penn
Information Security Policy and Compliance Manager
Cyber Security
Georgia Institute of Technology
(404) 385-5480

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Davis, Chris
Sent: Monday, April 30, 2018 09:50
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] CIS vs NIST

We are a very small school and are just getting started with infosec. We are evaluating frameworks and seem to be wavering between CIS and NIST 800-171. My thoughts are that CIS will be easier for us to implement and manage long-term given our limited resources. But we have compliance issues to consider just like everyone else – HIPAA, PCI, FERPA, GLBA, etc. Given those parameters, which do you think would be more successful for us – CIS or 800-171?

Thanks!
Chris

Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu