Educause Security Discussion mailing list archives

NIST 800-53 evidence curating and maintenance


From: Stephen Gay <sgay () KENNESAW EDU>
Date: Wed, 13 Jan 2021 14:53:15 +0000

All,

As part of a recent audit engagement, we have been working toward creating an accurate and timely assessment of the 
institution’s Student Information System using the NIST 800-53 control categories. Areas that are measured at a 
maturity level of 2 (internally or by audit) or below are incorporated into a system risk register maintained in the 
same document and escalated to the enterprise IT risk register as applicable. As we have gone through this exercise, 
there are many control categories which are scoped to the enterprise (Identity and Access Management, Incident 
Response, etc.), to specific data centers (Environmental Controls, Physical Access Controls), or are managed via 
contracted relationships with 3rd parties (also managed at an enterprise level).

To that end, it seems reasonable to me that a matrix could be created which could serve as a programmatic backend for 
the creation and maintenance of this data and which would facilitate a larger rollout of 800-53 assessments? For 
example, a replacement of the organization’s fire suppression system could be updated in one location (db table, xlsx, 
etc) which is then referenced and output for all 800-53 system assessments which have the appropriate flags set for 
organizationally hosted and within institutional data centers. Externally hosted systems would reference another entry 
specific to fire protection controls being mitigated through 3rd party contracts.

Has anyone done anything like this and, if so, would you be willing to share your experiences and the areas which I may 
be overlooking?

Thanks,

[Kennesaw State University]
Stephen Gay
Executive Director Cybersecurity, CISO
University Information Technology Services (UITS)
1075 Canton Pl NW
Room 016, MD 3503
Kennesaw, GA 30144
p: 470-578-6620
e: sgay () kennesaw edu
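One concrete shape for the matrix the post describes, as an added example that is not from the original post or from Kennesaw State: a small Python module in which each row of the shared table carries the control it evidences, its scope (enterprise, data center, third-party contract) and the applicability flags a system must match, and each system assessment is generated by resolving controls against those flags rather than copied by hand. Updating one row (the fire suppression replacement in the post) is then visible in every regenerated assessment, controls at maturity 2 or below are pulled into a per-system risk register, and a gap check reports controls for which a system's flags match no row at all. The control identifiers PE-13, IR-4 and AC-2 are real SP 800-53 controls; the rows, systems, maturity scores, owners and evidence strings are constructed sample data, and the function names are this example's own.

```python
"""Control-inheritance matrix for generating NIST SP 800-53 system assessments.

Added illustration, not code from the original post. PE-13 (Fire Protection),
IR-4 (Incident Handling) and AC-2 (Account Management) are real 800-53
controls; every row, system, score and evidence string below is constructed.
"""
from copy import deepcopy

# Shared matrix: one row per (control, scope). A system inherits the row whose
# `applies_to` flags all match its own attributes. This is the single place
# that is edited when, say, the data-center fire suppression system changes.
MATRIX = [
    {"id": "PE-13/dc-main", "control": "PE-13", "scope": "data_center",
     "applies_to": {"hosting": "internal", "data_center": "main"},
     "maturity": 3, "owner": "Facilities",
     "evidence": "Suppression system inspection report 2020-Q4 (constructed)"},
    {"id": "PE-13/3rd-party", "control": "PE-13", "scope": "third_party",
     "applies_to": {"hosting": "external"},
     "maturity": 3, "owner": "Vendor Management",
     "evidence": "Vendor SOC 2 Type II report, physical security section (constructed)"},
    {"id": "IR-4/enterprise", "control": "IR-4", "scope": "enterprise",
     "applies_to": {},  # no flags: inherited by every system
     "maturity": 2, "owner": "Security Operations",
     "evidence": "Incident response plan v3, tabletop exercise 2020 (constructed)"},
    {"id": "AC-2/enterprise", "control": "AC-2", "scope": "enterprise",
     "applies_to": {},
     "maturity": 4, "owner": "Identity and Access Management",
     "evidence": "Quarterly access review records (constructed)"},
]

# Per-system flags that drive row selection (constructed systems).
SYSTEMS = {
    "SIS": {"hosting": "internal", "data_center": "main"},
    "LMS (SaaS)": {"hosting": "external"},
    "Research DB": {"hosting": "internal", "data_center": "remote"},
}


def _matches(entry, system_attrs):
    """A row applies when every flag it sets equals the system's value."""
    return all(system_attrs.get(k) == v for k, v in entry["applies_to"].items())


def build_assessment(system_name, matrix=MATRIX, systems=SYSTEMS):
    """Resolve each control to the most specific applicable row.

    A row setting more flags is more specific; on a tie the earlier row wins,
    so enterprise-wide rows should come last if they must be overridable.
    Returns {control_id: copy of the chosen row}, sorted by control id.
    """
    attrs = systems[system_name]
    chosen = {}
    for entry in matrix:
        if not _matches(entry, attrs):
            continue
        ctrl = entry["control"]
        prev = chosen.get(ctrl)
        if prev is None or len(entry["applies_to"]) > len(prev["applies_to"]):
            chosen[ctrl] = entry
    return {ctrl: deepcopy(e) for ctrl, e in sorted(chosen.items())}


def risk_register(assessment, threshold=2):
    """Controls at maturity <= threshold belong on the system's risk register."""
    return sorted(c for c, e in assessment.items() if e["maturity"] <= threshold)


def unresolved_controls(system_name, matrix=MATRIX, systems=SYSTEMS):
    """Controls present in the matrix that no row covers for this system.

    Run this before trusting a generated assessment: a system whose flags
    match no row silently inherits nothing for that control.
    """
    all_controls = {e["control"] for e in matrix}
    covered = set(build_assessment(system_name, matrix, systems))
    return sorted(all_controls - covered)


def update_entry(entry_id, matrix=MATRIX, **changes):
    """Edit one shared row; every assessment rebuilt afterwards reflects it."""
    for entry in matrix:
        if entry["id"] == entry_id:
            entry.update(changes)
            return entry
    raise KeyError(entry_id)


if __name__ == "__main__":
    for name in SYSTEMS:
        assessment = build_assessment(name)
        print(name, "risk register:", risk_register(assessment),
              "unresolved:", unresolved_controls(name))
    # The post's scenario: the fire suppression system is replaced and the
    # evidence row is updated once; the SIS assessment picks it up on rebuild.
    update_entry("PE-13/dc-main", maturity=2,
                 evidence="New suppression system, acceptance test pending (constructed)")
    print("SIS after update:", build_assessment("SIS")["PE-13"]["evidence"])
```

The flags are deliberately a free-form dictionary so that new scoping dimensions (a second data center, a hosting region, a contract identifier) can be added as columns without changing the resolver; the gap check is what keeps that flexibility from hiding a control that no row actually evidences.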




