Educause Security Discussion mailing list archives

Re: What security framework are you using, and why?

From: Christian Schreiber <chris () CSCHREIBER LLC>
Date: Fri, 17 Sep 2021 19:10:03 +0000

HI Vince - I'd start by understanding your goal from selecting a framework. In the end, you will need one that reflects 
the needs of the institution holistically, so you'll probably end up with a combination of various published standards.

The NIST CSF is a broad but shallow framework designed to spell out the needs of an information security program to 
protect the confidentiality, integrity, and availability of data and systems as well as the privacy of individuals. The 
advantage of the CSF is the 5 functions resonate with non-technical stakeholders and provide a good foundation for 
management reporting. I agree with your consultants that this is a good place to start, and you can align your 
long-term reporting around the Identify - Protect - Detect - Respond - Recover pillars to help communicate with 
executives and the board.

NIST 800-171 is a more narrow framework that focused on protecting the confidentiality of data. It lacks some of the 
broader security program context, but it should be on your radar since the Dept of Education expects schools to follow 
it when protecting student financial data and many research sponsors expect it for protecting sensitive research data.

CMMC goes a little deeper, but is also narrowly focused on protecting data confidentiality. (Likewise HIPAA and PCI 
controls.)

If you're just starting, I would focus on CSF to get a broad assessment of security program capabilities. Once you have 
a handle on that, start also addressing gaps against 800-171.

A tool like the Unified Compliance Framework can help normalize the many regulations and requirements universities are 
subject to, and I've found their 5k annual fee well worth the spend. They have hundreds of frameworks already mapped in 
their database and link the various requirements back to a standardized set of control language.

Feel free to connect off list and I can send a couple slides I've used helping other schools.
- Chris

---
Christian Schreiber, CISM, PMP

Office: 520.497.3614
Email: chris () cschreiber llc
Web: www.cschreiber.llc

C Schreiber LLC
Simplify your university cybersecurity strategy

Sent from a mobile device. Please excuse any typos.
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura 
<vbonura () FORDHAM EDU>
Sent: Friday, September 17, 2021 1:39:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] What security framework are you using, and why?


Hello again!



With the vast list of security frameworks to choose from, ISO/IEC 27000, COBIT 5, NIST SP 800-53, ITIL to name a few,  
I have been tasked to find the best one to use for our institution.  I thought it might be a good idea to see what 
other institutions are using and why.



I would be interested in knowing if you have a case study or a weblink that explains the reasoning for your selection.



We have tried a number over the last 15 years and while we thought NIST 800-53 was the right choice, we find that it 
doesn’t accurately align with our school. Last year a consultant firm we hired for a NIST 800-171 gap assessment, 
recommended NIST CSF.



So, we’re working through the crosswalk exercise and thought we should reach out to our higher education colleagues for 
your feedback.



Don’t be shy!



Thanks in advance!



Vince Bonura



IT Risk Analyst

Fordham University

(718) 817-1875





**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Cchris%40CSCHREIBER.LLC%7C3270dab392844bd2a82c08d97a0a84e5%7C18c077a173f64e91ac2977b69ff7c44a%7C0%7C0%7C637675007874088646%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qryGq8yPwuHFXQDJw0yxsnYc5H1JalH4ihJ4dQLuFww%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Current thread:

What security framework are you using, and why? Vince Bonura (Sep 17)
- Re: What security framework are you using, and why? Barton, Robert W. (Sep 17)
  - Re: What security framework are you using, and why? Jay Gallman (Sep 17)
- Re: What security framework are you using, and why? John Virden (Sep 17)
- Re: What security framework are you using, and why? Christian Schreiber (Sep 17)
  - Re: What security framework are you using, and why? Blake Penn (Sep 17)
- Re: What security framework are you using, and why? Foss, Henry L. (Sep 17)
- Re: What security framework are you using, and why? Uday Kiran (Sep 18)