Re: What security framework are you using, and why?

[Blake Penn <bpenn () COLGATE EDU>]

Hi Vince,

I'd echo what Chris said by focusing on your goal first (as many of
the frameworks that you mention are different frameworks designed for
different purposes).

ISO 27001 is an information security management framework (how to
build/operate an effective information security management system (ISMS)
aka cybersecurity program), COBIT is an IT governance framework, ITIL is an
IT service management framework, and NIST 800-53 is a cybersecurity
controls framework.

They all have different (but sometimes overlapping) purposes. You really
need to know the "why" before you start choosing frameworks and you may
want to work with several frameworks instead of choosing just one for the
reasons mentioned above.

Best regards,
Blake

--
Blake Penn (he/him/his)
Chief Information Security Officer
Information Technology Services
Colgate University
bpenn () colgate edu | 315.228.7151
https://www.colgate.edu


On Fri, Sep 17, 2021 at 3:10 PM Christian Schreiber <chris () cschreiber llc>
wrote:

> HI Vince - I'd start by understanding your goal from selecting a
> framework. In the end, you will need one that reflects the needs of the
> institution holistically, so you'll probably end up with a combination of
> various published standards.
>
> The NIST CSF is a broad but shallow framework designed to spell out the
> needs of an information security program to protect the confidentiality,
> integrity, and availability of data and systems as well as the privacy of
> individuals. The advantage of the CSF is the 5 functions resonate with
> non-technical stakeholders and provide a good foundation for management
> reporting. I agree with your consultants that this is a good place to
> start, and you can align your long-term reporting around the Identify -
> Protect - Detect - Respond - Recover pillars to help communicate with
> executives and the board.
>
> NIST 800-171 is a more narrow framework that focused on protecting the
> confidentiality of data. It lacks some of the broader security program
> context, but it should be on your radar since the Dept of Education expects
> schools to follow it when protecting student financial data and many
> research sponsors expect it for protecting sensitive research data.
>
> CMMC goes a little deeper, but is also narrowly focused on protecting data
> confidentiality. (Likewise HIPAA and PCI controls.)
>
> If you're just starting, I would focus on CSF to get a broad assessment of
> security program capabilities. Once you have a handle on that, start also
> addressing gaps against 800-171.
>
> A tool like the Unified Compliance Framework can help normalize the many
> regulations and requirements universities are subject to, and I've found
> their 5k annual fee well worth the spend. They have hundreds of frameworks
> already mapped in their database and link the various requirements back to
> a standardized set of control language.
>
> Feel free to connect off list and I can send a couple slides I've used
> helping other schools.
> - Chris
>
> ---
> Christian Schreiber, CISM, PMP
>
> Office: 520.497.3614
> Email: chris () cschreiber llc
> Web: www.cschreiber.llc
>
> C Schreiber LLC
> Simplify your university cybersecurity strategy
>
> Sent from a mobile device. Please excuse any typos.
> ------------------------------
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura <
> vbonura () FORDHAM EDU>
> *Sent:* Friday, September 17, 2021 1:39:40 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject:* [SECURITY] What security framework are you using, and why?
>
>
> Hello again!
>
>
>
> With the vast list of security frameworks to choose from, ISO/IEC 27000,
> COBIT 5, NIST SP 800-53, ITIL to name a few,  I have been tasked to find
> the best one to use for our institution.  I thought it might be a good idea
> to see what other institutions are using and why.
>
>
>
> I would be interested in knowing if you have a case study or a weblink
> that explains the reasoning for your selection.
>
>
>
> We have tried a number over the last 15 years and while we thought NIST
> 800-53 was the right choice, we find that it doesn’t accurately align with
> our school. Last year a consultant firm we hired for a NIST 800-171 gap
> assessment, recommended NIST CSF.
>
>
>
> So, we’re working through the crosswalk exercise and thought we should
> reach out to our higher education colleagues for your feedback.
>
>
>
> Don’t be shy!
>
>
>
> Thanks in advance!
>
>
>
> Vince Bonura
>
>
>
> IT Risk Analyst
>
> Fordham University
>
> (718) 817-1875
>
>
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Cchris%40CSCHREIBER.LLC%7C3270dab392844bd2a82c08d97a0a84e5%7C18c077a173f64e91ac2977b69ff7c44a%7C0%7C0%7C637675007874088646%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qryGq8yPwuHFXQDJw0yxsnYc5H1JalH4ihJ4dQLuFww%3D&reserved=0>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community