Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] What security framework are you using, and why?


From: "Shankar, Anurag" <ashankar () IU EDU>
Date: Fri, 17 Sep 2021 20:49:31 +0000

Hi Vince,

 

It really depends on what you want to do.  If it is to make individual systems comply with regulations, the NIST RMF 
and 800-53 are still the way to go in my opinion, that is, if you have the resources and gumption to stomach the lot.  
We have used the RMF since 2014, mostly because it gives us a single tool to address pretty much all cyber compliance, 
in particular FISMA, DFARS, and HIPAA.  (We have about 70 central research and enterprise systems for which we maintain 
800-53 SSPs.)  The problem is that, because of its use of a control set like 800-53, the RMF is highly system-centric, 
expensive, and a poor choice for building, say, a campus security program.  The best framework for that is the newly 
minted Trusted CI Framework (https://www.trustedci.org/framework).  While its implementation guide is for research CI 
providers, the general principles are universal.  800-171 is just a smaller, system-centric control catalog (than 
800-53), but still system-centric.  NIST CSF is ok as a framework, but still too NIST-ish for me.

 

Anurag

--

Anurag Shankar, PhD

Center for Applied Cybersecurity Research

Indiana University

 

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jay Gallman 
<jay.gallman () DUKE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, September 17, 2021 at 3:03 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [External] Re: [SECURITY] What security framework are you using, and why?

 

As Robert mentions, the HEISC 800-171 Community Group (EDUCAUSE), where I am one of the group leaders, is looking at 
questions like the one raised.  We meet next Tuesday at 10:30, so please feel free to join us.

 

Regards,

-- 

Jay Gallman, GCIH

Risk Management IT Analyst | IT Security Office | Duke University

Phone: 919 684-8060

My Availability:  Microsoft 365

 

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Barton, Robert W. 
<bartonrt () LEWISU EDU>
Date: Friday, September 17, 2021 at 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] What security framework are you using, and why?

With Student Financial Aid requiring agencies to use NIST 800-171, I would use that.  There are a few working groups 
within Educause examining 800-171 and working on tools.

 

Robert W. Barton
Executive Director of Information Security & Policy
Lewis University
1 University Parkway
Romeoville, IL  60446-2200
815-836-5663

 

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura 
<vbonura () FORDHAM EDU>
Sent: Friday, September 17, 2021 1:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] What security framework are you using, and why? 

 

Hello again!

 

With the vast list of security frameworks to choose from, ISO/IEC 27000, COBIT 5, NIST SP 800-53, ITIL to name a few, 
I have been tasked to find the best one to use for our institution.  I thought it might be a good idea to see what 
other institutions are using and why.

 

I would be interested in knowing if you have a case study or a weblink that explains the reasoning for your selection.

 

We have tried a number over the last 15 years and while we thought NIST 800-53 was the right choice, we find that it 
doesn't accurately align with our school. Last year a consultant firm we hired for a NIST 800-171 gap assessment 
recommended NIST CSF.

 

So, we're working through the crosswalk exercise and thought we should reach out to our higher education colleagues for 
your feedback.

 

Don't be shy!

 

Thanks in advance!

 

Vince Bonura

 

IT Risk Analyst

Fordham University

(718) 817-1875

 

 

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community 