Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] What security framework are you using, and why?
From: "Shankar, Anurag" <ashankar () IU EDU>
Date: Fri, 17 Sep 2021 20:49:31 +0000
Hi Vince, It really depends on what you want to do. If it is to make individual systems comply with regulations, the NIST RMF and 800-53 are still the way to go in my opinion, that is, if you have the resources and gumption to stomach the lot. We have used the RMF since 2014, mostly because it gives us a single tool to address pretty much all cyber compliance, in particular FISMA, DFARS, and HIPAA. (We have about 70 central research and enterprise systems for which we maintain 800-53 SSPs.) The problem is that, because of its use of a control set like 800-53, the RMF is highly system-centric, expensive, and a poor choice for building say a campus security program. The best framework for that is the newly minted Trusted CI Framework (https://www.trustedci.org/framework). While its implementation guide is for research CI providers, the general principles are universal. 800-171 is just a smaller, system-centric control catalog (than 800-53), but still system-centric. NIST CSF is ok as a framework, but still too NIST-ish for me. Anurag -- Anurag Shankar, PhD Center for Applied Cybersecurity Research Indiana University From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jay Gallman <jay.gallman () DUKE EDU> Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> Date: Friday, September 17, 2021 at 3:03 PM To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU> Subject: [External] Re: [SECURITY] What security framework are you using, and why? This message was sent from a non-IU address. Please exercise caution when clicking links or opening attachments from external sources. As Robert mentions the HEISC 800-171 Community Group | EDUCAUSE where I am one of the group leaders, is looking at questions like the one raised. We meet next Tuesday at 10:30, so please feel free to join us. Regards, -- Jay Gallman, GCIH Risk Management IT Analyst | IT Security Office | Duke University Phone: 919 684-8060 My Availability: Microsoft 365 From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Barton, Robert W. <bartonrt () LEWISU EDU> Date: Friday, September 17, 2021 at 2:47 PM To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] What security framework are you using, and why? With Student Financial Aid requiring agencies to use NIST 800-171, I would use that. There are a few working groups within Educause examining 800-171 and working on tools. Robert W. Barton Executive Director of Information Security & Policy Lewis University 1 University Parkway Romeoville, IL 60446-2200 815-836-5663 From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura <vbonura () FORDHAM EDU> Sent: Friday, September 17, 2021 1:39 PM To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] What security framework are you using, and why? Hello again! With the vast list of security frameworks to choose from, ISO/IEC 27000, COBIT 5, NIST SP 800-53, ITIL to name a few, I have been tasked to find the best one to use for our institution. I thought it might be a good idea to see what other institutions are using and why. I would be interested in knowing if you have a case study or a weblink that explains the reasoning for your selection. We have tried a number over the last 15 years and while we thought NIST 800-53 was the right choice, we find that it doesn’t accurately align with our school. Last year a consultant firm we hired for a NIST 800-171 gap assessment, recommended NIST CSF. So, we’re working through the crosswalk exercise and thought we should reach out to our higher education colleagues for your feedback. Don’t be shy! Thanks in advance! Vince Bonura IT Risk Analyst Fordham University (718) 817-1875 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Attachment:
smime.p7s
Description:
Current thread:
- Re: [External] Re: [SECURITY] What security framework are you using, and why? Shankar, Anurag (Sep 17)
- Re: [External] Re: [SECURITY] What security framework are you using, and why? Powell, Andy (Sep 20)
- Re: [External] Re: [SECURITY] What security framework are you using, and why? Shane Kroening (Sep 21)
- Re: [External] Re: [SECURITY] What security framework are you using, and why? Powell, Andy (Sep 20)