Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] What security framework are you using, and why?
From: "Powell, Andy" <ap16 () WILLIAMS EDU>
Date: Mon, 20 Sep 2021 08:44:03 -0400
Hi all, As I am up to my eyeballs in this at the moment, I figured I'd share a bit about my experience and our journey here at Williams. Coming from FinSvcs, I immediately gravitated towards 800-53r4 and developed a Program that aligned to it and mapped activities and controls back to both 800-53r4 and NIST CSF. CSF is the broad framework the college has agreed to align with, leaving me some latitude with lower-level frameworks for realizing the goals. But, 800-53r5 dropped earlier this year around the same time that the Federal Student Aid <https://fsapartners.ed.gov/knowledge-center/library/electronic-announcements/2020-12-18/protecting-student-information-compliance-cui-and-glba> was indicating that they would audit for compliance with NIST 800-171r2. For sanity's sake, it may be important to note that 800-53r4 contained ~240 controls across 18 groups, while 800-53r5, which supersedes r4, has 20 groups, and has ~850 controls and control enhancements. When faced with this uphill, control-based climb, I was relieved to read the advice on 800-171, which feels more like 800-53r4 with 111 controls, covering both "basic" and "derived" areas of concern. To plug 800-171 into the existing CSF/800-53r4 based program, I used NIST's helpful mapping of 800-171 to CSF here <https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/csf-v1-0-to-sp800-171rev2-mapping.xlsx>. In the notes, it clearly spells out that 800-171 is designed to protect the confidentiality of CUI only, and may not address Integrity or Availability well enough to meet our respective institutions' needs. There are a few 800-171 controls that are not mapped to the CSF directly (4 or 5) but those were manually mapped to corresponding sections of our Program that made logical sense. The caution here is threefold: 1. Don't use superseded frameworks (i.e. 800-53r4) 2. Compliance is not security (i.e. you may need to invite in 800-53r5 or CIS controls selectively to address data integrity and availability for your institution) 3. Know your org and, as Anurag said, know what you are trying to accomplish. 800-53r5 is too heavily control- and control-maturity-based for our college, and we don't govern the program by control effectiveness as much as risk reduction. I suppose it makes sense for Federal Student Aid to "only" care about data confidentiality, but I suspect the college and our board care about more than just that single dimension of information security. I hope this helps! --Andy On Fri, Sep 17, 2021 at 4:50 PM Shankar, Anurag <ashankar () iu edu> wrote:
Hi Vince, It really depends on what you want to do. If it is to make individual systems comply with regulations, the NIST RMF and 800-53 are still the way to go in my opinion, that is, if you have the resources and gumption to stomach the lot. We have used the RMF since 2014, mostly because it gives us a single tool to address pretty much all cyber compliance, in particular FISMA, DFARS, and HIPAA. (We have about 70 central research and enterprise systems for which we maintain 800-53 SSPs.) The problem is that, because of its use of a control set like 800-53, the RMF is highly system-centric, expensive, and a poor choice for building say a campus security program. The best framework for that is the newly minted Trusted CI Framework ( https://www.trustedci.org/framework). While its implementation guide is for research CI providers, the general principles are universal. 800-171 is just a smaller, system-centric control catalog (than 800-53), but still system-centric. NIST CSF is ok as a framework, but still too NIST-ish for me. Anurag -- Anurag Shankar, PhD Center for Applied Cybersecurity Research Indiana University *From: *The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jay Gallman < jay.gallman () DUKE EDU> *Reply-To: *The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> *Date: *Friday, September 17, 2021 at 3:03 PM *To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU> *Subject: *[External] Re: [SECURITY] What security framework are you using, and why? This message was sent from a non-IU address. Please exercise caution when clicking links or opening attachments from external sources. As Robert mentions the HEISC 800-171 Community Group | EDUCAUSE <https://www.educause.edu/community/heisc-800-171-community-group> where I am one of the group leaders, is looking at questions like the one raised. We meet next Tuesday at 10:30, so please feel free to join us. Regards, -- *Jay Gallman, GCIH* Risk Management IT Analyst | IT Security Office | Duke University Phone: 919 684-8060 My Availability: Microsoft 365 <https://outlook.office365.com/owa/calendar/d787a256f208403e9711748e356080af () duke edu/57d1ee81e6ad40daa985f447ef6881ce17105695644070449399/calendar.html> *From: *The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Barton, Robert W. < bartonrt () LEWISU EDU> *Date: *Friday, September 17, 2021 at 2:47 PM *To: *SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> *Subject: *Re: [SECURITY] What security framework are you using, and why? With Student Financial Aid requiring agencies to use NIST 800-171, I would use that. There are a few working groups within Educause examining 800-171 and working on tools. Robert W. Barton Executive Director of Information Security & Policy Lewis University 1 University Parkway Romeoville, IL 60446-2200 815-836-5663 ------------------------------ *From:* The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura < vbonura () FORDHAM EDU> *Sent:* Friday, September 17, 2021 1:39 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> *Subject:* [SECURITY] What security framework are you using, and why? Hello again! With the vast list of security frameworks to choose from, ISO/IEC 27000, COBIT 5, NIST SP 800-53, ITIL to name a few, I have been tasked to find the best one to use for our institution. I thought it might be a good idea to see what other institutions are using and why. I would be interested in knowing if you have a case study or a weblink that explains the reasoning for your selection. We have tried a number over the last 15 years and while we thought NIST 800-53 was the right choice, we find that it doesn’t accurately align with our school. Last year a consultant firm we hired for a NIST 800-171 gap assessment, recommended NIST CSF. So, we’re working through the crosswalk exercise and thought we should reach out to our higher education colleagues for your feedback. Don’t be shy! Thanks in advance! Vince Bonura IT Risk Analyst Fordham University (718) 817-1875 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Re: [External] Re: [SECURITY] What security framework are you using, and why? Shankar, Anurag (Sep 17)
- Re: [External] Re: [SECURITY] What security framework are you using, and why? Powell, Andy (Sep 20)
- Re: [External] Re: [SECURITY] What security framework are you using, and why? Shane Kroening (Sep 21)
- Re: [External] Re: [SECURITY] What security framework are you using, and why? Powell, Andy (Sep 20)