Re: [External] Re: [SECURITY] What security framework are you using, and why?

["Powell, Andy" <ap16 () WILLIAMS EDU>]

Hi all,

  As I am up to my eyeballs in this at the moment, I figured I'd share a
bit about my experience and our journey here at Williams.

  Coming from FinSvcs, I immediately gravitated towards 800-53r4 and
developed a Program that aligned to it and mapped activities and controls
back to both 800-53r4 and NIST CSF. CSF is the broad framework the college
has agreed to align with, leaving me some latitude with lower-level
frameworks for realizing the goals.

  But, 800-53r5 dropped earlier this year around the same time that the Federal
Student Aid
<https://fsapartners.ed.gov/knowledge-center/library/electronic-announcements/2020-12-18/protecting-student-information-compliance-cui-and-glba>
was indicating that they would audit for compliance with NIST 800-171r2.

  For sanity's sake, it may be important to note that 800-53r4 contained
~240 controls across 18 groups, while 800-53r5, which supersedes r4, has 20
groups, and has ~850 controls and control enhancements.

  When faced with this uphill, control-based climb, I was relieved to read
the advice on 800-171, which feels more like 800-53r4 with 111 controls,
covering both "basic" and "derived" areas of concern.

  To plug 800-171 into the existing CSF/800-53r4 based program, I used
NIST's helpful mapping of 800-171 to CSF here
<https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/csf-v1-0-to-sp800-171rev2-mapping.xlsx>.
In the notes, it clearly spells out that 800-171 is designed to protect the
confidentiality of CUI only, and may not address Integrity or Availability
well enough to meet our respective institutions' needs. There are a few
800-171 controls that are not mapped to the CSF directly (4 or 5) but those
were manually mapped to corresponding sections of our Program that made
logical sense.

  The caution here is threefold:

  1. Don't use superseded frameworks (i.e. 800-53r4)
  2. Compliance is not security (i.e. you may need to invite in 800-53r5 or
CIS controls selectively to address data integrity and availability for
your institution)
  3. Know your org and, as Anurag said, know what you are trying to
accomplish. 800-53r5 is too heavily control- and control-maturity-based for
our college, and we don't govern the program by control effectiveness as
much as risk reduction.

  I suppose it makes sense for Federal Student Aid to "only" care about
data confidentiality, but I suspect the college and our board care about
more than just that single dimension of information security. I hope this
helps!

--Andy


On Fri, Sep 17, 2021 at 4:50 PM Shankar, Anurag <ashankar () iu edu> wrote:

> Hi Vince,
>
>
>
> It really depends on what you want to do.  If it is to make individual
> systems comply with regulations, the NIST RMF and 800-53 are still the way
> to go in my opinion, that is, if you have the resources and gumption to
> stomach the lot.  We have used the RMF since 2014, mostly because it gives
> us a single tool to address pretty much all cyber compliance, in particular
> FISMA, DFARS, and HIPAA.  (We have about 70 central research and enterprise
> systems for which we maintain 800-53 SSPs.)  The problem is that, because
> of its use of a control set like 800-53, the RMF is highly system-centric,
> expensive, and a poor choice for building say a campus security program.
> The best framework for that is the newly minted Trusted CI Framework (
> https://www.trustedci.org/framework).  While its implementation guide is
> for research CI providers, the general principles are universal.  800-171
> is just a smaller, system-centric control catalog (than 800-53), but still
> system-centric.  NIST CSF is ok as a framework, but still too NIST-ish for
> me.
>
>
>
> Anurag
>
> --
>
> Anurag Shankar, PhD
>
> Center for Applied Cybersecurity Research
>
> Indiana University
>
>
>
> *From: *The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jay Gallman <
> jay.gallman () DUKE EDU>
> *Reply-To: *The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU>
> *Date: *Friday, September 17, 2021 at 3:03 PM
> *To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject: *[External] Re: [SECURITY] What security framework are you
> using, and why?
>
>
>
> This message was sent from a non-IU address. Please exercise caution when
> clicking links or opening attachments from external sources.
>
>
>
> As Robert mentions the HEISC 800-171 Community Group | EDUCAUSE
> <https://www.educause.edu/community/heisc-800-171-community-group> where
> I am one of the group leaders, is looking at questions like the one
> raised.  We meet next Tuesday at 10:30, so please feel free to join us.
>
>
>
> Regards,
>
> --
>
> *Jay Gallman, GCIH*
>
> Risk Management IT Analyst | IT Security Office | Duke University
>
> Phone: 919 684-8060
>
> My Availability:  Microsoft 365
> <https://outlook.office365.com/owa/calendar/d787a256f208403e9711748e356080af () duke 
> edu/57d1ee81e6ad40daa985f447ef6881ce17105695644070449399/calendar.html>
>
>
>
> *From: *The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Barton, Robert W. <
> bartonrt () LEWISU EDU>
> *Date: *Friday, September 17, 2021 at 2:47 PM
> *To: *SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject: *Re: [SECURITY] What security framework are you using, and why?
>
> With Student Financial Aid requiring agencies to use NIST 800-171, I would
> use that.  There are a few working groups within Educause examining 800-171
> and working on tools.
>
>
>
> Robert W. Barton
> Executive Director of Information Security & Policy
> Lewis University
> 1 University Parkway
> Romeoville, IL  60446-2200
> 815-836-5663
>
>
> ------------------------------
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura <
> vbonura () FORDHAM EDU>
> *Sent:* Friday, September 17, 2021 1:39 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject:* [SECURITY] What security framework are you using, and why?
>
>
>
> Hello again!
>
>
>
> With the vast list of security frameworks to choose from, ISO/IEC 27000,
> COBIT 5, NIST SP 800-53, ITIL to name a few,  I have been tasked to find
> the best one to use for our institution.  I thought it might be a good idea
> to see what other institutions are using and why.
>
>
>
> I would be interested in knowing if you have a case study or a weblink
> that explains the reasoning for your selection.
>
>
>
> We have tried a number over the last 15 years and while we thought NIST
> 800-53 was the right choice, we find that it doesn’t accurately align with
> our school. Last year a consultant firm we hired for a NIST 800-171 gap
> assessment, recommended NIST CSF.
>
>
>
> So, we’re working through the crosswalk exercise and thought we should
> reach out to our higher education colleagues for your feedback.
>
>
>
> Don’t be shy!
>
>
>
> Thanks in advance!
>
>
>
> Vince Bonura
>
>
>
> IT Risk Analyst
>
> Fordham University
>
> (718) 817-1875
>
>
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community