Educause Security Discussion mailing list archives

Re: Veterans Affairs Data Handling
From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Mon, 9 Jul 2007 10:18:36 -0400

If your application needs to be "certified", you need to complete the
Certification and Accreditation (C&A) process in NIST Special
Publication 800-37. This includes the selection and documentation of
controls under 800-53. 


James A.St.Clair, CISM 
Sr. Manager 
Global Public Sector 
Grant Thornton LLP 
(703) 637-3078 (office) 
(703) 727-6332 (mobile) 
(703) 837-4455 (fax) 


From: Schmidt, Eric W [mailto:erschmid () IUPUI EDU] 
Sent: Monday, July 09, 2007 9:50 AM
Subject: Re: Veterans Affairs Data Handling


We're dealing with a similar issue regarding VA research data and
"certifying" applications that handle that data.  I was informed by the
ISO at our VA center that NIST 800-53 is the security document we need
to follow for "certifying" these applications.  My problem is I need a
checklist the VA would use for this process and the NIST document
doesn't provide this.




Eric W. Schmidt, CISSP, CISM

Chief Security Officer

Indiana University School of Medicine




From: Chris Green
Sent: Fri 7/6/2007 4:56 PM
Subject: [SECURITY] Veterans Affairs Data Handling

Good day,


Does anyone have a pointer to current VA regulations regarding handling
research data?  Searching their site reveals portions here and there but
not a decent set of regulations.  Closest I can find is


but the source document is no longer there, which makes me wonder if it
has been obsoleted by another document.





Chris Green

UAB Data Security, 205-975-0842


