Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?
From: Dan Sarazen <dsarazen () BRANDEIS EDU>
Date: Thu, 17 Jan 2013 09:55:25 -0500

Hi A.J.,

For most of the schools I review that don’t have an IS policy I recommend
they *base* there IS Policy on ISO27001/2. It’s my understanding that ISO
maps to NIST, HIPAA, FERPA, and PCI, but that NIST doesn’t map to HIPAA or
PCI. If your Information Security Policy doesn’t cover PCI or HIPAA
controls, then you would have to create supplemental policies and
procedures to cover those compliance areas, and who really wants to do that?

The attached is about a year old, and I cannot verify it’s accuracy, but
one of the tabs maps NIST to ISO and shows the gaps.

Another reason to use ISO, IMO, is because many risk assessments have
already been developed against the ISO series and can be easily leveraged
without having to create your own.

The link below also contains a discussion on this issue.

Good Luck!

My $.02

Good Luck!

Dan Sarazen

Senior IT Auditor

The Boston Consortium for Higher Education

Phone: 781-736-8703

Cell:     781-296-4444

Fax:     781-736-8706

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
*Sent:* Thursday, January 17, 2013 9:37 AM
*Subject:* Security Program: NIST, ISO, other?

Hello all,

At the University of Tennessee, our security program is based on the NIST
800 Series special publications rather than ISO 27001.  While we don’t
claim to implement 100% of it (it wouldn’t be appropriate,) we’re making
heavy use of FIPS199, 800-37, 800-53, 800-66, etc.

I’ve had staff calling and emailing around asking this, but I figured I’d
ask this list also: what is your school’s security program based on?




*A. J. Wright
*Chief Information Security Officer

University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637

Email: ajw () tennessee edu

Attachment: NIST ISO MappingFINAL.xls

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]