Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Thu, 17 Jan 2013 10:21:42 -0500

Ours is based on the Information Security Forum's Standard of Good Practice
for Information Security, 2007 edition, which can be mapped back to ISO
27002 and CObIT 4.1. It can be downloaded at no cost from
https://www.securityforum.org/downloadresearch/downloadsogp/.

Unfortunately, ISF decided not to make the 2012 edition of the Standard
available for download; you have to purchase it unless your organization is
a member of the Forum. Having had experience with them in the past I would
love it if we were able to join, but their membership fee structure isn't
really compatible with universities (i.e., it's expensive).

--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Thu, Jan 17, 2013 at 10:07 AM, Dan Sarazen <dsarazen () brandeis edu> wrote:

I know UMass’s official IS Policy is based on ISO27002, but they do use
the SANS top twenty to provide additional procedural guidance.



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Edgmand, Craig
*Sent:* Thursday, January 17, 2013 10:05 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: Security Program: NIST, ISO, other?



Not to plug SANS here, as I have no affiliation with them, has anybody
thought about using the SANS 20 Critical Controls?




http://www.sans.org/critical-security-controls/http://www.sans.org/critical-security-controls/<http://www.sans.org/critical-security-controls/http:/www.sans.org/critical-security-controls/>



I know Virginia Tech is implementing these as their guidelines and they
map out to the various NIST SP800-53 controls.



Craig Edgmand

IT Security Manager

Oklahoma State University



*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *McLaughlin, Bryan S.
*Sent:* Thursday, January 17, 2013 8:57 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Security Program: NIST, ISO, other?



Quinn, I am planning to map our policies to standards and regulations, if
you are willing to share I would love to see what you have developed.



Bryan McLaughlin

Informaiton Security Officer

Creighton University

bmclaughiln () creighton edu



*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *Shamblin, Quinn
*Sent:* Thursday, January 17, 2013 8:45 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Security Program: NIST, ISO, other?



We do a combination of the various security best practices and standards.
We evaluate our systems using NIST 800-53, etc. mainly because we do a lot
of research for the government and they require data security and
management plans based on those standards.  But we run the larger program
with inputs from ISO27001/2, NIST, COBIT, and even inputs from ITIL (or ISO
20000 if you prefer).  We map our various policies to the
standards/regulations that require that policy.  I have a matrix (partially
complete) that shows that mapping if you are interested.



Quinn R Shamblin

------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  –  O 617-358-6310  M 617-999-7523

*Contact me securely: **https://securecontact.me/qrs () bu edu***



*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *Wright, A J (A. J.)
*Sent:* Thursday, January 17, 2013 9:37 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Security Program: NIST, ISO, other?



Hello all,



At the University of Tennessee, our security program is based on the NIST
800 Series special publications rather than ISO 27001.  While we don’t
claim to implement 100% of it (it wouldn’t be appropriate,) we’re making
heavy use of FIPS199, 800-37, 800-53, 800-66, etc.



I’ve had staff calling and emailing around asking this, but I figured I’d
ask this list also: what is your school’s security program based on?



Thanks,

ajw

--

*A. J. Wright
*Chief Information Security Officer



University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637

Email: ajw () tennessee edu




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault