Educause Security Discussion
mailing list archives
Re: Security Program: NIST, ISO, other?
From: Blake Penn <BPenn () TRUSTWAVE COM>
Date: Fri, 18 Jan 2013 14:53:24 +0000
The PCI DSS is a good data security standard for the protection of CHD and using PCI DSS standards in part or in whole
to protect other high-value data (SSNs, PHI, etc.) can be useful as well. However, it is not an actual ISMS like ISO
27001 as it is not based on risk management driven program governance.
Blake Penn
CISSP, PCIP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
Trustwave
bpenn () trustwave com
+1 (678) 685-1277
http://www.trustwave.com
DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not
necessarily reflect the opinions of Trustwave.
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of
Christopher Jones
Sent: Thursday, January 17, 2013 11:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Program: NIST, ISO, other?
When we were conducting a gap analysis for PCI-DSS, our QSA recommended that we adopt the 12 PCI standards as our
overriding security policy. Has anyone had similar advice or considered doing this?
Christopher Jones
IT Security Analyst
University of the Fraser Valley
Christopher.Jones () ufv ca
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wright,
A J (A. J.)
Sent: Thursday, January 17, 2013 6:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Program: NIST, ISO, other?
Hello all,
At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than
ISO 27001. While we don't claim to implement 100% of it (it wouldn't be appropriate), we're making heavy use of
FIPS 199, 800-37, 800-53, 800-66, etc.
I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's
security program based on?
Thanks,
ajw
--
A. J. Wright
Chief Information Security Officer
University of Tennessee - System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN 37996-1717
Phone: 865-974-0637
Email: ajw () tennessee edu