Educause Security Discussion mailing list archives
Re: [External Sender] Re: [SECURITY] CIS vs NIST
From: "Edgmand, Craig" <craig.edgmand () OKSTATE EDU>
Date: Mon, 30 Apr 2018 14:44:27 +0000
Chris,
The CIS Critical Controls are essentially a step-by-step guide to implementing a security program, and they are
even prioritized for you from 1 – 20. They are achievable and measurable, and you can map them back to NIST if you need
to. Randy Marchany, the CISO from Virginia Tech, has done some great presentations about CIS/NIST.
Good luck,
Craig Edgmand
IT Security Engineer
Oklahoma State University
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Davis, Chris
Sent: Monday, April 30, 2018 9:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [External Sender] Re: [SECURITY] CIS vs NIST
Thank you, Roman. This makes a lot of sense. I am not a security person, but I am trying to raise awareness on my
campus and come up with the plan to implement a security program. It seems my lack of knowledge in this area is more
of an impediment rather than an asset. I wish we had the resources to get a dedicated security person on staff to run
this.
Thanks for the assistance!
Chris
Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu
CyberAware – Be aware. Stay Secure.
Lourdes University will never ask you to send sensitive information through unsecure channels. Report any message that
asks you to provide or confirm personal information such as credit card and/or bank account numbers, Social Security
numbers, passwords, etc. or any other suspicious activity to infosec () lourdes edu. For
more information please visit lourdes.edu/cyberaware.
CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s)
and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not
the intended recipient of this message or their agent, or if this message has been addressed to you in error, please
immediately alert the sender by reply email and then delete this message and any attachments. If you are not the
intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its
attachments is strictly prohibited.
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Simanovich, Roman" <rsimanovich () USJ EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, April 30, 2018 at 10:17 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [External Sender] Re: [SECURITY] CIS vs NIST
Chris,
You are trying to compare apples to oranges. CIS top 20 is a set of 20 controls that you should implement. NIST 800-171
is a standard for protecting controlled unclassified information.
What you really need to do is implement a risk management program; this will address most of the requirements of every
compliance regulation. This will also help you prioritize limited security resources to ensure you're spending time
securing the weakest parts of your network based on how much risk there is to the organization. FYI, risk management is
not the same as vulnerability management.
NIST CSF and NIST RMF are a good set of standards to follow to get you started toward compliance with all regulations.
https://www.nist.gov/cyberframework
https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview
https://csrc.nist.gov/publications/detail/sp/800-39/final
https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final
Thanks,
Roman Simanovich
Information Security Specialist
University of Saint Joseph
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Davis,
Chris
Sent: Monday, April 30, 2018 9:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] CIS vs NIST
We are a very small school and are just getting started with infosec. We are evaluating frameworks and seem to be
wavering between CIS and NIST 800-171.
My thoughts are that CIS will be easier for us to implement and manage long-term given our limited resources. But we
have compliance issues to consider just like everyone else – HIPAA, PCI, FERPA, GLBA, etc.
Given those parameters, which do you think would be more successful for us – CIS or 800-171?
Thanks!
Chris
Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu