
Just wondering if any other schools have standardized on any of these security management techniques. ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc. If so, I'd be interested in your feedback of such. Unless I'm grossly missing something, it seems like one has to pay to get the ISO standards from ISO.org/ANSI. That doesn't make sense... -David

Comments

David, When founded in 2006, we designed our program at Kennesaw State University around NIST's 800-53 classes (technical, operational, and managerial). All projects were mapped into these categories and it was easy to communicate to a technical / InfoSec audience. Even so, we found the classes did not lend themselves to mapping into the mission of the organization nor proactive safeguards. We transitioned our program over to the ISO 27001 framework in 2011 and it has provided for a more complete picture of our information security program. We did pay for the documents (cost is fairly reasonable) but you may want to start with the numerous Educause presentations regarding the framework. They will give you the general idea and touch on advantages / disadvantages.

Stephen C Gay CISSP CISA
ITS Associate Director - Information Security Office
KSU Information Security Officer
Kennesaw State University
sgay@kennesaw.edu
We're using NIST SP800, and have been pretty happy with it.
- It's got a good control catalog (800-53) with good audit instructions (800-53A).
- There are grants that are asking for it (or its related sibling: FISMA).
- It has good risk management (800-37).
- It has the right price (free).
- It has documentation with guidance on many special topics in the area.
- It's simple enough to explain with PLENTY (wow) of documentation to back it up.

My biggest complaint is that it (and FIPS 199) doesn't offer clarification on absolute vs. relative control levels. Just because a service is "high confidentiality" for my institution does not mean we're going to apply military-grade confidentiality controls. If others are using NIST, I'd love to hear how it's going and trade practices.

ajw
--
A. J. Wright
Chief Information Security Officer
University of Tennessee
The University of Massachusetts has adopted ISO 27002 as its official IS Policy, and is mapping out its controls and documentation accordingly... and it's all (much of it anyway) available on their website. Full disclosure: I was their IT Auditor for four-plus years and helped work on the policy.

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706
Since we are starting to build our program here, we are looking at COBIT, ISO 27001, and NIST for possible implementation.

In reviewing them, I think we're most likely to move towards the ISO 27001 series.  However, we're still investigating.

Shawn
-----
Shawn A. Kohrman, Security Architect

Azusa Pacific University
Information & Media Technology
901 E. Alosta Ave., PO Box 7000
Azusa, CA 91702-7000

P:  626.815.2054 | F:  626.815.2061 | http://www.apu.edu/
-----



Hi A.J., Quick question: Are you using this same standard for your health center? I was under the impression that NIST didn't include the HIPAA requirements, but I'm willing to be wrong. Thanks, Dan
NIST doesn't include any specific HIPAA/PCI/FERPA compliance requirements. My experience is that the compliance requirements fit well into the program as existing or supplemental controls. Oversimplified: if you classify your assets correctly, and apply the controls appropriately, you get compliance "for free." ajw

We standardized under the ISO 27000 series (they have standards around building an effective information security management program based on evaluating risks, best practices for controls integration, how to develop a standardized approach to risk management, etc.). They aren't free of charge but there are ways to get the costs reduced. Feel free to contact me directly if interested. The ISO 27000 is a comprehensive approach (people, process and technology) and you can then layer in other standards such as NIST or COBIT, based on your needs.

Take a look at the HEISC Information Security Guide; doing searches and looking at the chapters there will lead you to a multitude of resources to examine: www.educause.edu/security/guide

Best regards!

Tammy L. Clark, CISSP, CISM, CISA, HISP, CRISC, PMP
Chief Information Security Officer
Information Security Coordination
tlclark@gsu.edu
404-413-4509

All, At New Mexico State University we are in the process of researching this topic (ISO 17799 / 27001, COBIT, NIST, ENISA, OASIS, OWASP, etc.) and I am leaning towards ISO 27001 & 27002. Not too long ago I reviewed the free resources including COBIT 5 and I just bought this past week the ISO standards 27001 & 27002 for $407.00. Based on what I have seen so far, I think that we will go with the ISO standards.

Carlos S. Lobato, CISA, CIA
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003-8001
Phone: 575-646-5902
Fax: 575-646-5278
Email: clobato@nmsu.edu
Hi Tammy, From what I'm seeing in this conversation, the 27000 series is where people are heading. I'm interested in finding out how to get the discount. We aren't exactly a large institution and I'd be hard pressed to get an approval on purchasing content without seeing it first. I'm also going to look over the Educause info you suggested as well. Thanks, David Pirolo

On Thu, 2012-06-14 at 17:07 +0000, Tammy Lynn Clark wrote:
UBC has standardised under ISO 27000 as well. We're taking a phased approach of slowly adding in specific controls from 27000 over a period of years to gradually move towards a better culture of security. We're doing it on a risk basis by doing regular gap analysis against systemic issues at the university vs. the controls in 27000. We are also leveraging Educause resources as well as other institutions' efforts in 27000 for policy.

Regards,
Larry Carson
Associate Director, Information Security Management, UBC
If you're just looking for a copy of the standards, ansi.org has them for a reasonable price. I picked up a PDF copy of 27002:2005 for $30 a few years ago. Looks like it is still available in their store, along with other 2700x documents.

http://webstore.ansi.org/RecordDetail.aspx?sku=ISO%2fIEC+27000%3a2009
http://webstore.ansi.org/RecordDetail.aspx?sku=INCITS%2fISO%2fIEC+27001-...
http://webstore.ansi.org/RecordDetail.aspx?sku=INCITS%2fISO%2fIEC+27002-...

They also have several bundles that I have not looked at.

--
Lou Arminio
Senior Information Security Analyst
Northern Arizona University
Information Technology Services
1300 S Knoles Dr, NAU Box 5100
Flagstaff, Arizona 86011
Lou.Arminio@nau.edu
Ph: (928) 523-6462
Fax: (928) 523-7407
I don't know what the current pricing is but several years ago we worked out a license for several floating seats of campus-wide online access to the whole series. Our contact at the time was:

Mark Brown
Director, Sales
American National Standards Institute (ANSI)
25 West 43rd Street
New York, NY 10036
Phone: 212-642-4935 
Fax: 212-719-1679

Bob Kalal
Director (Retired), IT Policy
Office of the CIO
The Ohio State University



My own opinion is that all of these frameworks have their advantages and disadvantages. How and what you choose should be somewhat dependent upon what you're trying to accomplish. The HEISC has formed a project team to build an information security program benchmarking tool, building on previous work done around the information security governance assessment tool (link below). The project team is still chartering its work, but early indications are that the tool will standardize around the ISO 27000 series with some crosswalking of other standards and regulations where appropriate. The intent is to build a tool off of existing standards that will allow academic institutions to benchmark the maturity of their security programs. More to come on that as the work progresses.

http://net.educause.edu/ir/library/pdf/SEC0421.pdf

At Carnegie Mellon we leverage ISO, NIST, COBIT and others at different times for different reasons. More recently we have been looking at the Resiliency Management Model, which is a model for operational process improvement that brings together information security, business continuity and IT operations to help organizations achieve operational resilience. It's not a security management framework, but it's worth a look.

http://www.cert.org/resilience/rmm.html

Don't even get me started on licensing for ISO standards, membership fees associated with ITGI resources, the more recent move to licensing of the Shared Assessments framework, etc. Grrr... >:-|
I thought I'd correct my previous statement about the Resiliency Management Model being used as a security management framework. What I should have said is that it's not a prescriptive code of practice like ISO 27002 and NIST 800-53, but it could certainly be used as a security management framework. There is a crosswalk to ISO 27002, COBIT, PCI DSS and other standards available as well. Didn't want to misrepresent things.
Thank you all for the great feedback. From what I understand about the 27000 series, it tends to emphasize business continuity and disaster recovery, but is a bit less stringent on encryption and human resources. To be fair, I haven't actually seen the standards to make that judgment myself; it's just what I have read. If you are using the 27000 series for your overarching plan, how are you adjusting for potential discrepancies? -David

On Mon, 2012-06-18 at 20:31 +0000, Doug Markiewicz wrote: