
Hello all,


At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than ISO 27001.  While we don’t claim to implement 100% of it (it wouldn’t be appropriate), we’re making heavy use of FIPS 199, 800-37, 800-53, 800-66, etc.


I’ve had staff calling and emailing around asking this, but I figured I’d ask this list also: what is your school’s security program based on?





A. J. Wright 
Chief Information Security Officer


University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637




We do a combination of the various security best practices and standards.  We evaluate our systems using NIST 800-53, etc. mainly because we do a lot of research for the government and they require data security and management plans based on those standards.  But we run the larger program with inputs from ISO27001/2, NIST, COBIT, and even inputs from ITIL (or ISO 20000 if you prefer).  We map our various policies to the standards/regulations that require that policy.  I have a matrix (partially complete) that shows that mapping if you are interested.


Quinn R Shamblin
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  –  O 617-358-6310  M 617-999-7523

Contact me securely:


We were using ISO27001/2 and are/will be using NIST 800-53.



Quentin L. McCallum, CISSP, ITIL-F

Information Security Analyst

Lansing Community College



Hi A.J.,


For most of the schools I review that don’t have an IS policy, I recommend they base their IS Policy on ISO27001/2. It’s my understanding that ISO maps to NIST, HIPAA, FERPA, and PCI, but that NIST doesn’t map to HIPAA or PCI. If your Information Security Policy doesn’t cover PCI or HIPAA controls, then you would have to create supplemental policies and procedures to cover those compliance areas, and who really wants to do that?


The attached is about a year old, and I cannot verify its accuracy, but one of the tabs maps NIST to ISO and shows the gaps.


Another reason to use ISO, IMO, is because many risk assessments have already been developed against the ISO series and can be easily leveraged without having to create your own.


The link below also contains a discussion on this issue.


Good Luck!


My $.02




Dan Sarazen

Senior IT Auditor

The Boston Consortium for Higher Education

Phone: 781-736-8703

Cell:     781-296-4444

Fax:     781-736-8706




Quinn, I am planning to map our policies to standards and regulations, if you are willing to share I would love to see what you have developed.


Bryan McLaughlin

Information Security Officer

Creighton University


We already had a comprehensive IS policy in place that was modeled after ISO 27001/2, but our QSA never mentioned that an industry standard such as PCIDSS would be a good model for a university IS policy.

Personally, if you’ve got nothing to start with, I suppose using PCIDSS is a start, but I would be hesitant to model a general IS policy for a higher education institution after a rather narrowly defined set of industry security standards.


Kennesaw State University utilizes ISO27002 while also incorporating the metric requirements included in CoBIT. We have just recently started looking into incorporating the SANS 20 Critical Controls.


Stephen C Gay CISSP CISA

ITS Associate Director - Information Security Office

KSU Information Security Officer

Kennesaw State University

I would tend to agree with Eva on that point.  That may be a great starting point for financial firms or business that have transactions at the core of what they do (retail, etc.), but it is not a good fit for the overall program at an educational institution.  It is far too costly, restrictive and far reaching for edu.  It does however provide a good list of things to consider as part of the overall program, but certainly not broad/blind adoption.


Quinn R Shamblin
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  –  O 617-358-6310  M 617-999-7523

Contact me securely:


The Information Security Guide – developed by members of the EDUCAUSE & Internet2 Higher Education Information Security Council (HEISC) – is based on the ISO standard, and each chapter focuses on an ISO topic like Risk Management, Security Policy, Organization of Information Security, etc.


Each chapter provides an overview describing the general intent of the ISO topic, as well as a cross-reference to other common standards used in higher education (other relevant ISO standards, NIST, COBIT, and PCI DSS). The Risk Management chapter illustrates this nicely:


Each page of the guide also provides a link to the Symantec IT Controls Reference chart, which provides a comparison of ISO, COBIT, HIPAA, GLBA, and several other standards.


Thank you,



Valerie Vogel

Program Manager

Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200


I think your QSA has no clue what he’s talking about; sorry.


The 12 PCI DSS requirements are not meant to be applied that way and several of them refer specifically to cardholder data.  In addition to that, I just don’t think the detailed requirements are very good.  You should just make sure the PCI requirements are addressed as part of a more comprehensive security program.


Steven Alexander Jr.

Online Education Systems Manager

Merced College


The PCI DSS is a good data security standard for the protection of CHD and using PCI DSS standards in part or in whole to protect other high-value data (SSNs, PHI, etc.) can be useful as well.  However, it is not an actual ISMS like ISO 27001 as it is not based on risk management driven program governance.


Blake Penn


Principal Consultant


+1 (678) 685-1277


DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not necessarily reflect the opinions of Trustwave.


The University of Virginia’s security program is aligned with ISO and incorporates regulatory requirements and best practices from other sources as well. The text below is copied from our formal policy concerning this issue:


“The University’s information technology security program is based upon best practices recommended in the “Code of Practice for Information Security Management” published by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC 27002), appropriately tailored to the specific circumstances of the University. The program also incorporates security requirements of applicable regulations, such as the Family Educational Rights and Privacy Act, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act. Professional organizations, such as the national EDUCAUSE Association and the Virginia Alliance for Secure Computing and Networking, serve as resources for additional effective security practices.”




Shirley C. Payne, CISSP, CRISC

Assistant VP for Information Security, Policy, and Records

University of Virginia

(434) 924-4165