Profile

CommunityPlatform_1350x900.jpg

Wendy Epley

Edit My Profile

My Content

1 to 18 of 18 total

RE: CPPC App

Posted By Wendy Epley 05-01-2024 03:35:20 AM
Found In Egroup: Cybersecurity \ view thread
I don't know about Apple product issues, but I initially had similar problems on Android last week. Those have been resolved. You can select more than one session in same time and lunches/breaks that overlap. If you click on each session you will see presenter and topic details. Hope that helps. Kind ...

RE: If you're coming to Minneapolis next week...

Posted By Wendy Epley 04-26-2024 01:09:00 PM
Found In Egroup: NIST 800-171 Compliance \ view thread
That is my understanding as well, Jay. There will be some tables during lunch service set up for "Birds of a Feather" (BoF) discussions. There will be 10 topics already identified, but others can suggest a new topic when they arrive. This will be a way to keep the conversations moving. Kind regards, ...

EDUCAUSE Comments: NIST SP 800-171, Rev 3

Posted By Wendy Epley 02-21-2024 01:09:51 PM
Found In Library: HEISC 800-171 Compliance
The EDUCAUSE Library also now houses the comments that the association submitted to NIST at the end of January regarding the final public draft of NIST SP 800-171, Rev. 3, and the initial public draft of 800-171A, Rev. 3: https://library.educause.edu/resources/2024/2/educause-comments-nist-sp-800- ...

EDUCAUSE Comments: FAR Cyber Incident Reporting

Posted By Wendy Epley 02-21-2024 01:06:38 PM
Found In Library: HEISC 800-171 Compliance
The comments that EDUCAUSE and other groups submitted on the proposed FAR cyber incident reporting regulations in February 2024 are available from the EDUCAUSE library at: https://library.educause.edu/resources/2024/2/educause-comments-far-cyber-incident-reporting The Proposed Rule was published ...

RE: Some Reminders

Posted By Wendy Epley 01-05-2024 09:25:00 AM
Found In Egroup: NIST 800-171 Compliance \ view thread
Mitch - Thank you so much for bringing this to our attention. I had not even noticed it was still listed incorrectly on the home page description. We are working with the EDUCAUSE Administrators to get this corrected. My sincere apologies to you and others who were joining the meeting at the old time ...

Some Reminders

Posted By Wendy Epley 12-19-2023 10:46:00 AM
Found In Egroup: NIST 800-171 Compliance \ view thread
As a reminder - since October 2023, our meeting time moved to 11am EST / 8am PST. If you still have the old time on your calendars - please replace it with the new monthly meeting invite which can be downloaded from the "Library" tab in the community space within EDUCAUSE. The next meeting will be held ...

RE: Couple of control best practice questions

Posted By Wendy Epley 12-13-2023 11:34:00 AM
Found In Egroup: NIST 800-171 Compliance \ view thread
Hi Mike, The Organization Defined Parameters (ODP's) cause a lot of heartburn for some. ODPs are part of the tailoring process, so if there is not a predefined value as part of the control or control enhancement, then the organization should define what that parameter should be. How an organization ...

RE: December meeting poll

Posted By Wendy Epley 11-20-2023 07:05:00 PM
Found In Egroup: NIST 800-171 Compliance \ view thread
sorry for the late reply... been on PTO. I can meet in December for the impromptu SSP discussion/working group, but also happy to see folks in 2024. Kind regards, ------------------------------ Wendy Epley Principal Analyst, Information Security The University of Arizona wepley@arizona.edu ...

RE: Quick Poll: Data Classification

Posted By Wendy Epley 11-20-2023 11:56:00 AM
Found In Egroup: NIST 800-171 Compliance \ view thread
Hi Nathan, UArizona follows the guidance in NIST SP 800-53 (RA-02) and NIST SP 800-60 for its data classification/impact schema. We use 3 classifications that applies to all University Information and Resources: Public, Internal, and Restricted. I think the only thing that would cause ...

RE: How do your institutions handle HECVAT's that seem to contradict SOC2 or official contracts?

Posted By Wendy Epley 11-03-2023 11:55:20 AM
Found In Egroup: HECVAT Users \ view thread
Hi Mike, In my humble opinion, the HECVAT should serve as an aid to Vendor Risk Management. It is not a legally binding document. Sometimes the HECVAT is filled out by sales people, other times it's leadership - there really is not any consistency in who within the vendor's organization complete's ...

New Meeting Time/Link

Posted By Wendy Epley 09-20-2023 10:12:00 AM
Found In Egroup: NIST 800-171 Compliance \ view thread
Hi everyone, For those who attended yesterday's meeting and noted the text in the Library resource had the incorrect day for our meetings; that has now been corrected. The HEISC 800-171 Compliance monthly meeting invite and details can be found on the Community's "Library" tab. There is also ...

RE: GRC Tools

Posted By Wendy Epley 09-19-2023 02:00:00 PM
Found In Egroup: NIST 800-171 Compliance \ view thread
Hi Michael, UArizona explored many third-party solutions, including ISORA, but none of them could provide us with the tools we wanted and needed. So we built our own! The tool was developed in 2018 by our then Director of Information Security and Deputy CISO. The tool has been refined and evolved ...

RE: Multifunctuion device support of NIST SP 800-171 and NIST SP 800-172

Posted By Wendy Epley 09-17-2023 02:12:00 PM
Found In Egroup: Cybersecurity \ view thread
Hi Aaron, You need to consider if those printing devices are in-scope assets or not. Look at the CMMC Level 2 Scoping Guide for how to scope your assets in applying NIST SP 800-171. The documentation can be found at - https://dodcio.defense.gov/CMMC/Documentation/ For NIST SP 800-172, these are more ...

RE: IT Risk Management software

Posted By Wendy Epley 08-23-2023 09:19:30 AM
Found In Egroup: Cybersecurity \ view thread
The University of Arizona explored SaltyCloud's ISORA in 2018... as we started using it we discovered that it really did not fit our needs and we did not renew the contract after 1 year. ------------------------------ Wendy Epley Principal Analyst, Information Security The University of Arizona - ...

RE: IT Risk Management software

Posted By Wendy Epley 08-23-2023 09:13:49 AM
Found In Egroup: Cybersecurity \ view thread
Hi Rusty, The University of Arizona moved away from the death-by-spreadsheet approach in 2018 and developed a software program that evolved our risk management program to a federated risk management strategy. By involving the people (IT and non-IT) from across the organization, we are able to gain ...

RE: Assuming risk form when no HECVAT/Soc2 available?

Posted By Wendy Epley 07-20-2023 10:03:23 AM
Found In Egroup: HECVAT Users \ view thread
At UArizona, using the HECVAT or reviewing a SOC2 Type II is not a requirement, but are encouraged to assess a vendor's security posture through the vendor management lifecycle. Units cannot accept a contract that allows for falling out of compliance with University policy. Where the vendor lacks sufficient ...

UArizona & SibylSoft Story slides

Posted By Wendy Epley 07-18-2023 10:00:00 AM
Found In Egroup: NIST 800-171 Compliance \ view thread
Thank you to all who could attend today's meeting and hear the story of UASecure at the University of Arizona and how Sibylity transformed how the University manages information security and risk. As you may be aware, HEISC meetings are not recorded, so there is no video of the presentation but attached ...

UArizona & SibylSoft Story slides

Posted By Wendy Epley 07-18-2023 09:59:47 AM
Found In Library: HEISC 800-171 Compliance