Profile

CommunityPlatform_1350x900.jpg

Wendy Epley

Edit My Profile

My Content

1 to 20 of 23 total

Horizon Report Exemplars

Posted By Wendy Epley 07-18-2024 04:28:14 PM
Found In Egroup: Data Governance Community Group \ view thread
EDUCAUSE is still accepting applications for Cybersecurity and Privacy Exemplars for the 2024 Horizon Report | Cybersecurity and Privacy Edition. The Horizon Report features institutions doing great work in six key technology and practice areas: AI governance Supporting agency, trust, transparency, ...

Horizon Report Exemplars

Posted By Wendy Epley 07-18-2024 03:36:00 PM
Found In Egroup: NIST 800-171 Compliance \ view thread
EDUCAUSE is still accepting applications for Cybersecurity and Privacy Exemplars for the 2024 Horizon Report | Cybersecurity and Privacy Edition. The Horizon Report features institutions doing great work in six key technology and practice areas: AI governance Supporting agency, trust, transparency, ...

RE: Understanding NIST 800-53

Posted By Wendy Epley 07-17-2024 07:21:57 AM
Found In Egroup: Cybersecurity \ view thread
Laura beat me to noting the use of the Assessment Guide (800-53A). I would like to point out that NIST is moving to using the Cybersecurity and Privacy Reference Tool (CPRT) as publications are updated. Note that 800-53 is in version 5.1.1, so if you are using the PDF copy of v5 you may not have the ...

Survey and June Meeting Agenda

Posted By Wendy Epley 06-11-2024 01:25:00 PM
Found In Egroup: NIST 800-171 Compliance \ view thread
Hi everyone! I hope you are all doing well and will be able to join us next week for our June meeting on Tuesday, June 18th at 11am Eastern / 8am Pacific. You can download the calendar invite from the Library tab on the community group page. Based on our discussion last month, we have created a ...

RE: Quick Poll: Data Classification

Posted By Wendy Epley 05-30-2024 12:19:00 PM
Found In Egroup: NIST 800-171 Compliance \ view thread
Hi Aaron, It's never too late to ask questions - that's the benefit of this group. For UArizona - we have utilized 800-53, 800-60, FIPS 199, and others as our guide. In following the guidelines, we keep our data classification schema simple with "Public", "Internal", and "Restricted". We do ...

RE: CPPC App

Posted By Wendy Epley 05-01-2024 03:35:00 AM
Found In Egroup: Cybersecurity \ view thread
I don't know about Apple product issues, but I initially had similar problems on Android last week. Those have been resolved. You can select more than one session in same time and lunches/breaks that overlap. If you click on each session you will see presenter and topic details. Hope that helps. Kind ...

RE: If you're coming to Minneapolis next week...

Posted By Wendy Epley 04-26-2024 01:09:00 PM
Found In Egroup: NIST 800-171 Compliance \ view thread
That is my understanding as well, Jay. There will be some tables during lunch service set up for "Birds of a Feather" (BoF) discussions. There will be 10 topics already identified, but others can suggest a new topic when they arrive. This will be a way to keep the conversations moving. Kind regards, ...

EDUCAUSE Comments: NIST SP 800-171, Rev 3

Posted By Wendy Epley 02-21-2024 01:09:51 PM
Found In Library: NIST 800-171 Compliance
The EDUCAUSE Library also now houses the comments that the association submitted to NIST at the end of January regarding the final public draft of NIST SP 800-171, Rev. 3, and the initial public draft of 800-171A, Rev. 3: https://library.educause.edu/resources/2024/2/educause-comments-nist-sp-800- ...

EDUCAUSE Comments: FAR Cyber Incident Reporting

Posted By Wendy Epley 02-21-2024 01:06:38 PM
Found In Library: NIST 800-171 Compliance
The comments that EDUCAUSE and other groups submitted on the proposed FAR cyber incident reporting regulations in February 2024 are available from the EDUCAUSE library at: https://library.educause.edu/resources/2024/2/educause-comments-far-cyber-incident-reporting The Proposed Rule was published ...

RE: Some Reminders

Posted By Wendy Epley 01-05-2024 09:25:00 AM
Found In Egroup: NIST 800-171 Compliance \ view thread
Mitch - Thank you so much for bringing this to our attention. I had not even noticed it was still listed incorrectly on the home page description. We are working with the EDUCAUSE Administrators to get this corrected. My sincere apologies to you and others who were joining the meeting at the old time ...

Some Reminders

Posted By Wendy Epley 12-19-2023 10:46:00 AM
Found In Egroup: NIST 800-171 Compliance \ view thread
As a reminder - since October 2023, our meeting time moved to 11am EST / 8am PST. If you still have the old time on your calendars - please replace it with the new monthly meeting invite which can be downloaded from the "Library" tab in the community space within EDUCAUSE. The next meeting will be held ...

RE: Couple of control best practice questions

Posted By Wendy Epley 12-13-2023 11:34:00 AM
Found In Egroup: NIST 800-171 Compliance \ view thread
Hi Mike, The Organization Defined Parameters (ODP's) cause a lot of heartburn for some. ODPs are part of the tailoring process, so if there is not a predefined value as part of the control or control enhancement, then the organization should define what that parameter should be. How an organization ...

RE: December meeting poll

Posted By Wendy Epley 11-20-2023 07:05:00 PM
Found In Egroup: NIST 800-171 Compliance \ view thread
sorry for the late reply... been on PTO. I can meet in December for the impromptu SSP discussion/working group, but also happy to see folks in 2024. Kind regards, ------------------------------ Wendy Epley Principal Analyst, Information Security The University of Arizona wepley@arizona.edu ...

RE: Quick Poll: Data Classification

Posted By Wendy Epley 11-20-2023 11:56:00 AM
Found In Egroup: NIST 800-171 Compliance \ view thread
Hi Nathan, UArizona follows the guidance in NIST SP 800-53 (RA-02) and NIST SP 800-60 for its data classification/impact schema. We use 3 classifications that applies to all University Information and Resources: Public, Internal, and Restricted. I think the only thing that would cause ...

RE: How do your institutions handle HECVAT's that seem to contradict SOC2 or official contracts?

Posted By Wendy Epley 11-03-2023 11:55:00 AM
Found In Egroup: HECVAT Users \ view thread
Hi Mike, In my humble opinion, the HECVAT should serve as an aid to Vendor Risk Management. It is not a legally binding document. Sometimes the HECVAT is filled out by sales people, other times it's leadership - there really is not any consistency in who within the vendor's organization complete's ...

New Meeting Time/Link

Posted By Wendy Epley 09-20-2023 10:12:00 AM
Found In Egroup: NIST 800-171 Compliance \ view thread
Hi everyone, For those who attended yesterday's meeting and noted the text in the Library resource had the incorrect day for our meetings; that has now been corrected. The HEISC 800-171 Compliance monthly meeting invite and details can be found on the Community's "Library" tab. There is also ...

RE: GRC Tools

Posted By Wendy Epley 09-19-2023 02:00:00 PM
Found In Egroup: NIST 800-171 Compliance \ view thread
Hi Michael, UArizona explored many third-party solutions, including ISORA, but none of them could provide us with the tools we wanted and needed. So we built our own! The tool was developed in 2018 by our then Director of Information Security and Deputy CISO. The tool has been refined and evolved ...

RE: Multifunctuion device support of NIST SP 800-171 and NIST SP 800-172

Posted By Wendy Epley 09-17-2023 02:12:00 PM
Found In Egroup: Cybersecurity \ view thread
Hi Aaron, You need to consider if those printing devices are in-scope assets or not. Look at the CMMC Level 2 Scoping Guide for how to scope your assets in applying NIST SP 800-171. The documentation can be found at - https://dodcio.defense.gov/CMMC/Documentation/ For NIST SP 800-172, these ...

RE: IT Risk Management software

Posted By Wendy Epley 08-23-2023 09:20:00 AM
Found In Egroup: Cybersecurity \ view thread
The University of Arizona explored SaltyCloud's ISORA in 2018... as we started using it we discovered that it really did not fit our needs and we did not renew the contract after 1 year. ------------------------------ Wendy Epley Principal Analyst, Information Security The University of Arizona ...

RE: IT Risk Management software

Posted By Wendy Epley 08-23-2023 09:14:00 AM
Found In Egroup: Cybersecurity \ view thread
Hi Rusty, The University of Arizona moved away from the death-by-spreadsheet approach in 2018 and developed a software program that evolved our risk management program to a federated risk management strategy. By involving the people (IT and non-IT) from across the organization, we are able to gain ...