In this podcast, Sean Sweeney, Information Security Officer (ISO) for the University of Pittsburgh (Pitt), discusses Pitt's use of the NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework). The University of Pittsburgh is a large, decentralized institution with a diverse population of networks and information types. The challenge of balancing academic freedom with security and protection of research data is put to the test every day.
The use of the CSF, created by NIST as a common starting point for improving the cybersecurity of critical infrastructure providers, has proven valuable in helping Pitt understand its baseline security posture, prioritize gaps, and set a target profile for improvement. The flexibility of the five NIST CSF categories (Identify, Protect, Detect, Respond, Recover) provides a solid starting point from which to understand the information security practices that are already in place at Pitt and the practices that are needed to improve the overall program. The podcast is based on a presentation available here.
Sean Sweeney joined the University of Pittsburgh in 2012 as Information Security Officer. Sean directs the security team to respond to information security issues and security-related requests from the University community. He manages security controls and solutions, coordinates security issues and responsibilities between the University’s central IT organization (CSSD) and academic centers, and is responsible for maintaining the University’s information security program strategy.
A graduate of George Mason University, Sean has more than 15 years of experience in information security, computer networking, user support and training, application deployment and maintenance, and project management.
Sean has worked as a Director of Technology for a Pittsburgh-based law practice and founded a consulting company specializing in information technology solutions for the legal industry. Prior to his arrival in Pittsburgh, Sean served as Litigation Support Trainer and Application Manager for the U.S. Department of Justice, Environment and Natural Resources Division and Database Administrator for the U.S. Department of Interior, Bureau of Indian Affairs in Washington, D.C.
Lisa Young, senior member of the technical staff with the Software Engineering Institute of Carnegie Mellon University, has 20+ years of experience in the information technology and telecommunications industry. She holds the designations of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP), and is experienced in IT governance, information audit and security, and risk management. Ms. Young teaches the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) risk-based security assessment methodology at the Software Engineering Institute. Her current line of research provides guidelines for improving the way organizations manage the processes of security, IT operations, business continuity, compliance, and audit to support the organization's mission and critical success factors.