Question

Auditors love to see the NIST CSF in use as a framework because it simplifies their work. NIST provides a mapping of CSF controls to other "authoritative sources" such as COBIT, the ISO/IEC 27000-series of standards, PCI-DSS, and most others. By implementing the controls in the CSF, compliance with these other regulations and standards is simplified and demonstrable. This is what auditors like the best!

• How does the Family Educational Rights and Privacy Act (FERPA) play into this mapping to the CSF?
• How can the CSF support the information security requirements outlined in FERPA? Which security controls seem the most relevant to assure the needed protections? Include controls from any of the CSF categories and explain why you chose those controls.