2 Responses

Actual work where two students have given their posts on this:

Work #1:

Explain in 500 words or more what NIST is and how it should be used by a DBA.

Use at least three sources. Use the Research Databases available from the Danforth Library, not Google. Include at least 3 quotes from your sources enclosed in quotation marks and cited in-line by reference to your reference list. Example: “words you copied” (citation). These quotes should be one full sentence, not altered or paraphrased. Cite your sources using APA format. Use the quotes in your paragraphs.

Write in essay format not in bulleted, numbered or other list format.

Reply to two classmates’ postings in a paragraph of at least five sentences by asking questions, reflecting on your own experience, challenging assumptions, pointing out something new you learned, or offering suggestions. These peer responses are not ‘attaboys’. Make your initial post by Thursday 11:59 pm EST. Respond to two of your classmates by Sunday 11:59 pm EST.

It is important that you use your own words, that you cite your sources, that you comply with the instructions regarding the length of your post, and that you reply to two classmates in a substantive way (not ‘nice post’ or the like). Do not use spinbot or other word replacement software. Proofread your work or have it edited. Find something interesting and/or relevant to your work to write about. Please do not submit attachments unless requested.

Please find the attachment.

Varun Work:

Many of the country’s most creative organizations depend on the NIST for technical development and protection. As a result, many high-tech companies have made compliance with NIST standards and guidelines a top priority. The NIST is a non-regulatory government agency that develops technology, measurements, and standards to help U.S.-based science and technology companies innovate and compete more effectively. NIST contributes to this initiative by developing principles and recommendations to assist government agencies in meeting the Federal Information Security Management Act’s specifications (FISMA). NIST also offers cost-effective services to help certain agencies secure their information and information systems.
NIST, in particular, creates Federal Information Processing Standards (FIPS) that are compliant with FISMA. The Secretary of Commerce approves FIPS, and government agencies must follow them – they cannot opt out of using the requirements. Along with its Special Publications (SP) 800-series, NIST also publishes guidance documents and recommendations. If they are national security programs and services, the Office of Management and Budget (OMB) regulations require agencies to follow NIST guidelines. “In the paper, titled ‘Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF),’ NIST provided organizations with solid guidelines to avoid the nasty, not to mention expensive consequences of a data breach” (Danhieux, 2019).
NIST guidance, in general, establishes a collection of guidelines for recommended security controls for federal information systems. The NIST Cybersecurity Framework is an example of a commonly accepted NIST standard. The government approves these guidelines, and businesses follow them because they cover security best practices controls across various industries. The NIST guidelines are based on best practices from multiple security manuals, associations, and journals and are intended to serve as a guideline for federal agencies and programs that need rigorous security. “In many cases, complying with NIST guidelines and recommendations will help federal agencies ensure compliance with other regulations, such as HIPAA, FISMA, or SOX” (Lord, 2020).
Frequently, NIST guidelines are created to assist agencies in meeting particular regulatory enforcement criteria. NIST, for example, has outlined nine steps for complying with FISMA. Sort the data and information you want to keep safe into categories. Establish a benchmark for the minimum controls needed to safeguard the data. To fine-tune the baseline controls, conduct risk assessments. In a written protection plan, document the baseline controls. Implement protection controls in your data structures. Once security measures have been introduced, keep an eye on them to see how effective they are. Determine the level of risk at the agency level based on the evaluation of security controls. Authorize the collection of information by the information system. Track the security controls regularly.
The first advantage of NIST enforcement is that it aids in the protection of an organization’s infrastructure. NIST also sets out the groundwork for businesses to pursue in order to comply with relevant legislation like HIPAA or FISMA. It’s important to remember, though, that complying with NIST does not guarantee that your data is stable. That’s why NIST advises businesses to inventory their cyber assets using a value-based approach, so they can identify their most sensitive data and focus their security efforts on it. “The NIST summed up the dilemma quite nicely. It said that in a data-driven society there is a fine between building innovative products and services that use personal data and still protecting people’s privacy” (Roe, 2020).
References

Danhieux, P. (2019, October 31). The New NIST Guidelines for Avoiding a Data Breach: Why customized training is essential to create secure software. Database Trends and Applications. https://www.dbta.com/Editorial/Trends-and-Applications/The-New-NIST-Guidelines-for-Avoiding-a-Data-Breach-Why-customized-training-is-essential-to-create-secure-software-134783.aspx

Lord, N. (2020, December 1). What is NIST Compliance? Digital Guardian. https://digitalguardian.com/blog/what-nist-compliance

Roe, D. (2020, January 27). How The NIST Privacy Framework Will Help Manage Data Safely. CMSWire.Com. https://www.cmswire.com/information-management/how-the-nist-privacy-framework-will-help-manage-data-safely/
Preethi Work:

What is NIST and how does a DBA use it?

According to Sedgewick (2014), “The National Institute of Standards and frameworks (NIST) was published with the aim of ‘improving Critical Infrastructure Cybersecurity,’ a presidential executive order that called for a standardized security framework for critical infrastructure in the United States”. NIST is the best guideline that can help an organization transform its cybersecurity and risk management from a reactive approach to a proactive one. However, it can be a complicated framework for database managers to actually implement and use in their organization. This NIST framework helps companies get an understanding of the threats, vulnerabilities, and risks of their cybersecurity framework so that they can reduce any potential risks and develop ways of proactively managing any cybersecurity incidents. It is also important to note that the NIST framework helps organizations respond to and recover from cybersecurity incidents, where they are required to make an analysis of the root cause of the problem and develop ways of ensuring that such a problem does not befall them again in the future.
How the Database Administrators comply with the NIST framework

In order to effectively implement the NIST cybersecurity framework, the DBAs need to adhere to three main tenets of the framework, and they are: the implementation framework core, implementation tiers, and profiles. Starting with profiles, Barrett (2018) asserts, “Profiles under the NIST Cybersecurity Framework relate to both the current status of your organization’s cybersecurity measures and the roadmaps you have towards being NIST Cybersecurity Framework compliant.” The profile is basically a cyber risk assessment where the DBAs steer the organization to have a baseline of cybersecurity management and integrate those baselines into the NIST cybersecurity framework profile.
The next issue for DBAs is implementing the Tiers. The database administrators have four tiers to adopt, and they include the partial, risk-informed, repeatable, and adoptable tiers. The partial tier means that the database administrators only embrace reactive measures to cybersecurity, and they are limited in their threat and risk management. Tier two means that the DBAs are informed and have made cybersecurity policies complying with NIST an organizational policy, although they base their management on the risks as they happen. Tier 3 is repeatable, where the DBAs form a risk management process that is followed by a defined security policy. Tier 4 is the best that the DBAs can ever implement. At this stage, the DBAs have a comprehensive cybersecurity policy and framework that is proactive in nature and is based on the lessons learned from past cybersecurity incidents.
The core functions are the functions that the NIST cybersecurity framework outlines and that need to be followed by organizations to safeguard their cybersecurity space. The database managers have to start with identifying the loopholes that might cause cybersecurity incidents in the company. This can be done by external auditing and monitoring of their database and systems. The next step is to detect these cybersecurity incidents. According to Shen (2014), “the third core framework involves dbas protecting the systems and networks. They can do this by implementing software updates, install antivirus and antimalware programs and have policies of access control in place to ensure that no violations of cybersecurity frameworks are committed.” The DBAs also have to ensure that the 4th core function, responding to cybersecurity incidents, is implemented. In this case, they have to put policies in place to make sure that they reduce the severity of an incident by either cutting off the affected network areas or having their response team stop the incident before it spreads further. The last core function is recovery, where the DBAs have to make sure they have a comprehensive plan for recovering from an incident, either by having offline data storage or third-party storage that can return them to normal functioning while they continue dealing with the incident in real time.
References
Barrett, M. P. (2018). Framework for improving critical infrastructure cybersecurity. National Institute of Standards and Technology, Gaithersburg, MD, USA, Tech. Rep.

Sedgewick, A. (2014). Framework for improving critical infrastructure cybersecurity, version 1.0.

Shen, L. (2014). The NIST cybersecurity framework: Overview and potential impacts. SciTech Lawyer, 10(4), 16.