Michele Chubirka


Upcoming Events

Where the Cloud Touches Down: Simplifying Data Center Infrastructure Management

Thursday, July 25, 2013
10:00 AM PT/1:00 PM ET

In most data centers, DCIM rests on a shaky foundation of manual record keeping and scattered documentation. OpManager replaces data center documentation with a single repository for data, QRCodes for asset tracking, accurate 3D mapping of asset locations, and a configuration management database (CMDB). In this webcast, sponsored by ManageEngine, you will see how a real-world datacenter mapping stored in racktables gets imported into OpManager, which then provides a 3D visualization of where assets actually are. You'll also see how the QR Code generator helps you make the link between real assets and the monitoring world, and how the layered CMDB provides a single point of view for all your configuration data.

Register Now!

A Network Computing Webinar:
SDN First Steps

Thursday, August 8, 2013
11:00 AM PT / 2:00 PM ET

This webinar will help attendees understand the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging. It will also help users decide whether SDN makes sense in their environment, and outline the first steps IT can take for testing SDN technologies.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

See more from this blogger

Do NIST Information Security Standards Matter?

The National Institute of Standards and Technology (NIST) recently released its Preliminary Cybersecurity Framework with little fanfare. The initiative is a response to President Obama's cybersecurity executive order, which was issued in February due to increased fears of attacks against components of the critical infrastructure: power, transportation and telecommunications. While there are still questions regarding how much of the framework will be mandatory for private industry and exactly what will be classified as “critical infrastructure,” the larger question is how much this or other NIST standards really impact information security outside of the U.S. federal government and the CISSP test?

It’s common to hear someone in governance, risk and compliance (GRC) bring up a NIST standard when discussing the implementation of a security control. Often, it’s quoted like Holy Scripture in hushed tones, “In accordance with NIST SP800-yadda-yadda....” However, in the information security landscape, NIST is only one in a veritable sea of global standards bodies proposing guidelines and frameworks. Along with PCI-DSS, SOX, HIPAA, and international laws that mandate specific cybersecurity requirements, standards from NIST, ISO/IEC (the 27000 series), CobiT, and COSO can feel overwhelming to those unfamiliar with this esoteric part of infosec.

So what is NIST and why should we care? Originally created in 1901 because U.S. industrial infrastructure seemed to be lagging behind the rest of the world, its stated mission is to: "Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life."

Basically, NIST is where the best practice unicorns go to graze. NIST IT standards documents cover everything from managing the security of mobile devices to improving the usability of electronic health records. NIST reports and standards represent research from some of the best super nerds our tax dollars can fund. And even though you may not realize it, NIST output has helped to establish the foundation for many of the principles we use in today’s enterprise security programs.

Consider Special Publication 800-92, Guide to Computer Security Log Management from 2006:

Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.

Not only does this document outline the basic concepts of good log correlation, it reads like a log management 101 class. You could use it to create a policy, then hand it to an infrastructure team and say, “Use this as your guide.”

[Why do we keep buying traditional security products that aren't doing much to help us manage risk? Read Michele Chubirka's analysis in "Security Snake Oil For Sale."]

Then there’s Special Publication 800-61, Computer Security Incident Handling Guide Revision 2 from 2012. If your organization doesn’t have a detailed incident response plan, you could use this document as a how-to guide for its creation. It even tells you how to build an incident response team and how to deal with media and law enforcement. This document could save your organization the money you would have spent paying a consultant to come in and write up the plan for you. Could it get any better?

And you know that inevitable pushback you get from senior management when you try to implement policies and procedures? Think of the credibility you have when referencing a document from NIST.

NIST standards and frameworks should -- and do -- have influence on information security practices outside of the federal realm. This work represents the efforts of many researchers to standardize an effective security methodology and informs many of the established policies and procedures in organizations. Although not mandatory, it pervades industry best practices and establishes the principles for proper information security practices.

The proposed cybersecurity framework is a method for managing organizational risk and a solid foundation for programmatically implementing many of those existing NIST standards. It’s like we’ve been given a gift by the federal government. Ignore it at your peril.


Related Reading


More Insights


Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 
Vendor Comparisons
Network Computing’s Vendor Comparisons provide extensive details on products and services, including downloadable feature matrices. Our categories include:

Research and Reports

Network Computing: April 2013



TechWeb Careers