How does the DBA explain NIST standards to a concerned manager?

• A. NIST standards are voluntary recommendations
• B. NIST standards are mandatory regulations
• C. NIST standards do not apply to this company
• D. NIST standards are outdated and irrelevant

Answer: (A)

The correct answer emphasizes that NIST standards are fundamentally voluntary recommendations. This means that while they provide a comprehensive framework and guidelines for best practices regarding information security and risk management, adherence to these standards is not legally required for all organizations. Companies can choose to implement NIST standards based on their specific needs, risk assessments, and compliance requirements.

This approach allows businesses to take advantage of NIST’s extensive resources, encompassing practical advice that can improve their security posture without imposing a rigid regulatory structure. By explaining NIST standards as recommendations, the DBA is then able to convey to the manager that their organization can adopt these practices at their own pace and according to their own particular contexts, thus promoting a better understanding of the flexibility and applicability of these guidelines.