ISC S1

35 Terms

1

The NIST Cybersecurity Framework (CSF 2.0) Core is organized into six Functions. What are the six Functions?

  1. Govern

  2. Identify

  3. Protect

  4. Detect

  5. Respond

  6. Recover

2

State the four NIST CSF Tiers, which characterize the rigor of an organization's cybersecurity risk governance and cybersecurity risk management practices.

Tier 1: Partial

Tier 2: Risk-Informed

Tier 3: Repeatable

Tier 4: Adaptive

3

Identify the five Functions of the NIST Privacy Framework Core.

  1. Identify-P

  2. Govern-P

  3. Control-P

  4. Communicate-P

  5. Protect-P

4

What are the three control implementation approaches (defined in NIST SP 800-53) that an organization selects on a per-control basis?

  1. Common (inheritable): the control is implemented once at the organizational level and inherited by the information systems that rely on it

  2. System-specific: the control is implemented within an individual information system

  3. Hybrid: part of the control is implemented at the organizational level and the remainder at the information system level

5

What are the two general categories of data breaches?

Unintentional data breach: a breach resulting from negligence or error (for example, misconfiguration or misdirected data)

Intentional data breach: a breach resulting from bad actors deliberately and unlawfully gaining access to data

6

What are the three categories of safeguards required of covered entities and business associates under the HIPAA Security Rule?

Administrative safeguards, physical safeguards, and technical safeguards

7

What are the principles that must be followed when processing personal data in compliance with GDPR (Article 5)?

Lawfulness, fairness, and transparency

Purpose limitation

Data minimization

Accuracy

Storage limitation

Integrity and confidentiality

Accountability (Article 5(2): the controller must be able to demonstrate compliance with the principles above)

8

What are the six goals of the PCI DSS (v4.0)?

  1. Build and maintain a secure network and systems

  2. Protect account data

  3. Maintain a vulnerability management program

  4. Implement strong access control measures

  5. Regularly monitor and test networks

  6. Maintain an information security policy

9

Describe the intent of CIS Control 01: Inventory and Control of Enterprise Assets.

Actively manage all enterprise assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise.

10

Describe the intent of Control 02: Inventory and Control of Software Assets.

Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

11

Describe the intent of Control 03: Data Protection.

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

12

Describe the intent of Control 04: Secure Configuration of Enterprise Assets and Software.

Establish and maintain the secure configuration of enterprise assets and software.

13

Describe the intent of Control 05: Account Management.

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts as well as service accounts, to enterprise assets and software.

14

Describe the intent of Control 06: Access Control Management.

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

15

Describe the intent of Control 07: Continuous Vulnerability Management.

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

16

Describe the intent of Control 08: Audit Log Management.

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

17

Describe the intent of Control 09: Email and Web Browser Protections.

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

18

Explain the design principles behind the CIS Controls v8.1 update.

Context: Enhancement of the scope and practical applicability of the Safeguards through the incorporation of examples and explanations.

Coexistence: Alignment with evolving industry standards and frameworks, including the NIST CSF 2.0.

Consistency: Disruption to Controls users is minimized, with no change to the Implementation Groups.

19

Describe the intent of Control 10: Malware Defenses.

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

20

Describe the intent of Control 11: Data Recovery.

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

21

Describe the intent of Control 12: Network Infrastructure Management.

Establish, implement, and actively manage network devices in order to prevent attackers from exploiting vulnerable network services and access points.

22

Describe the intent of Control 13: Network Monitoring and Defense.

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.

23

Describe the intent of Control 14: Security Awareness and Skills Training.

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

24

Describe the intent of Control 15: Service Provider Management.

Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

25

Describe the intent of Control 16: Application Software Security.

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

26

Describe the intent of Control 17: Incident Response Management.

Establish a program to develop and maintain an incident response capability to prepare for, detect, and quickly respond to an attack.

27

Describe the intent of Control 18: Penetration Testing.

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

28

Describe the purpose of ISACA's COBIT framework.

The COBIT framework provides a roadmap that organizations can use to implement best practices for the governance and management of enterprise information and technology (I&T).

29

What five sources formed the foundation on which COBIT 2019 was developed?

COBIT 5

Six principles for a governance system

Three principles for a governance framework

Other standards and regulations

Community contribution

30

What are the six governance system principles under COBIT 2019?

Provide Stakeholder Value

Holistic Approach

Dynamic Governance System

Governance Distinct From Management

Tailored to Enterprise Needs

End-to-End Governance System

31

Describe the three governance framework principles on which the COBIT 2019 core model is built.

Based on a Conceptual Model: A governance framework should identify its key components as well as the relationships between those components, so that it can be automated and customized.

Open and Flexible: A governance framework should be able to change, adding relevant new content and removing irrelevant content, while maintaining consistency and integrity.

Aligned to Major Standards: A governance framework should align with relevant major standards, frameworks, and regulations.

32

What are the seven components of a governance system used to satisfy governance and management objectives under the COBIT 2019 core model?

Processes

Organizational Structures

Principles, Policies, Frameworks

Information

Culture, Ethics, and Behavior

People, Skills, and Competencies

Services, Infrastructure, and Applications

33

What are the 11 design factors that should be considered when tailoring a governance system under COBIT 2019?

Enterprise Strategy

Enterprise Goals

Risk Profile

Information and Technology Issues

Threat Landscape

Compliance Requirements

Role of IT

Sourcing Model for IT

IT Implementation Methods

Technology Adoption Strategy

Enterprise Size

34

List the governance objectives and management objectives (grouped into domains) according to the COBIT 2019 core model.

Governance Objectives: Evaluate, Direct, and Monitor (EDM)

Management Objectives:

Align, Plan, and Organize (APO)

Build, Acquire, and Implement (BAI)

Deliver, Service, and Support (DSS)

Monitor, Evaluate, and Assess (MEA)

35

What are the key differences between management and governance under the COBIT framework?

Management (typically the executive officers under the CEO) plans, builds, runs, and monitors the day-to-day activities of the enterprise, in alignment with the direction set by the governance body.

Governance (typically the board of directors) evaluates stakeholder needs and strategic objectives, directs management to achieve those objectives by setting priorities and making decisions, and monitors whether the objectives are being met.