What are the six functions of the CSF Core?
Govern
Identify
Protect
Detect
Respond
Recover
What are the six categories relating to the CSF Core principle of Govern?
Organizational Context
Risk Management Strategy
Roles, Responsibilities, and Authorities
Policy
Oversight
Cybersecurity Supply Chain Risk Management
What are the three categories relating to the CSF Core principle of Identify?
Asset Management
Risk Assessment
Improvement
What are the five categories relating to the CSF Core principle of Protect?
Identity Management, Authentication, and Access Control
Awareness and Training
Data Security
Platform Security
Technology Infrastructure Resilience
What are the two categories relating to the CSF Core principle of Detect?
Continuous Monitoring
Adverse Event Analysis
What are the four categories relating to the CSF Core principle of Respond?
Incident Management
Incident Analysis
Incident Response Reporting and Communication
Incident Mitigation
What are the two categories relating to the CSF Core principle of Recover?
Incident Recovery Plan Execution
Incident Recovery Communication
What are the four CSF Tiers?
Partial
Risk Informed
Repeatable
Adaptive
What is the Cybersecurity Risk Governance for Tier 1 (Partial)
Risk management is ad hoc and reactive; prioritization of information security efforts is not formally based on organizational objectives or the threat environment
What is the Cybersecurity Risk Governance for Tier 2 (Risk Informed)
Cybersecurity prioritization is based on organizational risk, and management approves cybersecurity efforts; however, cybersecurity policies may be isolated and not be established as organizational-wide policies
What is the Cybersecurity Risk Governance for Tier 3 (Repeatable)
The organization's risk management practices are formally approved and expressed as documented policy, and cybersecurity is considered in organizational planning. Cybersecurity practices are regularly updated in response to changes in business requirements, threats, and the technology landscape
What is the Cybersecurity Risk Governance for Tier 4 (Adaptive)
A risk-informed, organization-wide approach to managing cybersecurity risk. Senior executives monitor cybersecurity risk in the same context as financial and other organizational risks, and cybersecurity risk management is part of the organizational culture
What are the five functions of the Privacy Framework Core, and which three Cybersecurity Framework functions are used alongside them for cybersecurity-related privacy events?
Identify
Govern
Control
Communicate
Protect
Detect
Respond
Recover
What are the four categories associated with the Identify function of the Privacy Framework Core?
Inventory and Mapping
Business Environment
Risk Assessment
Data Processing Ecosystem Risk Management
What are the four categories associated with the Govern function of the Privacy Framework Core?
Governance Policies, Processes, and Procedures
Risk Management Strategy
Awareness and Training
Monitoring and Review
What are the three categories associated with the Control function of the Privacy Framework Core?
Data Processing Policies, Processes, and Procedures
Data Processing Management
Disassociated Processing
What are the two categories associated with the Communicate function of the Privacy Framework Core?
Communication Policies, Processes, and Procedures
Data Processing Awareness
What are the five categories associated with the Protect function of the Privacy Framework Core?
Data Protection Policies, Processes, and Procedures
Identity Management, Authentication, and Access Control
Data Security
Maintenance
Protective Technology
What are the three categories associated with the Detect function of the Privacy Framework Core?
Anomalies and Events
Security Continuous Monitoring
Detection Processes
What are the five categories associated with the Respond function of the Privacy Framework Core?
Response Planning
Communications
Analysis
Mitigation
Improvements
What are the three categories associated with the Recover function of the Privacy Framework Core?
Recovery Planning
Improvements
Communications
What three types of safeguards does the HIPAA Security Rule require?
Administrative
Physical
Technical
What are the six principles of GDPR that must be followed when processing data?
Lawfulness, Fairness, and Transparency
Purpose Limitation
Data Minimization
Accuracy
Storage Limitation
Integrity and Confidentiality
What question does the Identify function of the NIST Privacy Framework help answer?
What are the company’s privacy risks related to data processing activities?
What question does the Govern function of the NIST Privacy Framework help answer?
What is the best governance structure for privacy risks related to data processing activities?
What question does the Control function of the NIST Privacy Framework help answer?
What is the best management structure for privacy risks related to data processing activities?
What question does the Communicate function of the NIST Privacy Framework help answer?
How should the organization drive dialogue around privacy risks related to data processing activities?
What question does the Protect function of the NIST Privacy Framework help answer?
What are the safeguards that should be in place around privacy risks related to data processing activities?
What question does the Detect function of the NIST Privacy Framework help answer?
How should the organization detect data privacy risks and events?
What question does the Respond function of the NIST Privacy Framework help answer?
How should the organization respond to data privacy events?
What question does the Recover function of the NIST Privacy Framework help answer?
How should the company continue business after data privacy events?
What question does the Access Control control family (NIST SP 800-53) seek to answer?
How does the organization manage application and resource access?
What question does the Awareness and Training control family seek to answer?
How should the company deliver training on information security risk?
What question does the Audit and Accountability control family seek to answer?
How does the organization generate, protect, retain, and review audit records so that actions can be traced to accountable users?
What question does the Assessment, Authorization, and Monitoring control family seek to answer?
How does the organization assess its security controls, authorize systems to operate, and continuously monitor them?
What question does the Configuration Management control family seek to answer?
How are assets and software configured securely?
What question does the Contingency Planning control family seek to answer?
How is the company prepared for downtime and outages?
What question does the Identification and Authentication control family seek to answer?
How is identification and authentication managed?
What question does the Incident Response control family seek to answer?
How is the organization prepared for information security incidents and events?
What question does the Maintenance control family seek to answer?
How does the company ensure secure maintenance of infrastructure?
What question does the Media Protection control family seek to answer?
How is information on physical media protected?
What question does the Physical and Environmental Protection control family seek to answer?
How are facilities secured from intrusion or harm?
What question does the Planning control family seek to answer?
How does the organization manage information security planning?
What question does the Program Management control family seek to answer?
How does the organization securely manage its information security program?
What question does the Personnel Security control family seek to answer?
How are employees evaluated for potential compromise?
What question does the PII Processing and Transparency control family seek to answer?
How is PII managed?
What question does the Risk Assessment control family seek to answer?
How is risk to the organization's systems, operations, and assets identified and evaluated?
What question does the System and Services Acquisition control family seek to answer?
How are systems securely evaluated and acquired?
What question does the System and Communications Protection control family seek to answer?
How are systems and their communications protected, including boundary protection and cryptographic protection of data in transit?
What question does the System and Information Integrity control family seek to answer?
How is the integrity of data in company systems maintained and evaluated?
What question does the Supply Chain Risk Management control family seek to answer?
How does the company secure its supply chain?
What are the four cost categories of data breaches?
Detection and Escalation
Notification
Post-breach Response
Loss of Business and Revenue
What is the “Right to Rectification”?
A right under the Accuracy principle of the GDPR, it gives data subjects the right to have inaccurate data corrected and incomplete data completed
What are the six goals of the PCI DSS?
Build and Maintain a Secure Network and Systems
Protect Account Data
Maintain a Vulnerability Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
How many CIS controls are there?
18
What are the three design principles each CIS control was designed with?
Context, Coexistence, Consistency
What is Control 01?
Inventory and Control of Enterprise Assets
What is Control 02?
Inventory and Control of Software Assets
What is Control 03?
Data Protection
What is Control 04?
Secure Configuration of Enterprise Assets and Software
What is Control 05?
Account Management
What is Control 06?
Access Control Management
What is Control 07?
Continuous Vulnerability Management
What is Control 08?
Audit Log Management
What is Control 09?
Email and Web Browser Protections
What is Control 10?
Malware Defenses
What is Control 11?
Data Recovery
What is Control 12?
Network Infrastructure Management
What is Control 13?
Network Monitoring and Defense
What is Control 14?
Security Awareness and Skills Training
What is Control 15?
Service Provider Management
What is Control 16?
Application Software Security
What is Control 17?
Incident Response Management
What is Control 18?
Penetration Testing
What is the goal of Control 01?
Actively track and manage all IT assets connected to a company’s IT infrastructure physically or virtually within a cloud environment, allowing companies to know the totality of IT assets that should be monitored
What is a good control example for Control 01?
Inventory Listing
For Control 01, what should companies focus on?
the potential for external devices to connect to a company’s network through means such as guest networks, even if they are segregated from the core network
What is a challenge organizations face with respect to Control 01?
Portable End-User Devices that periodically connect to a company’s network and then disappear, making it hard for organizations to have a holistic view of its inventory when devices are off, paused, or otherwise disconnected from the corporate network
What are the five safeguard recommendations for Control 01?
Establish and Maintain Detailed Asset Inventory
Address Unauthorized Assets
Utilize Active Discovery Tool
Use DHCP Logging to Update Company Inventory
Use a Passive Asset Discovery Tool
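The two DHCP-related safeguards above (address unauthorized assets, use DHCP logging to update the inventory) and the portable-device challenge come together in a reconciliation job. The script below is an added example, not code from CIS or from the original page: it parses constructed dhcpd-style syslog lines, refreshes last-seen times for inventoried MACs, flags leases granted to unknown MACs, and lists inventoried assets that have not been seen for a while (the laptop that left the building). The log format, inventory fields, and the 30-day staleness window are assumptions.

```python
"""Reconcile DHCP lease records against an enterprise asset inventory.

Added example (not from CIS or the original page). Demonstrates CIS Control 01
safeguards 1.2 (address unauthorized assets) and 1.4 (use DHCP logging to
update the inventory). Log format and inventory fields are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: approved assets keyed by MAC, with last-seen timestamp.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"hostname": "fin-laptop-07", "owner": "finance", "last_seen": "2024-03-01T08:00:00"},
    "aa:bb:cc:00:00:02": {"hostname": "hr-desktop-03", "owner": "hr", "last_seen": "2024-01-10T09:30:00"},
    "aa:bb:cc:00:00:03": {"hostname": "eng-vm-12", "owner": "engineering", "last_seen": "2024-03-01T10:00:00"},
}

# Constructed dhcpd-style syslog lines; DHCPACK means a lease was granted.
DHCP_LOG = """\
Mar  2 08:01:12 dhcp1 dhcpd[1234]: DHCPACK on 10.0.20.15 to aa:bb:cc:00:00:01 (fin-laptop-07) via eth0
Mar  2 08:05:44 dhcp1 dhcpd[1234]: DHCPDISCOVER from de:ad:be:ef:00:99 via eth0
Mar  2 08:05:45 dhcp1 dhcpd[1234]: DHCPACK on 10.0.20.77 to de:ad:be:ef:00:99 (android-8f2c) via eth0
Mar  2 09:12:03 dhcp1 dhcpd[1234]: DHCPACK on 10.0.30.5 to aa:bb:cc:00:00:03 (eng-vm-12) via eth1
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


def parse_acks(log_text, year):
    """Yield one dict per DHCPACK line; other DHCP message types are ignored.
    Syslog timestamps carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield {"ts": ts, "ip": m["ip"], "mac": m["mac"].lower(),
               "host": m["host"] or "", "iface": m["iface"]}


def reconcile(log_text, inventory, now, stale_after=timedelta(days=30)):
    """Return (unauthorized, updated_inventory, stale).

    unauthorized: leases granted to MACs absent from the inventory (1.2).
    updated_inventory: copy of the inventory with last_seen/last_ip refreshed (1.4).
    stale: inventoried MACs not seen within stale_after, e.g. portable devices
           that left the network and should be verified rather than assumed safe.
    """
    updated = {mac: dict(rec) for mac, rec in inventory.items()}
    unauthorized = []
    for ack in parse_acks(log_text, year=now.year):
        rec = updated.get(ack["mac"])
        if rec is None:
            unauthorized.append(ack)
            continue
        if ack["ts"] > datetime.fromisoformat(rec["last_seen"]):
            rec["last_seen"] = ack["ts"].isoformat()
            rec["last_ip"] = ack["ip"]
    stale = [mac for mac, rec in updated.items()
             if now - datetime.fromisoformat(rec["last_seen"]) > stale_after]
    return unauthorized, updated, stale


def demo(now_iso="2024-03-02T12:00:00"):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(DHCP_LOG, INVENTORY, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    unauth, inv, stale = demo()
    for a in unauth:
        print(f"UNAUTHORIZED {a['mac']} ({a['host'] or 'no hostname'}) got {a['ip']} on {a['iface']} at {a['ts']}")
    for mac in stale:
        print(f"STALE {mac} ({inv[mac]['hostname']}) last seen {inv[mac]['last_seen']}")
```

The stale list is the answer to the portable-device problem: an asset that is in the inventory but has not requested a lease recently is neither confirmed present nor confirmed gone, so it is queued for follow-up instead of silently dropping out of scope.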
What is the goal of Control 02?
to provide recommendations for organizations to track and manage all software applications so that only authorized software is installed on company devices and provide guidance on finding unmanaged and unauthorized software already installed so that it can be removed and remediated
What control example should be in place for Control 02?
Allowlisting
What is a popular method of managing software applications (Control 02)?
Using tools that provide an inventory check against commonly used applications in other companies
What are the seven safeguard recommendations for Control 02?
Establish and Maintain a Software Inventory
Ensure Authorized Software is Currently Supported
Address Unauthorized Software
Utilize Automated Software Inventory Tools
Allowlist Authorized Software
Allowlist Authorized Libraries
Allowlist Authorized Scripts
What is the goal of Control 03?
to help organizations develop ways to securely manage the entire life cycle of their data, from the initial identification and classification of data through to its disposal
What can be strategically used in Control 03 to further secure data at rest and in transit so that data compromise is avoided?
Encryption
What are the 14 safeguard recommendations for Control 03?
Establish and Maintain a Data Management Process
Establish and Maintain a Data Inventory
Configure Data Access Control Lists
Enforce Data Retention
Securely Dispose of Data
Encrypt Data on End-User Devices
Establish and Maintain a Data Classification Scheme
Document Data Flows
Encrypt Data on Removable Media
Encrypt Sensitive Data in Transit
Encrypt Sensitive Data at Rest
Segment Data Processing and Storage based on Sensitivity
Deploy a Data Loss Prevention Solution
Log Sensitive Data Access
What is the goal of Control 04?
To help organizations establish and maintain secure baseline configurations for their enterprise assets
What is a weakness in default configurations?
Default configurations often lack specific security settings, making systems vulnerable to exploitation
What are the two publicly available security standards that can be used by organizations as a starting point for asset reconfiguration?
CIS Benchmarks Program and NIST National Checklist Program Repository
What is Security Hardening?
The process of reducing a system's attack surface by removing unnecessary services, accounts, and features and applying secure configuration settings, so that the organization is less vulnerable to attack
What should happen once target configuration levels have been implemented?
They should be continuously monitored for deviations and necessary updates
What are the 12 safeguard recommendations for Control 04?
Establish and Maintain a Secure Configuration Process
Establish and Maintain a Secure Configuration Process for Network Infrastructure
Configure Automatic Session Locking on Enterprise Assets
Implement and Manage a Firewall on Servers
Implement and Manage a Firewall on End-User Devices
Securely Manage Enterprise Assets and Software
Manage Default Accounts on Enterprise Assets and Software
Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Configure Trusted DNS Servers on Enterprise Assets
Enforce Automatic Device Lockout on Portable End-User Devices
Enforce Remote Wipe Capabilities on Portable End-User Devices
Separate Enterprise Workspaces on Mobile End-User Devices
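"Continuously monitored for deviations" is a drift check: parse the live configuration, compute the effective value of each setting, and compare it with the baseline. The block below is an added example, not code from CIS, NIST, or the original page. It uses a constructed sshd_config and an assumed baseline (the values are illustrative, not quoted from any CIS Benchmark); the point it makes that a naive grep misses is that sshd honours the first occurrence of a keyword, ignores anything after a Match block for global settings, and applies a default when a keyword is absent, so a commented-out line still has an effective value.

```python
"""Detect drift from a secure configuration baseline (CIS Control 04).

Added example, not from CIS or the page. The baseline values are assumptions
chosen for illustration; consult the CIS Benchmark for your platform.
"""

# Assumed baseline: sshd_config keyword -> required value. sshd keywords are
# case-insensitive, so both sides are compared lower-cased.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "loglevel": "verbose",
    "permitemptypasswords": "no",
}

# OpenSSH defaults applied when a keyword is absent, so a missing line is
# judged by its effective value rather than merely reported as missing.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "info",
    "permitemptypasswords": "no",
}

# Constructed sample with deliberate drift: root login enabled by the first
# (winning) line, password auth only commented out, and a Match block at the end.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd uses the first occurrence of a keyword; everything after the first
    'Match' line is conditional, so parsing of global settings stops there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)   # first occurrence wins
    return effective


def check_drift(text, baseline=BASELINE, defaults=DEFAULTS):
    """Return a list of (keyword, expected, actual, source) for every deviation.
    source is 'configured' when the value came from the file, 'default' when
    the keyword was absent and the OpenSSH default applies."""
    effective = parse_sshd_config(text)
    findings = []
    for key, expected in baseline.items():
        if key in effective:
            actual, source = effective[key], "configured"
        else:
            actual, source = defaults.get(key, "<unknown>"), "default"
        if actual.lower() != expected.lower():
            findings.append((key, expected, actual, source))
    return findings


if __name__ == "__main__":
    for key, expected, actual, source in check_drift(SAMPLE_SSHD_CONFIG):
        print(f"DRIFT {key}: expected {expected!r}, effective {actual!r} ({source})")
```

Running the check on the sample reports two deviations: PermitRootLogin is effectively "yes" because the first line wins over the later "no", and PasswordAuthentication is effectively "yes" because the only line setting it is a comment. The same pattern (parse, compute effective value, diff against baseline) applies to any text-based configuration the safeguards above cover.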
What is the goal of Control 05?
To outline best practices for companies to manage credentials and authorization for user accounts, privileged user accounts (such as administrator accounts), and service accounts for company hardware and software
How should credentials be treated?
As highly sensitive information
What are the 6 safeguard recommendations for Control 05?
Establish and Maintain an Inventory of Accounts
Use Unique Passwords
Disable Dormant Accounts
Restrict Administrator Privileges to Dedicated Administrator Accounts
Establish and Maintain an Inventory of Service Accounts
Centralize Account Management
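Safeguards 5.1, 5.3, 5.4 and 5.5 above are all checks that can be run against a directory export. The script below is an added example, not code from CIS or from the original page. It reads a constructed CSV export of accounts, reconciles it against assumed user and service-account inventories, flags enabled accounts with no logon in 45 days (the period CIS Controls v8 safeguard 5.3 names), and flags administrator rights on accounts that do not follow an assumed "adm-" naming convention for dedicated administrator accounts. The export columns and the naming convention are assumptions.

```python
"""Review an account export against CIS Control 05 safeguards.

Added example, not from CIS or the page. The export format and the 'adm-'
prefix for dedicated administrator accounts are assumptions for illustration.
The 45-day dormancy window is the period CIS Controls v8 safeguard 5.3 names.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed directory export, one row per account.
ACCOUNT_EXPORT = """\
username,type,enabled,is_admin,last_logon
jsmith,user,true,false,2024-02-28T17:42:00
adm-jsmith,user,true,true,2024-03-01T09:05:00
mlee,user,true,true,2024-03-01T11:20:00
tbrown,user,true,false,2023-12-15T08:00:00
svc-backup,service,true,false,2024-03-02T02:00:00
svc-legacy,service,true,false,2023-09-01T02:00:00
contractor9,user,false,false,2023-11-01T10:00:00
"""

# Constructed inventories (safeguards 5.1 and 5.5): account -> owning team.
USER_INVENTORY = {"jsmith": "finance", "adm-jsmith": "finance",
                  "mlee": "engineering", "tbrown": "hr"}
SERVICE_INVENTORY = {"svc-backup": "platform team"}


def load_accounts(text):
    """Parse the CSV export into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": r["username"],
            "type": r["type"],
            "enabled": r["enabled"].lower() == "true",
            "is_admin": r["is_admin"].lower() == "true",
            "last_logon": datetime.fromisoformat(r["last_logon"]),
        })
    return rows


def review_accounts(text, now, user_inventory=USER_INVENTORY,
                    service_inventory=SERVICE_INVENTORY,
                    dormant_after=timedelta(days=45)):
    """Return {check: [usernames]} for each safeguard violation found.

    not_in_inventory   - account exists but no owner is recorded (5.1 / 5.5)
    dormant            - enabled account with no logon within dormant_after (5.3)
    admin_not_dedicated - admin rights on an account not named as dedicated admin (5.4)
    """
    findings = {"not_in_inventory": [], "dormant": [], "admin_not_dedicated": []}
    for acct in load_accounts(text):
        name = acct["username"]
        inventory = service_inventory if acct["type"] == "service" else user_inventory
        if name not in inventory:
            findings["not_in_inventory"].append(name)
        # Already-disabled accounts satisfy 5.3; only enabled ones are dormant.
        if acct["enabled"] and now - acct["last_logon"] > dormant_after:
            findings["dormant"].append(name)
        if acct["is_admin"] and not name.startswith("adm-"):
            findings["admin_not_dedicated"].append(name)
    return findings


def demo(now_iso="2024-03-02T12:00:00"):
    """Run the review over the constructed export at a fixed point in time."""
    return review_accounts(ACCOUNT_EXPORT, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for check, names in demo().items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

The output separates the three remediation paths: dormant accounts get disabled, unowned accounts get an owner or get removed, and a daily-use account holding admin rights gets a separate dedicated administrator account.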
What is the goal of Control 06?
To expand on control 05 (Account Management) by specifying the type of access that user accounts should have and to ensure that access rights are granted on a need-to-know basis
What do the principles of “least privilege” and “need to know” role assignments assist with?
They assist in minimizing the risk of unauthorized access to sensitive information by ensuring that users only have access to the information necessary for their specific roles
Access Control Models like Role-Based Access Control (RBAC) and Policy-Based Access Control (PBAC) can be utilized for what?
To facilitate granting and revoking access based on job duties, roles, and responsibilities by defining roles within the organization and assigning appropriate access to each role, which also supports separation of duties
For accounts with administrator access or remote access, additional controls such as ____ and ____ can be used as an additional security layer
Multifactor Authentication and Privileged Account Management
What are the 8 safeguard recommendations for Control 06?
Establish an Access Granting Process
Establish an Access Revoking Process
Require Multifactor Authentication for Externally-Exposed Applications
Require Multifactor Authentication for Remote Network Access
Require Multifactor Authentication for Administrative Access
Establish and Maintain an Inventory of Authentication and Authorization Systems
Centralize Access Control
Define and Maintain Role-Based Access Control
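The role-based model, separation of duties, and the multifactor requirements for externally exposed applications, remote network access, and administrative access described under Control 06 can be expressed as a single deny-by-default access decision. The block below is an added example, not code from CIS or from the original page; the role names, permission strings, separation-of-duties pair, and request fields are assumptions for illustration.

```python
"""Role-based access decisions with MFA requirements (CIS Control 06).

Added example, not from CIS or the page. Role names, permissions, the
separation-of-duties pair and the request fields are assumptions.
"""
from dataclasses import dataclass

# Assumed role -> permission mapping (safeguard 6.8). Permissions are
# "resource:action" strings; resources prefixed "admin:" are administrative.
ROLE_PERMISSIONS = {
    "finance-analyst": {"ledger:read", "reports:read"},
    "payments-requester": {"payments:create"},
    "payments-approver": {"payments:approve"},
    "platform-admin": {"admin:iam:write", "admin:hosts:write", "ledger:read"},
}

# Assumed separation-of-duties pairs: one person must never hold both.
SOD_CONFLICTS = {frozenset({"payments-requester", "payments-approver"})}

# Assumed set of applications reachable from the internet (safeguard 6.3).
EXTERNALLY_EXPOSED = {"reports", "payments"}


@dataclass
class Request:
    user: str
    roles: set
    resource: str            # e.g. "ledger" or "admin:iam"
    action: str              # e.g. "read", "write"
    mfa_verified: bool
    remote_network: bool = False   # session arrives over VPN/remote access (6.4)


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of permissions granted by known roles; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(roles, conflicts=SOD_CONFLICTS):
    """Conflicting role pairs that the given role set contains in full."""
    return [tuple(sorted(pair)) for pair in conflicts if pair <= set(roles)]


def decide(req):
    """Return (allowed, reason). Denies unless a role grants the exact
    permission and any applicable MFA requirement is satisfied."""
    if sod_violations(req.roles):
        return False, "separation-of-duties conflict in assigned roles"
    needed = f"{req.resource}:{req.action}"
    if needed not in effective_permissions(req.roles):
        return False, f"no role grants {needed}"
    is_admin = req.resource.startswith("admin:")
    is_external = req.resource in EXTERNALLY_EXPOSED
    if (is_admin or is_external or req.remote_network) and not req.mfa_verified:
        if is_admin:
            why = "administrative access"
        elif is_external:
            why = "externally exposed application"
        else:
            why = "remote network access"
        return False, f"MFA required for {why}"
    return True, "granted by role"


if __name__ == "__main__":
    samples = [
        Request("ana", {"finance-analyst"}, "ledger", "read", mfa_verified=False),
        Request("ana", {"finance-analyst"}, "reports", "read", mfa_verified=False),
        Request("ops", {"platform-admin"}, "admin:iam", "write", mfa_verified=False),
        Request("ops", {"platform-admin"}, "admin:iam", "write", mfa_verified=True),
        Request("bob", {"payments-requester", "payments-approver"}, "payments", "approve", mfa_verified=True),
        Request("ana", {"finance-analyst"}, "ledger", "read", mfa_verified=False, remote_network=True),
    ]
    for r in samples:
        allowed, reason = decide(r)
        print(f"{r.user:4} {r.resource}:{r.action:8} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The ordering of checks matters for the reason that gets logged: a separation-of-duties conflict is a provisioning error and is reported before anything else, a missing permission is the normal least-privilege denial, and the MFA checks run last so a correctly entitled user is told exactly which safeguard (6.3, 6.4 or 6.5) they still need to satisfy.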