What does “NIST” stand for?
National Institute of Standards and Technology
What is the purpose of NIST? What year was it formed? What year did it branch out to cybersecurity?
It was established in 1901 to reduce barriers to industrial competitiveness while also improving access to resources to promote U.S. research capabilities.
It branched out into cybersecurity in 1995.
What does “CSF” stand for?
Cybersecurity Framework
What is the purpose of the NIST CSF?
To help any organization manage and reduce their cybersecurity risks.
True or False: The NIST Cybersecurity Framework is a voluntary framework.
True
What are the three primary components of the NIST CSF?
CSF Core
CSF Tiers
CSF Organizational Profiles
What are the six components of the CSF Core?
Govern
Identify
Protect
Detect
Respond
Recover
What are the four tiers associated with the CSF? Which one is the lowest and which one is the highest?
Partial (lowest)
Risk-Informed
Repeatable
Adaptive (highest)
What is a CSF Organizational Profile? What are the two main subcomponents of an Organizational Profile?
They are mechanisms by which NIST recommends that companies measure cybersecurity risks. They also provide roadmaps to make sure that an organization can minimize said risk.
The two subcomponents are Current and Target Profiles.
What is a Current Profile?
A measure of how simple or sophisticated the cybersecurity policies are at this point in time.
What is a Target Profile?
The level of sophistication that a company hopes to reach in the future.
Name the five components used in the five-step approach to using Organizational Profiles:
1. Scope
2. Gather information needed
3. Create
4. Analyze gaps and create action plan
5. Implement action plan
What is the NIST Privacy Framework?
A framework created in early 2020 meant to help protect individuals’ data as used in data processing applications.
What two new “cores” are introduced in the Privacy Framework that were not considered to be in the CSF?
Control and Communicate
What “cores” from CSF are also included in the Privacy Framework?
Identify, Govern, and Protect
Which “cores” are exclusive to the CSF?
Detect, Respond, and Recover
True or False: The Privacy Framework can apply “cores” in practice that are only found in the CSF.
True
What is the NIST SP 800-53 Security and Privacy Controls Framework?
A set of security and privacy controls applicable to all information systems.
What are the controls in NIST SP 800-53 designed for?
For protecting information systems against sophisticated threats.
What are the controls for the CSF and Privacy Framework designed for?
For cost-effectiveness and best practices implementation.
What are controls?
Objectives to be implemented for family conformance.
What are control enhancements?
Best practices, some of which are recommended, while others are necessary.
What are the three control implementation approaches associated with NIST SP 800-53?
Common
System-Specific
Hybrid