M1: What are the NIST Cybersecurity Framework CORES?
Govern, Identify, Protect, Detect, Respond, Recover
M1: What are the NIST Cybersecurity Framework TIERS?
Partial, Risk-Informed, Repeatable, Adaptive
M1: What are the NIST Cybersecurity Framework PROFILES?
Current Profile, Target Profile
M1: _______ _______ is the difference between current profile and target profile.
Gap Analysis
M1: What are the NIST Privacy Framework CORES?
Govern, Identify, Control, Communicate, Protect
M1: What are the control implementation approaches on a per-control basis?
Common (Inheritable), System-specific, Hybrid
M1: Implementing controls throughout the ENTIRE organization with the same standards for ALL information systems is…
Common (Inheritable)
M1: Implementing controls tailored to EACH information system is…
System-specific
M1: Implementing controls throughout the ENTIRE organization AND tailoring them to EACH system is…
Hybrid
M2: What are the three categories of safeguards for covered entities/business associates under HIPAA?
Administrative, physical, and technical safeguards
M2: Which safeguard includes security management processes, assigned security responsibility, workforce security, information access management, etc.?
Administrative Safeguard
M2: Which safeguard includes facility access controls, workstation security, “Locks on Doors”, etc.?
Physical Safeguard
M2: Which safeguard includes access controls, audit controls, data integrity controls, person or entity authentication, “Setting Permissions”, etc.?
Technical Safeguard
M2: What are the PRINCIPLES that must be followed when processing data in compliance with GDPR?
Lawfulness, Fairness, Transparency
Purpose Limitation
Data Minimization
Accuracy
Storage Limitation
Integrity and Confidentiality
M2: What are the GOALS of Payment Card Industry Data Security Standard (PCI DSS)?
Build and maintain a secure network and systems
Protect account data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
M3: CIS controls are ____-_______ and ________ ___ ________.
task-focused; organized by activities
M3: Which Center for Internet Security (CIS) Control actively manages all ENTERPRISE ASSETS connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise? (EX: IT inventory list)
Control 01: Inventory and Control of Enterprise Assets
M3: Which Center for Internet Security (CIS) Control actively manages all SOFTWARE on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution?
Control 02: Inventory and Control of Software Assets
M3: Which Center for Internet Security (CIS) Control develops processes and technical controls to identify, classify, securely handle, retain, and dispose of data? (Manages the entire lifecycle of the enterprise's data.)
Control 03: Data Protection
M3: Which Center for Internet Security (CIS) Control establishes and maintains the secure configuration of enterprise assets and software?
Control 04: Secure Configuration of Enterprise Assets and Software
M3: Which Center for Internet Security (CIS) Control uses processes and tools to assign and manage authorization to credentials for user accounts to enterprise assets and software?
Control 05: Account Management
M3: Which Center for Internet Security (CIS) Control uses processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software?
Control 06: Access Control Management
M3: Which Center for Internet Security (CIS) Control develops a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, and monitors public and private industry sources for new threat and vulnerability information?
Control 07: Continuous Vulnerability Management
M3: Which Center for Internet Security (CIS) Control collects, alerts on, reviews, and retains audit logs of events that could help detect, understand, or recover from an attack?
Control 08: Audit Log Management
M3: Which Center for Internet Security (CIS) Control improves protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement?
Control 09: Email and Web Browser Protections
M3: CIS Controls were designed with which principles in mind?
Context, Coexistence, Consistency
M3: Which CIS Control Principle enhances the scope and practical applicability of safeguards by providing examples and explanations for better understanding?
Context
M3: Which CIS Control Principle aligns with evolving industry standards and frameworks, including NIST’s CSF 2.0 framework?
Coexistence
M3: Which CIS Control Principle includes minimizing disruption to controls?
Consistency
M4: Which Center for Internet Security (CIS) Control prevents or controls the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets?
Control 10: Malware Defenses
M4: Which Center for Internet Security (CIS) Control establishes and maintains data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state?
Control 11: Data Recovery
M4: Which Center for Internet Security (CIS) Control establishes, implements, and actively manages network devices in order to prevent attackers from exploiting vulnerable network services and access points?
Control 12: Network Infrastructure Management
M4: Which Center for Internet Security (CIS) Control operates processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base?
Control 13: Network Monitoring and Defense
M4: Which Center for Internet Security (CIS) Control establishes and maintains a security awareness program to influence the workforce to be security conscious and properly skilled, reducing cybersecurity risks to the enterprise?
Control 14: Security Awareness and Skills Training
M4: Which Center for Internet Security (CIS) Control develops a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately?
Control 15: Service Provider Management
M4: Which Center for Internet Security (CIS) Control manages the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise?
Control 16: Application Software Security
M4: Which Center for Internet Security (CIS) Control establishes a program to develop and maintain an incident response capability to prepare for, detect, and quickly respond to an attack?
Control 17: Incident Response Management
M4: Which Center for Internet Security (CIS) Control tests the effectiveness and resiliency of enterprise assets by identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating the objectives and actions of an attacker? (A step further than Continuous Vulnerability Management.)
Control 18: Penetration Testing
M5: What framework provides a roadmap that organizations can use to implement best practices for IT governance and management?
COBIT 2019
M5: What are the six governance system principles under COBIT 2019?
Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct From Management
Tailored to Enterprise Needs
End-to-End Governance System
M5: What are the 3 principles used to develop the COBIT 2019 CORE MODEL?
Based on Conceptual Model, Open and Flexible, Aligned to Major Standards
M5: Which COBIT 2019 framework principle states that governance frameworks should identify key components as well as the relationships between those components?
Based on Conceptual Model
M5: Which COBIT 2019 framework principle states that frameworks should have the ability to change, adding relevant content and removing irrelevant content, while keeping consistency and integrity?
Open and Flexible
M5: Which COBIT 2019 framework principle states that frameworks should align with regulations, frameworks, and standards?
Aligned to Major Standards
M5: What are the components that satisfy management and governance objectives under the COBIT 2019 core model?
Processes
Organizational Structures
Principles, Policies, Frameworks
Information
Culture, Ethics, and Behavior
People, Skills, and Competencies
Services, Infrastructure, and Applications
M5: What are the 11 design factors that could be considered under COBIT?
Enterprise Strategy
Enterprise Goals
Risk Profile
Information and Technology Issues
Threat Landscape
Compliance Requirements
Role of IT
Sourcing Model for IT
IT Implementation Methods
Technology Adoption Strategy
Enterprise Size
M5: What is the governance objective according to the COBIT 2019 core model?
Evaluate, Direct, and Monitor (EDM)
M5: What are the management objectives for COBIT 2019 core model?
Align, Plan, and Organize (APO)
Build, Acquire, and Implement (BAI)
Deliver, Service, and Support (DSS)
Monitor, Evaluate, and Assess (MEA)
(MEA) oversees 1-3
M5: Which role is responsible for the daily planning and administration of company operations, such as executive officers under COBIT 2019?
Management
M5: Which role is responsible for evaluating strategic objectives, directing management to achieve those objectives, and monitoring whether objectives are being met under COBIT 2019?
Governance