NIST Cybersecurity Framework Components

Created by
@ThumbUpMountain

Questions and Answers

What is the intent of Control 18 in the CIS Critical Security Controls Version 8?

Penetration Testing

What is the purpose of ISACA's COBIT framework?

IT governance and management best practices

What are the key differences between management and stakeholders under the COBIT framework?

Management is responsible for daily operations; stakeholders can be internal or external

What five components were used for the development of COBIT 2019's foundation?

Six governance system principles, Three governance framework principles, Other standards and regulations, Community contribution

What are the six governance system principles under COBIT 2019?

Provide Stakeholder Value, Holistic Approach, Dynamic Governance System, Governance Distinct from Management, Tailored to Enterprise Needs, End-to-End Governance System

What are the seven components to satisfy management and governance objectives under the COBIT 2019 core model?

Processes; Organizational Structures; Principles, Policies, Frameworks; Information; Culture, Ethics, and Behavior; People, Skills, and Competencies; Services, Infrastructure, and Applications

What are the 11 design factors that should be considered under COBIT?

Enterprise Strategy, Enterprise Goals, Risk Profile, Information and Technology Issues, Threat Landscape, Compliance Requirements, Role of IT, Sourcing Model for IT, IT Implementation Methods, Technology Adoption Strategy, Enterprise Size

List the governance objectives and management objectives according to the COBIT 2019 core model:

Governance Objectives: Evaluate, Direct, and Monitor (EDM); Management Objectives: Align, Plan, and Organize (APO), Deliver, Service, and Support (DSS), Monitor, Evaluate, and Assess (MEA)

What are the three primary components to manage cybersecurity risk under the NIST Cybersecurity Framework?

Framework Core, Framework Implementation Tiers, Framework Profile

What are the five components of the NIST CSF Framework Core?

Identify, Protect, Detect, Respond, Recover

Which NIST CSF Implementation Tiers apply to risk management process, risk management program integration, and external participation?

Tier 2: Risk-Informed

Explain the difference between a Current Profile and a Target Profile in organizational risk management.

The differences between the current state and future state are identified in a gap analysis.

Identify the eight framework functions under the NIST Privacy Framework Core.

Identify-P, Govern-P, Control-P, Communicate-P, Protect-P, Detect, Respond, Recover

What are the three control implementation approaches at organizational and information system levels?

Common (Inheritable)

What are the two general categories of data breaches?

Unintentional Data Breach

What are three examples of safeguards for covered entities or business associates?

Administrative safeguards, physical safeguards, and technical safeguards

What are the six principles that must be followed when processing data in compliance with GDPR?

1. Lawfulness, Fairness, Transparency
2. Purpose Limitation
3. Data Minimization
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality

What are the six goals of the PCI DSS?

1. Build and maintain a secure network and systems
2. Protect account data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

Explain the principles by which the CIS Controls were designed.

Controls are drafted based on data from actual cyberattacks and defense against them. Controls should help prioritize the most critical problems. All recommendations should be practical.

Describe the intent of Control 01: Inventory and Control of Enterprise Assets according to CIS Controls.

Actively manage all enterprise assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments to accurately know the totality of assets that need to be monitored and protected.

Describe the intent of Control 02: Inventory and Control of Software Assets according to CIS Controls.

Actively manage all software on the network to ensure only authorized software is installed and executed, and unauthorized software is prevented.

Describe the intent of Control 03: Data Protection.

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Describe the intent of Control 04: Secure Configuration of Enterprise Assets and Software.

Establish and maintain the secure configuration of enterprise assets and software.

Describe the intent of Control 05: Account Management.

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts as well as service accounts, to enterprise assets and software.

Describe the intent of Control 06: Access Control Management.

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

Describe the intent of Control 07: Continuous Vulnerability Management.

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

Describe the intent of Control 08: Audit Log Management.

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Describe the intent of Control 09: Email and Web Browser Protections.

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

Describe the intent of Control 10: Malware Defenses.

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Describe the intent of Control 11: Data Recovery.

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

Describe the intent of Control 12: Network Infrastructure Management.

Establish, implement, and actively manage network devices in order to prevent attackers from exploiting vulnerable network services and access points.

Describe the intent of Control 13: Network Monitoring and Defense.

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

Describe the intent of Control 14: Security Awareness and Skills Training.

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Describe the intent of Control 15: Service Provider Management.

Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes to ensure these providers are protecting those platforms and data appropriately.

Describe the intent of Control 16: Application Software Security.

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

Describe the intent of Control 17: Incident Response Management.

Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack.

Study Notes

NIST Cybersecurity Framework

  • The NIST Cybersecurity Framework consists of three primary components to manage cybersecurity risk: Identify, Protect, and Detect.
  • The framework core consists of five components: Identify, Protect, Detect, Respond, and Recover.
  • The framework has four implementation tiers: Partial (Tier 1), Risk-Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4).
  • A Current Profile is the current state of organizational risk management, while a Target Profile is the desired future state of organizational risk management.

NIST Privacy Framework

  • The NIST Privacy Framework Core consists of eight functions: Identify, Govern, Control, Communicate, Protect, Detect, Respond, and Recover.
  • The framework has three control implementation approaches: Common (Inheritable), System-Specific, and Hybrid.

Data Breaches

  • There are two general categories of data breaches: Unintentional Data Breach (resulting from negligence or error) and Intentional Data Breach (resulting from bad actors illegally gaining access to data).

Privacy and Data Security Standards

  • Three examples of safeguards for covered entities or business associates are: Administrative safeguards, Physical safeguards, and Technical safeguards.
  • The General Data Protection Regulation (GDPR) requires following six principles when processing data: Lawfulness, Fairness, Transparency, Purpose Limitation, Data Minimization, Accuracy, Storage Limitation, and Integrity and Confidentiality.
  • The Payment Card Industry Data Security Standard (PCI DSS) has six goals: Build and maintain a secure network and systems, Protect account data, Maintain a vulnerability management program, Implement strong access control measures, Regularly monitor and test networks, and Maintain an information security policy.

Center for Internet Security Critical Security Controls

  • The CIS Controls were designed based on five principles: Align, Measurable, Offense Informs Defense, Focus, and Feasible.
  • Control 01: Inventory and Control of Enterprise Assets aims to actively manage all enterprise assets connected to the infrastructure.
  • Control 02: Inventory and Control of Software Assets aims to manage all software on the network so that only authorized software is installed and can execute.
  • Control 03: Data Protection aims to develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
  • Control 04: Secure Configuration of Enterprise Assets and Software aims to establish and maintain the secure configuration of enterprise assets and software.
  • Control 05: Account Management aims to use processes and tools to assign and manage authorization to credentials for user accounts.
  • Control 06: Access Control Management aims to use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts.
  • Control 07: Continuous Vulnerability Management aims to develop a plan to continuously assess and track vulnerabilities on all enterprise assets.
  • Control 08: Audit Log Management aims to collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
  • Control 09: Email and Web Browser Protections aims to improve protections and detections of threats from email and web vectors.
  • Control 10: Malware Defenses aims to prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
  • Control 11: Data Recovery aims to establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
  • Control 12: Network Infrastructure Management aims to establish, implement, and actively manage network devices in order to prevent attackers from exploiting vulnerable network services and access points.

Center for Internet Security (CIS) Critical Security Controls

Control 13: Network Monitoring and Defense

  • Establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.

Control 14: Security Awareness and Skills Training

  • Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Control 15: Service Provider Management

  • Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise's critical IT platforms or processes to ensure these providers are protecting those platforms and data appropriately.

Control 16: Application Software Security

  • Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

Control 17: Incident Response Management

  • Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack.

Control 18: Penetration Testing

  • Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

COBIT 2019 Framework

Purpose

  • Provides a roadmap for implementing best practices for IT governance and management.

Key Differences between Management and Stakeholders

  • Management: responsible for daily planning and administration of company operations, such as executive officers.
  • Stakeholders: can be internal (e.g., lower levels of management) or external (e.g., regulators, investors, business partners, IT vendors).

Components used for Development of COBIT 2019 Foundation

  • Six principles for a governance system
  • Three principles for a governance framework
  • Other standards and regulations
  • Community contribution

Governance System Principles under COBIT 2019

  • Provide Stakeholder Value
  • Holistic Approach
  • Dynamic Governance System
  • Governance Distinct From Management
  • Tailored to Enterprise Needs
  • End-to-End Governance System

COBIT 2019 Core Model Components

  • Processes
  • Organizational Structures
  • Principles, Policies, Frameworks
  • Information
  • Culture, Ethics, and Behavior
  • People, Skills, and Competencies
  • Services, Infrastructure, and Applications

Design Factors to Consider under COBIT

  • Enterprise Strategy
  • Enterprise Goals
  • Risk Profile
  • Information and Technology Issues
  • Threat Landscape
  • Compliance Requirements
  • Role of IT
  • Sourcing Model for IT
  • IT Implementation Methods
  • Technology Adoption Strategy
  • Enterprise Size

Governance and Management Objectives according to COBIT 2019

  • Governance Objectives: Evaluate, Direct, and Monitor (EDM)
  • Management Objectives:
    • Align, Plan, and Organize (APO)
    • Build, Acquire, and Implement (BAI)
    • Deliver, Service, and Support (DSS)
    • Monitor, Evaluate, and Assess (MEA)


Description

This quiz assesses your understanding of the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, specifically the three primary components to manage cybersecurity risk.
