Podcast
Questions and Answers
What is the intent of Control 18 in the CIS Critical Security Controls Version 8?
What is the intent of Control 18 in the CIS Critical Security Controls Version 8?
Penetration Testing
What is the purpose of ISACA's COBIT framework?
What is the purpose of ISACA's COBIT framework?
IT governance and management best practices
What are the key differences between management and stakeholders under the COBIT framework?
What are the key differences between management and stakeholders under the COBIT framework?
Management responsible for daily operations, stakeholders can be internal or external
What five components were used for the development of COBIT 2019's foundation?
What five components were used for the development of COBIT 2019's foundation?
Signup and view all the answers
What are the six governance system principles under COBIT 2019?
What are the six governance system principles under COBIT 2019?
Signup and view all the answers
What are the seven components to satisfy management and governance objectives under the COBIT 2019 core model?
What are the seven components to satisfy management and governance objectives under the COBIT 2019 core model?
Signup and view all the answers
What are the 11 design factors that should be considered under COBIT?
What are the 11 design factors that should be considered under COBIT?
Signup and view all the answers
List the governance objectives and management objectives according to the COBIT 2019 core model:
List the governance objectives and management objectives according to the COBIT 2019 core model:
Signup and view all the answers
What are the three primary components to manage cybersecurity risk under the NIST Cybersecurity Framework?
What are the three primary components to manage cybersecurity risk under the NIST Cybersecurity Framework?
Signup and view all the answers
What are the five components of the NIST CSF Framework Core?
What are the five components of the NIST CSF Framework Core?
Signup and view all the answers
Which NIST CSF Implementation Tiers apply to risk management process, risk management program integration, and external participation?
Which NIST CSF Implementation Tiers apply to risk management process, risk management program integration, and external participation?
Signup and view all the answers
Explain the difference between a Current Profile and a Target Profile in organizational risk management.
Explain the difference between a Current Profile and a Target Profile in organizational risk management.
Signup and view all the answers
Identify the eight framework functions under the NIST Privacy Framework Core.
Identify the eight framework functions under the NIST Privacy Framework Core.
Signup and view all the answers
What are the three control implementation approaches at organizational and information system levels?
What are the three control implementation approaches at organizational and information system levels?
Signup and view all the answers
What are the two general categories of data breaches?
What are the two general categories of data breaches?
Signup and view all the answers
What are three examples of safeguards for covered entities or business associates?
What are three examples of safeguards for covered entities or business associates?
Signup and view all the answers
What are the six principles that must be followed when processing data in compliance with GDPR?
What are the six principles that must be followed when processing data in compliance with GDPR?
Signup and view all the answers
What are the six goals of the PCI DSS?
What are the six goals of the PCI DSS?
Signup and view all the answers
Explain the principles by which the CIS Controls were designed.
Explain the principles by which the CIS Controls were designed.
Signup and view all the answers
Describe the intent of Control 01: Inventory and Control of Enterprise Assets according to CIS Controls.
Describe the intent of Control 01: Inventory and Control of Enterprise Assets according to CIS Controls.
Signup and view all the answers
Describe the intent of Control 02: Inventory and Control of Software Assets according to CIS Controls.
Describe the intent of Control 02: Inventory and Control of Software Assets according to CIS Controls.
Signup and view all the answers
Describe the intent of Control 03: Data Protection.
Describe the intent of Control 03: Data Protection.
Signup and view all the answers
Describe the intent of Control 04: Secure Configuration of Enterprise Assets and Software.
Describe the intent of Control 04: Secure Configuration of Enterprise Assets and Software.
Signup and view all the answers
Describe the intent of Control 05: Account Management.
Describe the intent of Control 05: Account Management.
Signup and view all the answers
Describe the intent of Control 06: Access Control Management.
Describe the intent of Control 06: Access Control Management.
Signup and view all the answers
Describe the intent of Control 07: Continuous Vulnerability Management.
Describe the intent of Control 07: Continuous Vulnerability Management.
Signup and view all the answers
Describe the intent of Control 08: Audit Log Management.
Describe the intent of Control 08: Audit Log Management.
Signup and view all the answers
Describe the intent of Control 09: Email and Web Browser Protections.
Describe the intent of Control 09: Email and Web Browser Protections.
Signup and view all the answers
Describe the intent of Control 10: Malware Defenses.
Describe the intent of Control 10: Malware Defenses.
Signup and view all the answers
Describe the intent of Control 11: Data Recovery.
Describe the intent of Control 11: Data Recovery.
Signup and view all the answers
Describe the intent of Control 12: Network Infrastructure Management.
Describe the intent of Control 12: Network Infrastructure Management.
Signup and view all the answers
Describe the intent of Control 13: Network Monitoring and Defense.
Describe the intent of Control 13: Network Monitoring and Defense.
Signup and view all the answers
Describe the intent of Control 14: Security Awareness and Skills Training.
Describe the intent of Control 14: Security Awareness and Skills Training.
Signup and view all the answers
Describe the intent of Control 15: Service Provider Management.
Describe the intent of Control 15: Service Provider Management.
Signup and view all the answers
Describe the intent of Control 16: Application Software Security.
Describe the intent of Control 16: Application Software Security.
Signup and view all the answers
Describe the intent of Control 17: Incident Response Management.
Describe the intent of Control 17: Incident Response Management.
Signup and view all the answers
Study Notes
NIST Cybersecurity Framework
- The NIST Cybersecurity Framework consists of three primary components to manage cybersecurity risk: Identify, Protect, and Detect.
- The framework core consists of five components: Identify, Protect, Detect, Respond, and Recover.
- The framework has four implementation tiers: Partial (Tier 1), Risk-Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4).
- A Current Profile is the current state of organizational risk management, while a Target Profile is the desired future state of organizational risk management.
NIST Privacy Framework
- The NIST Privacy Framework Core consists of eight functions: Identify, Govern, Control, Communicate, Protect, Detect, Respond, and Recover.
- The framework has three control implementation approaches: Common (Inheritable), System-Specific, and Hybrid.
Data Breaches
- There are two general categories of data breaches: Unintentional Data Breach (resulting from negligence or error) and Intentional Data Breach (resulting from bad actors illegally gaining access to data).
Privacy and Data Security Standards
- Three examples of safeguards for covered entities or business associates are: Administrative safeguards, Physical safeguards, and Technical safeguards.
- The General Data Protection Regulation (GDPR) requires following six principles when processing data: Lawfulness, Fairness, Transparency, Purpose Limitation, Data Minimization, Accuracy, Storage Limitation, and Integrity and Confidentiality.
- The Payment Card Industry Data Security Standard (PCI DSS) has six goals: Build and maintain a secure network and systems, Protect account data, Maintain a vulnerability management program, Implement strong access control measures, Regularly monitor and test networks, and Maintain an information security policy.
Center for Internet Security Critical Security Controls
- The CIS Controls were designed based on five principles: Align, Measurable, Offense Informs Defense, Focus, and Feasible.
- Control 01: Inventory and Control of Enterprise Assets aims to actively manage all enterprise assets connected to the infrastructure.
- Control 02: Inventory and Control of Software Assets aims to manage all software on the network so that only authorized software is installed and can execute.
- Control 03: Data Protection aims to develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
- Control 04: Secure Configuration of Enterprise Assets and Software aims to establish and maintain the secure configuration of enterprise assets and software.
- Control 05: Account Management aims to use processes and tools to assign and manage authorization to credentials for user accounts.
- Control 06: Access Control Management aims to use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts.
- Control 07: Continuous Vulnerability Management aims to develop a plan to continuously assess and track vulnerabilities on all enterprise assets.
- Control 08: Audit Log Management aims to collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
- Control 09: Email and Web Browser Protections aims to improve protections and detections of threats from email and web vectors.
- Control 10: Malware Defenses aims to prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
- Control 11: Data Recovery aims to establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
- Control 12: Network Infrastructure Management aims to establish, implement, and actively manage network devices in order to prevent attackers from exploiting vulnerable network services and access points.### Center for Internet Security (CIS) Critical Security Controls
Control 13: Network Monitoring and Defense
- Establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
Control 14: Security Awareness and Skills Training
- Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Control 15: Service Provider Management
- Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise's critical IT platforms or processes to ensure these providers are protecting those platforms and data appropriately.
Control 16: Application Software Security
- Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
Control 17: Incident Response Management
- Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack.
Control 18: Penetration Testing
- Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
COBIT 2019 Framework
Purpose
- Provides a roadmap for implementing best practices for IT governance and management.
Key Differences between Management and Stakeholders
- Management: responsible for daily planning and administration of company operations, such as executive officers.
- Stakeholders: can be internal (e.g., lower levels of management) or external (e.g., regulators, investors, business partners, IT vendors).
Components used for Development of COBIT 2019 Foundation
- Six principles for a governance system
- Three principles for a governance framework
- Other standards and regulations
- Community contribution
Governance System Principles under COBIT 2019
- Provide Stakeholder Value
- Holistic Approach
- Dynamic Governance System
- Governance Distinct From Management
- Tailored to Enterprise Needs
- End-to-End Governance System
COBIT 2019 Core Model Components
- Processes
- Organizational Structures
- Principles, Policies, Frameworks
- Information
- Culture, Ethics, and Behavior
- People, Skills, and Competencies
- Services, Infrastructure, and Applications
Design Factors to Consider under COBIT
- Enterprise Strategy
- Enterprise Goals
- Risk Profile
- Information and Technology Issues
- Threat Landscape
- Compliance Requirements
- Role of IT
- Sourcing Model for IT
- IT Implementation Methods
- Technology Adoption Strategy
- Enterprise Size
Governance and Management Objectives according to COBIT 2019
- Governance Objectives: Evaluate, Direct, and Monitor (EDM)
- Management Objectives:
- Align, Plan, and Organize (APO)
- Build, Acquire, and Implement (BAI)
- Deliver, Service, and Support (DSS)
- Monitor, Evaluate, and Assess (MEA)
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Related Documents
Description
This quiz assesses your understanding of the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, specifically the three primary components to manage cybersecurity risk.