NIST Cybersecurity Framework Overview
48 Questions

Questions and Answers

Which component of the NIST Cybersecurity Framework focuses on maintaining a record of assets and system users?

  • Protect
  • Detect
  • Recover
  • Identify (correct)

What tier of the NIST Implementation Tiers indicates that cybersecurity practices are formal and documented?

  • Tier 3 (correct)
  • Tier 1
  • Tier 2
  • Tier 4

In the NIST Cybersecurity Framework, which function is primarily concerned with responding to cybersecurity events?

  • Respond (correct)
  • Detect
  • Protect
  • Recover

What does the 'current profile' in a NIST Framework Profile represent?

  • Existing level of organizational risk management (C) (correct)

Which of the following is a characteristic of Tier 2 in the NIST Implementation Tiers?

  • Management approval of cybersecurity efforts (C) (correct)

What are the categories used to classify the role of IT in an organization?

  • Support, Factory, Turnaround, Strategic (B) (correct)

How is the enterprise size defined according to the provided classifications?

  • Small: 50-249, Medium: 250-499, Large: 500+ (C) (correct)

What factors are included in the COBIT Design Factor of Risk Profile?

  • Current risk exposure and risk appetite (B) (correct)

What defines the sourcing model for IT?

  • The procurement model adopted by the company (D) (correct)

Which compliance requirement classification would apply to a large bank?

  • High compliance requirements (C) (correct)

What characterizes an organization with a First Mover Technology Adoption Strategy?

  • They adopt emerging technologies before they are proven. (B) (correct)

In the context of COBIT, who is responsible for setting governance policies?

  • Board of Directors (BOD) (B) (correct)

Which of the following is a common issue identified in the Information and Technology Design Factor?

  • Insufficient IT resources (C) (correct)

What is one of the main components of the NIST Privacy Framework?

  • Identify privacy risks related to data processing (A) (correct)

What defines Tier 3 in the Privacy Framework Tiers?

  • Repeatable (D) (correct)

Which of the following is NOT one of the 20 Control Families in SP 800-53?

  • Data Transparency and Reporting (C) (correct)

What is a consequence of a data breach?

  • Financial loss (A) (correct)

Which type of control is implemented specifically at the information system level according to SP 800-53?

  • System Specific Control (B) (correct)

Which of the following statements about HIPAA is true?

  • It promotes national standards for health care privacy and security. (C) (correct)

What is the average cost of a data breach, according to the content?

  • $4 million (B) (correct)

Which risk management process is NOT a basis of the Privacy Framework Tiers?

  • Risk Assessment Audits (D) (correct)

Who is intended to be the primary audience for SP 800-53?

  • Individuals with security and privacy assessment responsibilities (A) (correct)

What does the HIPAA Security Rule aim to protect?

  • Confidentiality, integrity, and availability of all PHI (D) (correct)

What is the primary purpose of the EDM governance objective in COBIT?

  • To evaluate strategic objectives and monitor their progress (B) (correct)

Which of the following is NOT one of the 4 management objectives in the COBIT Core Model?

  • IEC: Integrate, Evaluate, and Control (D) (correct)

Which component of the COBIT governance system addresses the activities necessary to achieve IT goals?

  • Processes (B) (correct)

What does the 'APO' component in COBIT primarily focus on?

  • Organizing IT resources for maximum efficiency (C) (correct)

Which design factor in COBIT helps organizations assess their approach to technology and adoption?

  • Technology Adoption Strategy (A) (correct)

Which of these best describes the role of the 'Culture, Ethics, and Behavior' component in COBIT governance?

  • It influences the success of management and governance. (C) (correct)

In the context of COBIT, what do the 'Services, Infrastructure, and Applications' include?

  • Tools needed for IT processing and governance. (D) (correct)

What is one of the key components of the BAI management objective in COBIT?

  • Managed Change (C) (correct)

Which design factor would you focus on to understand the compliance obligations an organization faces?

  • Compliance Requirements (C) (correct)

Which of the following is an important component of the MEA governance objective?

  • Managed Assurance (D) (correct)

Which of the following are components of administrative safeguards in HIPAA?

  • Security management (D) (correct)

What is the primary purpose of the HITECH Act?

  • To increase penalties for HIPAA violations (A) (correct)

Which of the following GDPR principles focuses on limiting data storage?

  • Storage Limitation (A) (correct)

What is a requirement under PCI DSS for protecting cardholder data?

  • Encrypt all data in transit (D) (correct)

Which of the following is NOT one of the CIS Controls?

  • Disaster Recovery Planning (B) (correct)

Which CIS Implementation Group describes organizations with security experts in all domains?

  • IG3 (D) (correct)

Under GDPR, what must data processing be limited to in order to comply with the Purpose Limitation principle?

  • Specified, Explicit, and Legitimate (D) (correct)

Which goal of PCI DSS involves protecting cardholder data?

  • Protect Cardholder Data (D) (correct)

Which of the following controls emphasizes continuous identification of vulnerabilities?

  • Continuous Vulnerability Management (A) (correct)

Which of the following is one of the six principles of GDPR?

  • Integrity and Confidentiality (B) (correct)

What is a key principle of the CIS Controls design?

  • Measurable (C) (correct)

What is the primary focus of CIS Control 4?

  • Secure Configuration of Enterprise Assets and Software (B) (correct)

What is a feature of the COBIT 2019 governance framework?

  • Holistic approach to IT governance (A) (correct)

Which of the following is a requirement for data processors not based in the EU under GDPR?

  • GDPR can still apply if they offer goods or services to EU residents (C) (correct)

Flashcards

NIST Cybersecurity Framework (CSF)

A standardized set of guidelines for cybersecurity developed by the National Institute of Standards and Technology (NIST) to help organizations manage risk and improve their security posture.

NIST CSF Framework Core

The NIST CSF Core is a set of five functions: Identify, Protect, Detect, Respond, and Recover. These functions represent key cybersecurity activities that need to be addressed by any organization striving for strong security.

NIST CSF Implementation Tiers

A scale used to classify an organization's level of cybersecurity maturity based on factors such as the level of integration of security processes, risk management, and communication.

NIST CSF Framework Profiles

An organization's desired future state of cybersecurity is termed the 'Target Profile' and is compared against its current security posture through a 'gap analysis' to identify improvement areas.

What is the NIST CSF's goal?

The NIST CSF aims to help organizations identify and manage cybersecurity risks by providing a structured approach to creating a secure environment.

NIST Privacy Framework

A framework developed by NIST to guide organizations in protecting sensitive data. It is industry-agnostic and overlaps with the NIST Cybersecurity Framework.

Identify (NIST Privacy Framework)

The first phase of the NIST Privacy Framework. It involves identifying and analyzing privacy risks related to data processing activities.

SP 800-53

A NIST standard that provides a comprehensive set of security and privacy controls for information systems. It is the standard for federal information security systems, requiring stricter controls and a higher level of security.

Access Control (NIST 800-53)

One of the 20 control families outlined in SP 800-53, which encompasses measures to ensure that only authorized individuals have access to specific data and resources.

Common Control (NIST 800-53)

Implementing security controls at the organizational level, covering multiple systems and processes.

HIPAA Covered Entities

The act of transmitting Protected Health Information (PHI) electronically, making a health care provider subject to HIPAA regulations.

HIPAA Security Rule

The section of HIPAA focusing on the security of Protected Health Information (PHI). It mandates safeguarding PHI from unauthorized access, use, or disclosure.

Data Breach Consequences

The detrimental consequences of a data breach, including financial losses, reputational damage, and legal complications.

Cost of a Data Breach

The cost associated with handling a data breach, including investigation, notification, and post-breach mitigation.

HIPAA

The Health Insurance Portability and Accountability Act, a US law designed to protect the privacy and security of Protected Health Information (PHI).

COBIT Focus Areas

A combination of management and governance objectives that address an organization's goals and objectives and can be applied to different governance issues, domains, and topics.

First Mover Strategy

A strategy that prioritizes implementing the latest technologies as soon as they emerge, characterized by taking more risk but potentially gaining an early advantage.

Role of IT in COBIT

A COBIT framework that categorizes IT’s role in an organization based on its impact, ranging from providing general support to driving both innovation and critical operations.

Compliance Requirements

A framework that categorizes compliance requirements based on their level of severity, with low compliance required for simpler businesses and high compliance for heavily regulated industries like banking.

Risk Profile

A COBIT design factor that identifies and evaluates the potential risks a company might face, including internal vulnerabilities and external threats.

IT Implementation Methods

A COBIT framework that outlines different approaches to developing and implementing IT systems, including Agile, DevOps, traditional (waterfall) methods, and hybrids.

Enterprise Goals

A key COBIT design factor that considers the factors influencing an organization's revenue growth and innovative development, often structured around the Balanced Scorecard.

Information and Technology

A COBIT design factor that analyzes the current state of an organization's information and technology infrastructure, addressing common challenges like data quality and resource limitations.

What is COBIT 2019?

COBIT 2019 is a framework for IT governance and management. It helps organizations align IT with business goals and manage risk effectively.

What is EDM?

EDM stands for Evaluate, Direct, and Monitor. It's one of the four governance objectives in COBIT 2019.

What is APO?

APO stands for Align, Plan, and Organize. It's a management objective in COBIT 2019 focused on aligning IT strategy, planning, and organizing resources.

What is BAI?

BAI stands for Build, Acquire, and Implement. It focuses on building, acquiring, and implementing IT systems.

What is DSS?

DSS stands for Deliver, Service, and Support. It focuses on delivering, servicing, and supporting IT services.

What is MEA?

MEA stands for Monitor, Evaluate, and Assess. It emphasizes continuous monitoring, evaluation, and assessment of IT performance.

What are the seven components of the COBIT 2019 framework?

The seven components of COBIT 2019 are: Processes; Organizational Structure; Principles, Policies, and Frameworks; Information; Culture, Ethics, and Behavior; People, Skills, and Competencies; and Services, Infrastructure, and Applications.

What are the design factors in COBIT 2019?

COBIT 2019 includes 11 design factors to help create a tailored enterprise governance system for IT.

What is the purpose of COBIT 2019?

COBIT 2019 helps organizations to create a custom governance system for IT based on their specific needs and environment.

What is enterprise strategy in COBIT 2019?

Enterprise strategy in COBIT 2019 involves defining both primary and secondary strategies to guide IT decisions.

HIPAA Safeguards

A set of physical, administrative, and technical controls designed to protect sensitive health information (PHI) from unauthorized access, use, disclosure, alteration, or destruction.

HITECH Act

Enacted in 2009, HITECH promotes the transition from paper to digital medical records, tightens penalties for HIPAA violations, and requires patients to be given the option to receive records electronically.

GDPR

The European Union's general law governing data privacy, known for its stringent regulations and substantial penalties for non-compliance.

Purpose Limitation

One of the six principles of GDPR, emphasizing that data processing must be limited to specified, explicit, and legitimate purposes.

Data Minimization

One of the six principles of GDPR, requiring data processing to be relevant, adequate, and limited to what's necessary for its intended purpose.

PCI DSS

A security standard created by the Payment Card Industry Security Standards Council to protect cardholder data in cashless transactions.

Build and Maintain a Secure Network

One of the six goals of PCI DSS, focusing on maintaining a secure network and system infrastructure for cardholder data.

Protect Cardholder Data

One of the six goals of PCI DSS, ensuring protection of cardholder data from unauthorized access, use, disclosure, alteration, or destruction.

CIS (Center for Internet Security)

A global non-profit organization dedicated to developing and maintaining cybersecurity best practices, providing guidance for organizations to strengthen their cyber defenses.

CIS Controls

A framework designed to help organizations implement a comprehensive cybersecurity program based on a set of 18 controls and 153 subcategories known as "safeguards."

COBIT 2019

A cybersecurity assessment framework developed by the Information Systems Audit and Control Association (ISACA) that provides a comprehensive approach to IT governance and management.

Tailored to Enterprise Needs

One of the six principles for a governance system in COBIT 2019, emphasizing that the governance system should be tailored to the specific needs of the organization.

Conceptual Model

One of the three principles for a governance framework in COBIT 2019, emphasizing that the framework should be conceptually grounded and identify key components and relationships between them.

Alignment

One of the four Management Objectives in COBIT 2019, focusing on the organization's ability to ensure that its information and related technologies are aligned with the organization's strategic goals and objectives.

Value Delivery

One of the four Management Objectives in COBIT 2019, focusing on the organization's ability to ensure that its information and related technologies are used efficiently and effectively, delivering the desired value to the organization and its stakeholders.

Study Notes

NIST Cybersecurity Framework (CSF)

  • NIST was established in 1901 to promote research capabilities.
  • Its remit was extended in 1995 to include cybersecurity.
  • Three standardized frameworks from NIST:
    • NIST Cybersecurity Framework (CSF)
    • NIST Privacy Framework
    • NIST SP 800-53 - Security and Privacy Controls

NIST Cybersecurity Framework Components

  • Framework Core (GOVERN):
    • Identify: keep a record of assets, system users, and all systems.
    • Protect: deploy safeguards, regular updates, backups.
    • Detect: detect active cybersecurity attacks, monitor the network.
    • Respond: contain the cybersecurity event, react, notify affected parties.
    • Recover: support restoration, restore files.
    • Five functions, 23 categories, 108 subcategories.
  • Framework Implementation Tiers: benchmark the degree to which an organization integrates information security practices throughout.
    • Tier 1: Partial
    • Tier 2: Risk-informed
    • Tier 3: Repeatable
    • Tier 4: Adaptive
  • Framework Profile: mechanisms by which NIST recommends how companies measure and minimize cybersecurity risk.
    • Current profile: current state of organizational risk management.
    • Target profile: desired future state of organizational risk management.
    • Gap analysis: differences between the current and desired state.

NIST Privacy Framework

  • Framework on data protection.
  • Developed to be industry-agnostic.
  • Overlaps with the NIST Cybersecurity Framework.
  • Components:
    • Identify: privacy risks related to data processing
    • Govern: governance structure (new)
    • Control: management structure (new)
    • Communicate: dialogue around privacy risks (new)
    • Protect: safeguards
    • Detect: discovering privacy risks
    • Respond: reacting to a privacy breach
    • Recover: continuing business after a privacy breach
  • Same Tiers as the NIST CSF.

SP 800-53: 20 Control Families (be familiar)

  • AC: Access control
  • AT: Awareness and training
  • AU: Audit and accountability
  • CA: Assessment, authorization, monitoring
  • CM: Configuration management
  • CP: Contingency planning
  • IA: Identity and authentication
  • IR: Incident response
  • MA: Maintenance
  • MP: Media protection
  • PE: Physical and environmental protection
  • PL: Planning
  • PM: Program management
  • PS: Personnel security
  • PT: PII processing and transparency
  • RA: Risk assessment
  • SA: System and services acquisition
  • SC: Systems and communication protection
  • SI: Systems and information integrity
  • SR: Supply chain risk management

SP 800-53: Control Implementation Approaches

  • Common Control: Implemented at the organizational level
  • System Specific Control: Implemented at information system level
  • Hybrid Control: Combination of entity and system level controls

GDPR

  • General Data Protection Regulation: the European Union's general law regarding data privacy, and among the strictest privacy laws globally.
  • Penalties for violations are steep.
  • GDPR applies to data processors that are based in the EU, that offer services to EU citizens, or that monitor EU citizens.

GDPR Six Principles

  • LPDALC:
    • Lawfulness, Fairness, Transparency
    • Purpose Limitation: Data is for legitimate purposes
    • Data Minimization: Only store necessary data
    • Accuracy: Accurate and updated data
    • Storage Limitation: Store data only as long as necessary
    • Integrity and Confidentiality: Data protected against accidental loss, destruction, or damage.

Purpose Limitation versus Data Minimization

  • Purpose Limitation (SEL): Data must be processed for specified, explicit, and legitimate purposes.
  • Data Minimization (RAN): Data processing should be relevant, adequate, and limited to what is necessary for the purpose.

Other standards (CIS, HIPAA, HITECH)

  • Information about the Center for Internet Security (CIS) controls, HIPAA, and HITECH.

Data Breach Consequences

  • Business disruptions, reputation harm, financial loss, data loss, legal/regulatory implications; costs around $4 million on average.
  • Cost includes expenses for detection, escalation, consumer notification, post-breach response, and loss of revenue.

COBIT 2019

  • A framework for IT governance and management, originally developed by the Information Systems Audit and Control Association (ISACA).
  • Covers: the COBIT principles (six principles, three guidelines), the COBIT core model (1 governance objective and 4 management objectives), focus areas, design considerations (enterprise strategy, goals, risk profile, information and technology, threat landscape, factors, compliance requirements, role of IT, implementations, sourcing models, technology adoption, enterprise size, focus areas), and core publications.
  • Additional topics such as CIS controls, data protection, and incident response are covered too.

Description

This quiz explores the NIST Cybersecurity Framework (CSF), including its core components, implementation tiers, and profiling mechanisms. Test your knowledge on the framework's role in promoting cybersecurity best practices and its historical development since 1901.
