Questions and Answers

Which NIST framework component provides a benchmark for integrating information security practices throughout an organization?

  • Framework Implementation Tiers (correct)
  • Gap Analysis
  • Framework Profile
  • Framework Core

What is the primary purpose of the 'DETECT' function within the NIST Cybersecurity Framework Core?

  • To restore systems following a cybersecurity incident
  • To establish formal cybersecurity policies
  • To monitor networks and identify active cyber attacks (correct)
  • To identify and record all system users

An organization with ad hoc and inconsistent cybersecurity procedures would be classified under which Framework Implementation Tier?

  • Tier 1: Partial (correct)
  • Tier 2: Risk-Informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

What does the 'gap analysis' within the NIST Cybersecurity Framework Profiles determine?

  • The difference between the organization's current and desired states of risk management (D) (correct)

Which of the following is a key element considered when evaluating an organization's implementation tier under the NIST Cybersecurity Framework?

  • External participation (D) (correct)

Which of the following is NOT a component of the NIST Privacy Framework?

  • Validate (C) (correct)

Which NIST framework shares Tiers with the NIST Privacy Framework?

  • NIST Cybersecurity Framework (A) (correct)

Which of these is a System Specific Control according to NIST SP 800-53?

  • A specific access control for an information system. (C) (correct)

According to NIST SP 800-53, which of these is NOT a control family?

  • Stakeholder Management (SM) (A) (correct)

What is the primary focus of the HIPAA Security Rule?

  • Protecting the confidentiality, integrity, and availability of PHI. (B) (correct)

Which of the following is a common consequence of a data breach?

  • Reputational damage and financial loss. (C) (correct)

What is a key difference between SP 800-53 and the NIST Privacy Framework?

  • SP 800-53 is focused on controls, while the Privacy Framework focuses on risk management. (B) (correct)

Which of the following entities is NOT considered a HIPAA covered entity?

  • Retail stores that sell over-the-counter medications. (D) (correct)

What does the 'PT' control family in NIST SP 800-53 represent?

  • PII Processing and Transparency (C) (correct)

Which of the following is NOT a tier in the NIST Privacy Framework?

  • Tier 3: Managed (D) (correct)

What does the EDM component of COBIT focus on within its governance objectives?

  • Evaluating strategic objectives and monitoring their outcomes (C) (correct)

Which of the following is NOT a management objective in the COBIT Core Model?

  • Evaluate, Direct, and Monitor (A) (correct)

What does the 'APO' in COBIT stand for?

  • Align, Plan, Organize (D) (correct)

Which component focuses on continuous monitoring and compliance with external requirements in COBIT?

  • Monitor, Evaluate, Assess (C) (correct)

Which design factor in COBIT defines the organization's current risk exposure and appetite?

  • Risk Profile (D) (correct)

What is the primary goal of the COBIT framework?

  • To align IT with governance requirements and business objectives (D) (correct)

What is a characteristic of a 'strategic' role for IT according to COBIT?

  • IT drives innovation and is crucial for operations (A) (correct)

Which design factor would address an organization's strategies for emerging technology adoption?

  • Technology Adoption Strategy (A) (correct)

What are the components included in the governance system of COBIT?

  • Processes, organizational structure, principles, policies, information, culture, people, services (D) (correct)

In COBIT, which component is focused on ensuring that decisions made align with governance objectives?

  • Principles, Policies, and Frameworks (B) (correct)

What is the outcome of a well-defined IT implementation method in the COBIT framework?

  • Improved agility in development processes (B) (correct)

Who is primarily responsible for setting governance policies in an organization according to COBIT?

  • Board of Directors (D) (correct)

Which focus area in COBIT is primarily concerned with issues that can be addressed through a combination of governance and management objectives?

  • Focus Areas (B) (correct)

Which of the following is NOT a category of HIPAA safeguards?

  • Legal safeguards (A) (correct)

What is the main purpose of the HITECH Act?

  • Promote the transition from paper to electronic records (D) (correct)

Which GDPR principle emphasizes that data should only be collected for specified and legitimate purposes?

  • Purpose Limitation (B) (correct)

Which goal of PCI DSS focuses on restricting access to cardholder data based on legitimate need?

  • Implement Strong Access Control Measures (C) (correct)

What does CIS Control 1 emphasize regarding IT assets?

  • Maintaining an inventory of the totality of IT assets (C) (correct)

Which principle of CIS Controls focuses on the ability to measure the effectiveness of cybersecurity practices?

  • Measurable (B) (correct)

What is a key requirement for incident response management according to CIS Control 17?

  • Develop communication plans for incident response (A) (correct)

Which of the following components is NOT part of the COBIT governance system principles?

  • External validation system (D) (correct)

Which CIS Control involves establishing an automated backup process?

  • Data Protection (C) (correct)

What does the CIS Control 4 mandate about configurations?

  • Eliminate unnecessary software and change default passwords (A) (correct)

Which of the following is NOT a goal of PCI DSS?

  • Create a transparent pricing environment (C) (correct)

Which CIS Implementation Group represents organizations with security experts and sensitive data likely subject to regulation?

  • IG3 (A) (correct)

Who developed the COBIT framework?

  • Information Systems Audit and Control Association (ISACA) (A) (correct)

Which GDPR principle focuses on ensuring that data is only stored for as long as necessary?

  • Storage Limitation (A) (correct)

Flashcards

NIST Cybersecurity Framework (CSF)

A set of standards and guidelines developed by the National Institute of Standards and Technology (NIST) for organizations to manage and improve their cybersecurity posture.

Framework Core

The core of the NIST Cybersecurity Framework, outlining five functions: Identify, Protect, Detect, Respond, and Recover.

Implementation Tiers

A measure of how well an organization integrates cybersecurity practices into its overall operations. It ranges from Tier 1 (partial) to Tier 4 (adaptive), indicating increasing levels of maturity.

Framework Profiles

Defined goals for an organization's cybersecurity posture, outlining the desired state of its security practices.

Gap Analysis

A process of comparing the current state of an organization's cybersecurity practices with its desired state, as defined by the Framework Profile.

NIST Privacy Framework

A framework designed by NIST to help organizations manage data privacy risks by focusing on identifying, governing, controlling, communicating, protecting, detecting, responding, and recovering from privacy breaches.

Identify (NIST Privacy Framework)

The first step in the NIST Privacy Framework that involves identifying and assessing potential privacy risks associated with data processing activities.

Govern (NIST Privacy Framework)

The process of establishing clear governance structures and processes for overseeing data privacy within the organization.

Control (NIST Privacy Framework)

Developing and implementing control mechanisms to manage and mitigate the identified privacy risks.

Communicate (NIST Privacy Framework)

Establishing communication channels with stakeholders to discuss and address privacy risks effectively.

Protect (NIST Privacy Framework)

Implementing security measures to prevent unauthorized access to and disclosure of sensitive data.

Detect (NIST Privacy Framework)

The act of proactively monitoring for potential privacy breaches and vulnerabilities.

Respond (NIST Privacy Framework)

Developing a plan and taking appropriate actions to address a potential or actual privacy breach.

Recover (NIST Privacy Framework)

Restoring normal business operations and recovering from a data breach effectively.

NIST Privacy Framework Tiers

The various levels of data protection maturity within the NIST frameworks, indicating the organization's ability to manage privacy risks effectively.

HIPAA Safeguards

Administrative, physical, and technical safeguards implemented to protect sensitive health information.

HITECH Act

A law enacted in 2009 to encourage electronic health records, increase the penalties for HIPAA violations, and require notifying patients about breaches.

GDPR

The European Union's comprehensive data privacy regulation, known for its strict privacy standards and hefty penalties.

Purpose Limitation

One of the six GDPR principles, requiring data processing to have a clear and legitimate purpose.

Data Minimization

One of the six GDPR principles, requiring only the necessary data to be collected and processed.

PCI DSS

A set of standards developed by the Payment Card Industry Security Standards Council to protect cardholder data.

Build and Maintain a Secure Network

One of the six goals of PCI DSS, ensuring that networks and systems are secure and properly configured.

EDM (Evaluate, Direct, and Monitor)

Evaluating IT alignment with strategic objectives, directing management activities, and monitoring performance against goals.

Risk Optimization

A core COBIT principle that focuses on optimizing risk levels within an organization's IT environment.

Protect Cardholder Data

One of the six goals of PCI DSS, securing sensitive cardholder data both at rest and in transit.

Stakeholder Engagement

The process of actively engaging stakeholders throughout the IT governance process.

CIS - Center for Internet Security

A non-profit organization that provides cybersecurity best practices and recommendations for organizations.

COBIT 2019

A framework developed by the Information Systems Audit and Control Association (ISACA) for IT governance and management.

APO (Align, Plan, and Organize)

A COBIT framework objective that involves aligning IT strategy with business goals, planning how to use technology effectively, and organizing IT resources for optimal performance.

Holistic Approach

A principle of COBIT 2019, emphasizing a holistic approach to IT governance that considers all aspects of the IT landscape.

BAI (Build, Acquire, and Implement)

A COBIT objective that focuses on building, acquiring, and implementing IT systems and infrastructure.

Dynamic Governance System

A principle of COBIT 2019, emphasizing the dynamic nature of IT governance, requiring flexibility and adaptation to change.

DSS (Deliver, Service, and Support)

A COBIT objective that involves delivering IT services, managing problems, and ensuring continuity of operations.

MEA (Monitor, Evaluate, and Assess)

A COBIT objective that emphasizes continuous monitoring, evaluation, and assessment of IT performance.

Tailored to Enterprise Needs

One of the six principles for a governance system in COBIT 2019, highlighting the importance of tailoring governance practices to specific organizational needs.

Managed Data

A COBIT concept that emphasizes managing data security and integrity.

Governance Distinct from Management

A principle of COBIT 2019, emphasizing the importance of a clear separation between governance and management responsibilities.

End-to-End Governance System

A principle of COBIT 2019, emphasizing the need for governance to encompass all aspects of the IT function, from strategy to operations.

Managed Security

A COBIT concept that refers to managing security risks and implementing appropriate controls to protect IT systems and data.

Managed Risk

A COBIT concept that focuses on managing and mitigating IT risks.

Managed Knowledge

A COBIT concept that refers to organizing and managing knowledge within the IT organization.

Managed Change

A COBIT concept related to managing changes to IT systems in a controlled and organized manner.

Managed Availability and Capacity

A COBIT concept that emphasizes managing IT availability and capacity to meet business needs.

Managed Solutions and Build

A COBIT concept that focuses on managing the complete lifecycle of IT solutions, from design to development and deployment.

Managed Service Requests and Incidents

A COBIT concept that involves managing incidents and service requests from users.

Managed Compliance

A COBIT concept that focuses on managing IT compliance with external regulations and standards.

Study Notes

NIST Cybersecurity Framework

  • Established in 1901 to enhance research capabilities, improved in 1995 to include cybersecurity.
  • Three standardized frameworks: CSF, Privacy Framework, and SP 800-53.

NIST Cybersecurity Framework Components

  • Framework Core: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER (5 functions, 23 categories, 108 subcategories).
  • Framework Implementation Tiers: Benchmarks the degree of information security practices.
  • Tier 1 (Partial): Ad hoc, inconsistent actions.
  • Tier 2 (Risk-Informed): Growing company, cybersecurity separated from risk management. Limited consistent response to risk.
  • Tier 3 (Repeatable): Formal documented policies, integrated into planning, communicated regularly.
  • Tier 4 (Adaptive): Evolving threats, organization-wide.
  • Framework Profiles: Mechanisms to measure and minimize cybersecurity risk.
  • Current Profile: Current risk state.
  • Target Profile: Desired future risk state.
  • Gap Analysis: Identifies differences between current and desired states.

NIST Privacy Framework

  • Framework on data protection, industry agnostic, overlaps with CSF.
  • Components: Identify, Govern, Control, Communicate, Protect, Detect, Respond, Recover.
  • Tiers: Identical to NIST CSF tiers (1-4).

NIST SP 800-53

  • NIST Security and Privacy Controls, applicable to all information systems, standards for federal systems.
  • Stricter standards, less cost-effective.
  • 20 Control Families: (AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, PT, RA, SA, SC, SI, SR).
  • Control Implementation Approaches: Common, System-Specific, Hybrid.
  • Intended Audience: Security and privacy assessors, logisticians, system developers.
  • Purpose: Aimed at OMB Circular A-130 and FISMA.

Data Breach Consequences

  • Business disruptions, reputation harm, financial loss, data loss, legal/regulatory implications.

Cost of a Data Breach

  • Average cost: $4 million.
  • Expenses can include detection, escalation, notification, post-breach response, and lost revenue.

HIPAA

  • Health Insurance Portability and Accountability Act, promoting health care privacy and security.
  • PHI: Protected health information.
  • Covered Entities: Health care providers, health plans, clearinghouses, service providers.

HIPAA Security Rule

  • Confidentiality, integrity, and availability of all protected health information (PHI); protection against reasonably anticipated threats and reasonably anticipated impermissible uses or disclosures.

HIPAA Safeguards

  • Administrative: Security management, training, information access, contingency plans.
  • Physical: Facility and workstation security.
  • Technical: Access controls, audit controls, data integrity, authentication.

HITECH

  • Enacted in 2009 for electronic record transition, increased HIPAA penalties, required electronic records option, added "business associates."
  • Significant change: 60-day breach notice to impacted individuals.

GDPR

  • General Data Protection Regulation, EU's data privacy law.
  • Strictest privacy law globally, imposing heavy penalties.
  • Scope extends beyond the EU to data processors based within the EU or offering services to those within the EU.
  • Six Principles: Lawfulness, Fairness, Transparency; Purpose Limitation; Data Minimization; Accuracy; Storage Limitation; Integrity and Confidentiality.

PCI DSS

  • Payment Card Industry Data Security Standard.
  • For data security in cashless transactions, created by PCI Security Standards Council.
  • 6 Goals: Secure network and systems, protect cardholder data, manage vulnerabilities, strong access controls, monitor networks regularly, maintain security policy.

Center for Internet Security (CIS)

  • Recommended actions, processes, and best practices for strengthening cybersecurity defenses (supported by SANS).

CIS Controls Version 8

  • 18 controls, 153 subcategories, organized by who manages a device, and task-focused activities.
  • Design Principles: Align, Measurable, Offense Informs Defense, Focus, Feasible.
  • Implementation Groups (IGs): 1 (partial), 2 (repeatable), and 3 (adaptive) based on cybersecurity expertise and sensitivity of data handled.

CIS Controls (1-18)

  • Detailed descriptions and required actions for each CIS Control. (Too lengthy to summarize in bullet points)

COBIT 2019 Framework

  • Control Objectives for Information and Related Technologies, developed by ISACA, now used for IT governance and management.
  • 6 Governance System Principles, 3 Governance Framework Principles, Core Model (Governance+4 Management), 7 Components, & 11 Design Factors.

COBIT Principles and Objectives

  • Detailed descriptions of COBIT principles, objectives, design factors, and components. (Too lengthy to summarize in bullet points)

Description

Dive into the NIST Cybersecurity Framework, established to bolster both research and cybersecurity practices. This quiz explores its core components, implementation tiers, and how organizations can measure and manage their cybersecurity risks effectively.
