NIST Cybersecurity Framework Overview

Questions and Answers

Which NIST framework component focuses on the current and desired states of organizational risk management?

Framework Profile (correct)

Framework Core

Risk Management Process

Framework Implementation Tiers

According to the NIST Cybersecurity Framework, which function is primarily concerned with detecting active cyber attacks?

Respond

Detect (correct)

Identify

Protect

Which of the following best describes an organization operating at Tier 2 of the NIST Cybersecurity Framework Implementation Tiers?

Cybersecurity is isolated from risk management with some awareness of risks. (correct)

Formal, documented policies are in place and integrated into planning.

The organization is highly responsive to evolving cyber threats and adapts accordingly.

Cybersecurity is ad hoc with inconsistent actions.

Which of the following is NOT a core function within the NIST Cybersecurity Framework?

Analyze

What is the purpose of performing a gap analysis within the NIST Cybersecurity Framework?

To identify the differences between an organization's current cybersecurity state and its desired future state.

Which component of the NIST Privacy Framework involves establishing a dialogue around privacy risks?

Communicate

Which NIST publication provides a catalog of security and privacy controls applicable to all information systems, but serves as the STANDARD for federal information security systems?

SP 800-53

In SP 800-53, which control family deals with the management of security configurations?

CM

Which of these is NOT a tier in the NIST Privacy Framework?

Proactive

Which of these is a type of vulnerability that patch management addresses?

Software bugs

What is the main goal of the "Staging" environment in a DTSPD change environment?

To ensure that new applications are properly integrated with existing systems

According to the content, what is the average cost of a data breach?

$4 million

Which of the following is NOT a consequence of a data breach?

Increased stock price

Which of these is NOT considered a key component of a Patch Management Program?

Developing new features and functionality

Which category of individuals is NOT considered the intended audience for SP 800-53?

Marketing personnel

Which type of testing is performed to ensure diverse components of an application function as designed?

System testing

What type of control is implemented at the organizational level according to SP 800-53?

Common Control

What is the primary purpose of 'baseline configuration' in documenting systems controls?

To establish a starting point before implementing changes to a system

In the Waterfall Model, which stage primarily involves evaluating and approving changes?

Testing and Change Review

Which Act aims to adopt national standards to promote healthcare privacy and security?

Health Insurance Portability and Accountability Act (HIPAA)

What does PHI stand for in the context of HIPAA?

Protected Healthcare Information

Which type of data collection involves gathering information without direct consent?

Passive data collection

What is the main benefit of using a Parallel conversion method when implementing a new system?

It offers the highest degree of safety and risk reduction

Which type of change environment is used to test applications in their final phases before deployment?

Staging

Which of the following is NOT a risk associated with integration?

Inability to meet deadlines

A vulnerability tool is primarily used to:

Track security controls and identify weaknesses in systems

What is the purpose of data integration during the Preparation phase of the Data Lifecycle?

To ensure data is accurate and consistent

What is a key characteristic of the Agile method in comparison to the Waterfall Model?

Focus on customer feedback throughout the process

Which type of data logging focuses on recording access to files?

Event logs

What is the main purpose of archiving data in the Data Lifecycle?

To free up storage and resources in active systems

Which of these is a type of change that is typically considered routine as part of Change Management?

Performing system upgrades

What is the primary advantage of a full backup compared to other types of backups?

It provides the quickest restoration to functionality.

Which type of disaster recovery site has equipment on site but not plugged in?

Warm Site

What does a differential backup do?

Copies all changes since the last full backup.

What is the most important step in developing a disaster recovery plan?

Testing the plan.

Which type of backup copies data items that have changed since the last backup?

Incremental Backup

What is the primary concern when moving from a private to a public cloud computing model?

Higher risk due to increased reliance on external providers

Which of the following is NOT a type of processing control in an information system?

Data encryption

What is a key benefit of using an Enterprise Resource Planning (ERP) system?

Reduced data input complexity due to a central data repository

Which of the following is a valid concern associated with adopting a Cloud Service Provider (CSP)?

Possible concentration of risk in a single provider

What is the purpose of a reasonableness test in an accounting information system?

To detect potential errors by comparing transaction totals

What is the primary focus of risk assessment in all SOC engagements?

Inherent Risk

Which of the following is a qualitative factor considered when assessing materiality for SOC1?

The nature and cause of deviations

What is a 'Deviation or Exception' in the context of a SOC engagement?

A failure of a control to operate effectively in a specific instance

What is a 'Service Commitment' in the context of a SOC engagement?

A declaration made to user entities about a system used to provide a service

What is the auditor's responsibility when a security breach is identified?

Inquire with management about controls in place to identify, report, and obtain evidence of the breach

Which of the following is NOT an additional auditor responsibility when planning a SOC2 or SOC3 engagement?

Assessing RMM (Risk and Materiality)

Which of the following is considered a 'System Requirement' in the context of a SOC engagement?

A specification about how the system should function to meet the service commitment

Which of the following is an example of a 'Description Misstatement' in a SOC engagement?

An error or omission in the description of the system

What is the role of professional skepticism in addressing RMM in an audit?

Maintaining a questioning mind and critically evaluating evidence

What is the auditor's responsibility regarding subsequent events in a SOC engagement?

Address events that come to their attention only if they are material

Which of the following is NOT a HIPAA safeguard category?

Financial

What was the primary goal of the HITECH Act of 2009?

To promote the transition to electronic health records

Which of the following best describes the scope of GDPR's applicability?

It can apply to data processors outside the EU if they offer goods or services to those in the EU or monitor behavior in the EU.

In the context of GDPR, what does the principle of 'Purpose Limitation' primarily ensure?

That data is processed for specific, explicit, and legitimate purposes.

What does the acronym 'RAN' stand for in the context of GDPR's principle of Data Minimization?

Relevant, Adequate, Necessary

Which of the following is NOT one of the six goals of PCI DSS?

Implement Stringent Background Checks on All Employees

What does CIS stand for in the context of cybersecurity?

Center for Internet Security

According to the CIS Controls, what does the design principle Offense Informs Defense primarily mean?

Controls should be drafted based on observed attacker behavior

Which CIS implementation group is most suited for organizations that handle highly sensitive data and are subject to regulatory oversight?

IG3

What is the primary purpose of CIS Control 3?

To manage the entire life cycle of data securely

Which of these is NOT a common feature of CIS Control 5

Ensuring credentials are not treated as sensitive information

What is the goal of penetration testing (CIS Control 18), according to the text?

To simulate attacks and test an organization’s defenses against cyber threats

What does COBIT stand for?

Control Objectives for Information and Related Technologies

Which of the following is NOT a governance system principle of COBIT 2019?

To only address the needs of the IT function

What are the design principles of CIS, according to the text?

Align, Measurable, Offense Informs Defense, Focus, Feasible

What shape represents a Process in a Data Flow Diagram?

Circle

Which of the following is an example of a Network-Based Attack?

Denial of Service (DoS)

What is a common method used in Spoofing attacks?

Address Resolution Spoofing

Which type of cyberattack manipulates a system to execute operations in an incorrect order?

Race Condition

In a System Interface Diagram, what type of flow does it represent?

Both Logical and Physical Flow

What characteristic defines Host-Based Attacks?

They target a single host device.

Which attack involves an intermediary intercepting communications?

Man-in-the-Middle

Which of the following is NOT a form of Cyberattack?

Database Backup

What kind of virus changes its structure to avoid detection?

Polymorphic Virus

What method is typically used to disrupt server functionality in a Denial of Service attack?

Repetitive Requests

What characterizes an Operational Data Store (ODS)?

It holds information on operational activities and is often interim.

Which of the following is a defining feature of a Data Warehouse?

It must be continuously updated to remain relevant.

What is a primary key in a relational database?

A unique identifier for each record in a table.

In which normal form does every cell contain only one piece of information, and each table has a primary key?

First Normal Form (1NF)

What does a Snowflake Schema mostly depend on?

Highly normalized dimension tables.

What is the function of the SQL JOIN command?

It connects data from multiple tables based on related attributes.

In BPMN models, what does a 'pool' represent?

An organization participating in a process.

Which of the following SQL statements is used to filter results after aggregation?

HAVING

Which of these accurately describes a Data Mart?

A focused subset of a data warehouse tailored for a specific purpose.

What is the role of a Data Dictionary?

To provide information about the database structure.

What is the primary purpose of a Security Assessment Report (SAR)?

To issue evidence of controls complying or not complying with security goals

Which method is NOT typically included in security assessment methodologies?

Random sampling

What does tokenization accomplish in data security?

It replaces production data with a surrogate value

Which type of Data Loss Prevention (DLP) system scans files on endpoint devices?

Endpoint-Based DLP

What is the primary function of obfuscation in data protection?

To replace sensitive data with less valuable information

Which encryption method uses a single shared private key for both encryption and decryption?

Symmetric Encryption

What does 'champion density' refer to in the context of security program champions?

The concentration of champions across different departments

What type of ciphers uses symbols or letters to replace actual letters in a message?

Substitution ciphers

What is the main goal of a phishing simulation?

To educate employees on recognizing phishing attempts

Which of the following is NOT a safeguard for data at rest?

Increasing website traffic

What is the primary function of the Presentation Layer in the OSI model?

Transforms and formats data for interpretation

Which layer of the OSI model is mainly associated with adding Media Access Control (MAC) addresses?

Data Link Layer

Which of the following is an example of a service offered under Platform as a Service (PaaS)?

Building an e-commerce platform

What does the acronym CSP stand for in cloud computing contexts?

Cloud Service Provider

What best defines Software as a Service (SaaS)?

Offering of applications to customers over the internet

Which cloud computing deployment model is designed for use by a specific organization?

Private

What is one of the main responsibilities of the Network Layer in the OSI model?

Adding routing address headers

Which of the following is NOT a component of the COSO Enterprise Risk Management framework?

Application Development

In which layer of the OSI model does encryption occur?

Presentation Layer

What does the SPRIG framework relate to in the context of COSO Enterprise Risk Management?

Risk and Performance Management

Which cloud computing model allows companies to rent only the infrastructure components like servers and networking?

Infrastructure as a Service (IaaS)

What is the key function of the Session Layer in the OSI model?

Establishes and maintains communication sessions

What type of network architecture is typically referred to as a WAN?

Wide-Area Network that connects multiple offices and locations

Which of the following is a disadvantage of cloud computing?

Dependence on internet connectivity

What type of opinion is issued when there are material but not pervasive issues?

Qualified Opinion

Which of the following components is NOT included in a SOC report?

Service Organization's Financial Statements

What must a service auditor ensure when using the Inclusive method?

The services provided by the subservice organization are addressed.

What is the key difference in wording between a Qualified SOC 1 Report and a Qualified SOC 2 Report?

Qualified Opinion Section

What should be included in the auditors test of controls?

A description of the test of control and the results

What type of report is issued when a service auditor cannot reach an opinion?

Disclaimer Opinion

Which of the following describes Complementary User Entity Controls (CUECs)?

Controls necessary to be implemented by the user entity

Which statement describes an Adverse Opinion?

Reflects that controls were not operating effectively.

Which of the following correctly identifies what constitutes a Subservice Organization?

Services are relevant to understanding the service organization system

What is required in the description of the test of controls for Type 2 reports?

Describing in detail the nature and results of the tests performed

Which device is responsible for managing network traffic and assigning IP addresses?

Router

What is the primary function of a modem in an internet connection?

To connect a computer to the internet

Which topology connects nodes in a circular path and minimizes collisions?

Ring Topology

Which component is considered the 'brain' of the computer?

Microprocessor

Which type of firewall combines packet filtering and network address translation?

Stateful Multilayer Inspection Firewall

Which is NOT a function of edge-enabled devices?

Enabling high traffic management

Which of the following steps comes first in the Incident Response Plan process?

Preparation

What is the advantage of using a star topology in a network?

Easy identification of cable damage

What distinguishes an adverse event from a computer security incident?

An adverse event may not always indicate malicious intent.

What type of device can act as an intermediary between networks and convert protocols?

Gateway

Which type of incident response team is best suited for widespread organizations?

Distributed Incident Response Team

Which OSI Layer serves as the interface between applications?

Application Layer

Which type of firewall specifically inspects the packets themselves, which can impact performance?

Application-Level Gateway Firewall

In the context of testing incident response plans, what is the purpose of simulations?

To test procedures against hypothetical situations

Which of the following metrics indicates the time taken to recognize that an incident is a threat?

Mean Time to Acknowledge

What is a key component of all incident response plans?

Human capital involved in the response

How does a Type 2 SOC report differ from a Type 1 SOC report?

Type 2 evaluates controls over a specific period.

Which cycle focuses on the company's interaction with vendors to manage procurement and payments?

Purchasing and Disbursements Cycle

What type of costs do organizations typically seek to recover through cyber insurance?

Business Interruption Losses

In the AIS process, what is the purpose of filing source documents?

To serve as evidence for transactions

Which cycle is concerned with tracking and managing employee compensation?

Payroll Cycle

Which of the following is NOT a part of the General Incident Response Plan?

Modification

What is the primary goal of the Management Reporting System (MRS)?

To solve day-to-day business problems

What aspect does the COSO component 'Risk Assessment' focus on?

Analyzing potential risks

What is meant by 'Mean Time Between Failures' in IRP metrics?

The period between subsequent failures

Which document helps organizations identify how quickly they can recover after a disaster?

Business Impact Analysis

In the AIS process, what follows after transactions are posted to the General Ledger?

Trial balances are prepared

Which trust service primarily focuses on unauthorized access protection?

Security

Which cycle focuses on the financial interactions and payment processing associated with customer sales?

Revenue and Collections Cycle

Which organization is recognized for creating a recovery framework related to incident response?

NIST

What is the main purpose of business continuity plans?

To ensure continuous operation during and after a disaster

What is the primary purpose of the EDM governance objective in COBIT?

To evaluate strategic objectives and ensure they are met

Which of the following is NOT one of the main components of the BAI management objective?

Managed security

Which concept involves the estimation of losses and the classification of risk impacts in BIA?

Disruption Impacts

Which of the following best describes Robotic Process Automation (RPA)?

Employs software to handle high-volume, repeatable tasks

In the context of COBIT, what does the MEA objective primarily focus on?

Continuous monitoring and evaluation of processes

Which design factor refers to the classification of an organization's compliance requirements?

Compliance Requirements

Which key function is included in the Fixed Asset Cycle?

Creating depreciation schedules

Which COSO principle emphasizes the acquisition and use of quality information?

COSO Principle 13

What are the four management objectives in the COBIT Core Model?

APO, BAI, DSS, MEA

Which design factor indicates a business's strategy towards adopting technology?

Technology Adoption Strategy

What does Recovery Point Objective (RPO) signify?

The maximum threshold for lost data or downtime

What is the primary function of the processes in the COBIT governance system?

To achieve set IT goals

Which component is considered essential for successful governance in COBIT?

Cultural attitudes of the organization

Which role of IT is categorized as 'not critical for operations'?

Support

What does the APO objective primarily entail?

Aligning and planning IT strategy

What is the primary purpose of piggybacking in physical attacks?

To gain unauthorized access by following someone into a secure location

Which of the following is a design factor that deals with the classification of potential risks to an organization?

Risk Profile

In the context of cyber threats, what does spear phishing specifically target?

Specific employees of an organization

Which aspect of governance does the 'Organizational Structure' component address?

Decision-making entities within the organization

Which of the following describes the process of pharming?

Redirecting users from legitimate websites to fraudulent ones

What is the characteristic of a 'First Mover Strategy' in technology adoption?

Taking risks by adopting emerging technologies early

What is the primary goal of network segmentation?

To enhance security by isolating network traffic

In COBIT, which component provides guidance for implementing desired behaviors into practice?

Principles, Policies, and Frameworks

Which of the following is a characteristic of rogue mobile apps?

They appear legitimate while being malicious

Which risk is NOT associated with cloud computing?

Physical theft of data centers

What is the main purpose of Network Hardening?

To remove unused ports and block unnecessary protocols

What does the STRIDE threat modeling methodology focus on?

Categorizing different types of threats to systems

What does Zero Trust assume about a company's network?

It is always at risk despite user authentication

Which of the following is a characteristic of vishing?

Using telephone systems to deceive individuals

Which of the following best describes 'Need to Know' access control?

Access limited to data necessary for tasks

What is the first phase in the stages of a cyberattack?

Reconnaissance

What is the primary function of Whitelisting in cybersecurity?

To create a list of authorized applications

Which control is part of the COSO framework for governance?

Risk Assessment

Which authentication technology uses physical human characteristics?

Biometrics

What is the main purpose of a Risk-Based Access Control strategy?

To apply controls based on the asset's risk level

Which of the following best defines an Acceptable Use Policy?

An outline of acceptable behavior and consequences

What is a significant risk related to IoT devices?

Lack of device mismanagement

How does Multi-Factor Authentication increase security?

By requiring more than one method of verification

Which measure is considered a Corrective Control?

Patches and upgrades

What is the function of a Virtual Private Network (VPN)?

To encrypt communications and ensure data security

What role do Access Control Lists (ACL) serve in cybersecurity?

They outline permissions for user access to resources

Which one of the following is NOT a phase in threat modeling?

Conduct Training

What does layered security combine to enhance protection?

Personnel, policies, and technology

What is the purpose of Context Aware Authentication?

To authenticate users based on relevant data points

Which access control method allows data owners to manage their own data?

Discretionary Access Control

What does the NIST Cybersecurity Framework's 'Recover' component entail?

Transition from a vulnerable state to a mitigated state

Which of the following is NOT a preventative control?

Virus quarantining

Study Notes

NIST Cybersecurity Framework

• Established in 1901, improved in 1995 to include cybersecurity.
• Three standardized frameworks: CSF, Privacy Framework, SP 800-53.
• Framework Core: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER.
• 5 functions, 23 categories, 108 subcategories.
• Implementation Tiers: Tier 1 (partial), Tier 2 (risk-informed), Tier 3 (repeatable), Tier 4 (adaptive). Based on risk management process, program integration, and external participation.
• Framework Profiles: current and target profiles, gap analysis between them.

NIST Privacy Framework

• Data protection framework, industry-agnostic.
• Overlaps with NIST CSF.
• Components: Identify, Govern, Control, Communicate, Protect, Detect, Respond, Recover.
• Tiers identical to NIST CSF Tiers (1-4). Based on Risk Management, Program Integration, External Participation and Workforce.

NIST SP 800-53

• Security and Privacy Controls for information systems.
• Standard for federal information security systems.
• 20 Control families (e.g., Access and Control, Awareness and Training).
• Control implementation approaches: Common, System-Specific, Hybrid.
• Intended for security and privacy assessment and monitoring personnel, logistical/disposition roles and system developers.

Data Breach Consequences

• Business disruptions, reputation harm, financial loss, data loss, legal and regulatory implications.
• Average cost: $4 million.

HIPAA

• Health Insurance Portability and Accountability Act.
• Promotes health care privacy and security with standards for PHI (protected health information).
• Covered entities include health care providers, health plans, and health care clearing houses.
• Security Rule protects confidentiality, integrity, and availability of PHI.

HITECH

• Increased HIPAA penalties, required electronic record options for patients, added "business associates" as covered entities.
• Requires notification of breaches within 60 days of discovery.

GDPR

• General Data Protection Regulation (European Union).
• Strictest privacy law, with steep penalties.
• Scope extended to data processors in or serving the EU even if not based there.
• Six principles: Lawfulness, Fairness, Transparency; Purpose Limitation; Data Minimization; Accuracy; Storage Limitation; Integrity and Confidentiality.

PCI DSS

• Payment Card Industry Data Security Standard for cashless transactions and data security.
• 6 Goals - Build/Maintain network, Protect Cardholder Data, Maintain Vulnerability Management, Implement Strong Access Control, Regularly Monitor and Test Networks, Maintain an Information Security Policy.

Center for Internet Security (CIS) Controls

• Recommended set of actions, processes, and best practices for strengthening cybersecurity defenses.
• Supported by the SANS Institute.
• CIS Controls Version 8 - 18 controls and 153 subcategories.
• Implementation Groups (IG1-IG3) – varying degrees of cybersecurity defense and sophistication.
• Key Controls include 1-18
• Design Principles including AMOFF (Align, Measurable, Offense, Focus, Feasible)

COBIT 2019 Framework

• Control Objectives for Information and related Technologies. Developed by ISACA.
• 6 Governance System Principles (VHDDTE), 3 Governance Framework Principles (CFA).
• Core Model of 1 Governance, 4 Management Objectives (APO, BAI, DSS, MEA).
• 7 Components of Governance Systems (POPICPS), 11 Design Factors.

IT Infrastructure

• Computer Hardware (internal and external peripherals).
• Network Infrastructure Hardware (modems, routers, switches, gateways, edge-enabled devices, servers and firewalls).
• Network Protocols (TCP/IP).
• Network Topologies (Bus, Mesh, Ring, Star).
• OSI Model (7 layers).
• Operating Systems (OS).
• Mobile Technology.
• Cloud Computing (IaaS, PaaS, SaaS, Deployment Models).
• CSPs (Cloud Service Providers).
• COSO Enterprise Risk Management Framework (components).

Enterprise and Accounting Information Systems

• Types of Processing Controls (input, output, processing, access)
• Enterprise Resource Planning (ERP) systems.
• Accounting Information systems (AIS).
• Reasonableness Tests.
• AIS Subsystems (TPS, FRS, MRS).
• Goals of AIS Subsystems.
• Processes of purchasing, treasury, payroll, revenue, and collections cycles.
• AIS process: input, source document filing, transaction recording, general/subsidiary ledger posting, preparing trial balance, adjusting entries, financial reporting.
• Benefits of Application Software Providers (ASPs).
• Processes driven by IT Systems (automation, shared services, outsourcing).
• Offshore Operations. Risks in outsourcing
• Technology forms like RPA, NLP, Neural networks.
• Blockchain, COSO Principles related to blockchain.

Availability, Resiliency, and Disaster Recovery

• Business Resiliency, Business Continuity plans (BIA process).
• System Availability Controls (redundancy, backups).
• Crisis Management.
• Disaster Recovery (different sites), Backup Types.
• Recovery Point Objective (RPO), Recovery Time Objective (RTO), Mean Time To Repair (MTTR).

Change Management

• Change Management policies, procedures, and resources.
• Change Management Process (11 steps).
• Documenting systems controls (baseline, inventory, acceptance criteria)
• Change Management Controls.
• Types of Change Environments (development, testing, staging, production, disaster recovery)
• Integration risks (user resistance, management/stakeholder support, resources, and disruptions).
• Testing change implications, logging (application, change, event, firewall, network, proxy).
• Different models (Waterfall, Agile ).
• Patch Management, Patch Management Programs, Conversion Methods, Testing Methods (Unit, Integration, System, Acceptance).

Data Collection and Data Lifecycle

• Data Lifecycle Process (DCP, SAPAP, stages in detail).
• Data Collection Types (active, passive).
• ETL processes.
• Complexities of external data sources (copyright, safety, integrity).

Data Storage and Database Design

• Operational Data Store (ODS).
• Data Warehouse, Data Mart.
• Data Lake.
• Relational Databases (tables, attributes, records, fields).
• Database keys (primary, composite, foreign).
• Data Dictionary.
• Data Normalization.
• Data Model (Conceptual, Logical, Physical), Database Schemas (Fact, Dimension, Star, Snowflake).

Data Extraction, Integration, and Process Documentation

• SQL (SELECT, FROM, JOIN, WHERE, GROUP BY, HAVING),
• Data Flow Diagrams (logical flow, process, data flow, data store, external entity).
• Flowcharts (logical and physical flow).
• System Interface Diagrams, BPMN Activity models (events, tasks, flows, gateways).

Threats and Attacks

• Threat Agents (attacker, hacker, adversary, government-sponsored, hacktivists, insiders).
• Types of Cyberattacks (Network-Based, Application-Based, Host-Based, Social Engineering, Physical, Supply Chain).
• Specific techniques (DoS, DDoS, MITM, port scanning, reverse shell, return-oriented attacks, spoofing).
• Stages of an attack.
• Risks related to cloud computing, mobile technologies, and IoT.

Mitigation

• COSO - Business Objectives (operations, record-keeping, compliance).
• COSO - Five Components of Internal Control (control environment, risk assessment, information and communication, monitoring activities, existing control activities).
• Security Policies (acceptable use, BYOD).
• Network Segmentation/Isolation.
• System Hardening.
• Authorization and Authentication (zero trust, least privilege, need-to-know, whitelisting).
• Authentication Technologies (context aware, digital signatures, SSO, MFA, PIN, smartcards, token, biometrics).
• Password Management.
• Provisioning.
• NIST Cybersecurity Framework - Vulnerability (Identify, Protect, Detect, Respond, Recover).
• Common Vulnerabilities and Exposures (CVE) Dictionary.
• Layered Security (Defense in Depth.)

Incident Response

• Incident Response Plan (IRP), Timeline.
• NIST Response Team Models.
• Events versus Incidents.
• General Incident Response Plan (PDCERRL).
• Testing IRP plans (simulations, metrics).
• Insurable losses.

SOC Engagements

• Types of SOC reports (SOC1, SOC2, SOC3).
• Type 1 vs. Type 2.
• Trust Services criteria (Confidentiality, Availability, Processing Integrity, Privacy, Security).
• Alignment of Trust services to COSO.
• Complementary Subservice or User Entity Controls (CSOC, CUEC).
• Planning and Risk assessment considerations.
• Auditor responsibilities.
• Materiality considerations.

Reporting on SOC Engagements

• Opinions (unmodified, qualified, adverse, disclaimer).
• Key components of SOC reports.
• Scope (carve-out, inclusive).
• Responsibility of service organization, service auditor, and user entity.
• Subsequent Events.
• Misstatements, Modified Opinions, and Disclaimers.

Description

Test your knowledge on the NIST Cybersecurity Framework components, including functions, tiers, and publications. This quiz covers critical aspects of organizational risk management and privacy considerations as outlined by NIST. Examine your understanding of the framework's purpose and core functions.