NIST Cybersecurity Framework Overview
198 Questions

Questions and Answers

Which NIST framework component focuses on the current and desired states of organizational risk management?

  • Framework Profile (correct)
  • Framework Core
  • Risk Management Process
  • Framework Implementation Tiers

According to the NIST Cybersecurity Framework, which function is primarily concerned with detecting active cyber attacks?

  • Respond
  • Detect (correct)
  • Identify
  • Protect

Which of the following best describes an organization operating at Tier 2 of the NIST Cybersecurity Framework Implementation Tiers?

  • Cybersecurity is isolated from risk management with some awareness of risks. (correct)
  • Formal, documented policies are in place and integrated into planning.
  • The organization is highly responsive to evolving cyber threats and adapts accordingly.
  • Cybersecurity is ad hoc with inconsistent actions.

Which of the following is NOT a core function within the NIST Cybersecurity Framework?

Answer: Analyze (B)

What is the purpose of performing a gap analysis within the NIST Cybersecurity Framework?

Answer: To identify the differences between an organization's current cybersecurity state and its desired future state. (A)

Which component of the NIST Privacy Framework involves establishing a dialogue around privacy risks?

Answer: Communicate (D)

Which NIST publication provides a catalog of security and privacy controls applicable to all information systems, but serves as the STANDARD for federal information security systems?

Answer: SP 800-53 (A)

In SP 800-53, which control family deals with the management of security configurations?

Answer: CM (B)

Which of these is NOT a tier in the NIST Privacy Framework?

Answer: Proactive (A)

Which of these is a type of vulnerability that patch management addresses?

Answer: Software bugs (D)

What is the main goal of the "Staging" environment in a DTSPD change environment?

Answer: To ensure that new applications are properly integrated with existing systems (B)

According to the content, what is the average cost of a data breach?

Answer: $4 million (A)

Which of the following is NOT a consequence of a data breach?

Answer: Increased stock price (B)

Which of these is NOT considered a key component of a Patch Management Program?

Answer: Developing new features and functionality (A)

Which category of individuals is NOT considered the intended audience for SP 800-53?

Answer: Marketing personnel (C)

Which type of testing is performed to ensure diverse components of an application function as designed?

Answer: System testing (A)

What type of control is implemented at the organizational level according to SP 800-53?

Answer: Common Control (C)

What is the primary purpose of 'baseline configuration' in documenting systems controls?

Answer: To establish a starting point before implementing changes to a system (C)

In the Waterfall Model, which stage primarily involves evaluating and approving changes?

Answer: Testing and Change Review (A)

Which Act aims to adopt national standards to promote healthcare privacy and security?

Answer: Health Insurance Portability and Accountability Act (HIPAA) (D)

What does PHI stand for in the context of HIPAA?

Answer: Protected Healthcare Information (D)

Which type of data collection involves gathering information without direct consent?

Answer: Passive data collection (A)

What is the main benefit of using a Parallel conversion method when implementing a new system?

Answer: It offers the highest degree of safety and risk reduction (B)

Which type of change environment is used to test applications in their final phases before deployment?

Answer: Staging (D)

Which of the following is NOT a risk associated with integration?

Answer: Inability to meet deadlines (C)

A vulnerability tool is primarily used to:

Answer: Track security controls and identify weaknesses in systems (B)

What is the purpose of data integration during the Preparation phase of the Data Lifecycle?

Answer: To ensure data is accurate and consistent (C)

What is a key characteristic of the Agile method in comparison to the Waterfall Model?

Answer: Focus on customer feedback throughout the process (C)

Which type of data logging focuses on recording access to files?

Answer: Event logs (A)

What is the main purpose of archiving data in the Data Lifecycle?

Answer: To free up storage and resources in active systems (A)

Which of these is a type of change that is typically considered routine as part of Change Management?

Answer: Performing system upgrades (C)

What is the primary advantage of a full backup compared to other types of backups?

Answer: It provides the quickest restoration to functionality. (B)

Which type of disaster recovery site has equipment on site but not plugged in?

Answer: Warm Site (D)

What does a differential backup do?

Answer: Copies all changes since the last full backup. (D)

What is the most important step in developing a disaster recovery plan?

Answer: Testing the plan. (B)

Which type of backup copies data items that have changed since the last backup?

Answer: Incremental Backup (D)

What is the primary concern when moving from a private to a public cloud computing model?

Answer: Higher risk due to increased reliance on external providers (A)

Which of the following is NOT a type of processing control in an information system?

Answer: Data encryption (C)

What is a key benefit of using an Enterprise Resource Planning (ERP) system?

Answer: Reduced data input complexity due to a central data repository (B)

Which of the following is a valid concern associated with adopting a Cloud Service Provider (CSP)?

Answer: Possible concentration of risk in a single provider (D)

What is the purpose of a reasonableness test in an accounting information system?

Answer: To detect potential errors by comparing transaction totals (A)

What is the primary focus of risk assessment in all SOC engagements?

Answer: Inherent Risk (C)

Which of the following is a qualitative factor considered when assessing materiality for SOC1?

Answer: The nature and cause of deviations (D)

What is a 'Deviation or Exception' in the context of a SOC engagement?

Answer: A failure of a control to operate effectively in a specific instance (D)

What is a 'Service Commitment' in the context of a SOC engagement?

Answer: A declaration made to user entities about a system used to provide a service (A)

What is the auditor's responsibility when a security breach is identified?

Answer: Inquire with management about controls in place to identify, report, and obtain evidence of the breach (B)

Which of the following is NOT an additional auditor responsibility when planning a SOC2 or SOC3 engagement?

Answer: Assessing RMM (Risk and Materiality) (B)

Which of the following is considered a 'System Requirement' in the context of a SOC engagement?

Answer: A specification about how the system should function to meet the service commitment (C)

Which of the following is an example of a 'Description Misstatement' in a SOC engagement?

Answer: An error or omission in the description of the system (C)

What is the role of professional skepticism in addressing RMM in an audit?

Answer: Maintaining a questioning mind and critically evaluating evidence (D)

What is the auditor's responsibility regarding subsequent events in a SOC engagement?

Answer: Address events that come to their attention only if they are material (C)

Which of the following is NOT a HIPAA safeguard category?

Answer: Financial (A)

What was the primary goal of the HITECH Act of 2009?

Answer: To promote the transition to electronic health records (B)

Which of the following best describes the scope of GDPR's applicability?

Answer: It can apply to data processors outside the EU if they offer goods or services to those in the EU or monitor behavior in the EU. (A)

In the context of GDPR, what does the principle of 'Purpose Limitation' primarily ensure?

Answer: That data is processed for specific, explicit, and legitimate purposes. (B)

What does the acronym 'RAN' stand for in the context of GDPR's principle of Data Minimization?

Answer: Relevant, Adequate, Necessary (D)

Which of the following is NOT one of the six goals of PCI DSS?

Answer: Implement Stringent Background Checks on All Employees (D)

What does CIS stand for in the context of cybersecurity?

Answer: Center for Internet Security (D)

According to the CIS Controls, what does the design principle Offense Informs Defense primarily mean?

Answer: Controls should be drafted based on observed attacker behavior (A)

Which CIS implementation group is most suited for organizations that handle highly sensitive data and are subject to regulatory oversight?

Answer: IG3 (C)

What is the primary purpose of CIS Control 3?

Answer: To manage the entire life cycle of data securely (B)

Which of these is NOT a common feature of CIS Control 5?

Answer: Ensuring credentials are not treated as sensitive information (C)

What is the goal of penetration testing (CIS Control 18), according to the text?

Answer: To simulate attacks and test an organization's defenses against cyber threats (B)

What does COBIT stand for?

Answer: Control Objectives for Information and Related Technologies (A)

Which of the following is NOT a governance system principle of COBIT 2019?

Answer: To only address the needs of the IT function (D)

What are the design principles of CIS, according to the text?

Answer: Align, Measurable, Offense Informs Defense, Focus, Feasible (A)

What shape represents a Process in a Data Flow Diagram?

Answer: Circle (D)

Which of the following is an example of a Network-Based Attack?

Answer: Denial of Service (DoS) (C)

What is a common method used in Spoofing attacks?

Answer: Address Resolution Spoofing (B)

Which type of cyberattack manipulates a system to execute operations in an incorrect order?

Answer: Race Condition (B)

In a System Interface Diagram, what type of flow does it represent?

Answer: Both Logical and Physical Flow (C)

What characteristic defines Host-Based Attacks?

Answer: They target a single host device. (C)

Which attack involves an intermediary intercepting communications?

Answer: Man-in-the-Middle (C)

Which of the following is NOT a form of Cyberattack?

Answer: Database Backup (C)

What kind of virus changes its structure to avoid detection?

Answer: Polymorphic Virus (D)

What method is typically used to disrupt server functionality in a Denial of Service attack?

Answer: Repetitive Requests (A)

What characterizes an Operational Data Store (ODS)?

Answer: It holds information on operational activities and is often interim. (C)

Which of the following is a defining feature of a Data Warehouse?

Answer: It must be continuously updated to remain relevant. (A)

What is a primary key in a relational database?

Answer: A unique identifier for each record in a table. (B)

In which normal form does every cell contain only one piece of information, and each table has a primary key?

Answer: First Normal Form (1NF) (A)

What does a Snowflake Schema mostly depend on?

Answer: Highly normalized dimension tables. (D)

What is the function of the SQL JOIN command?

Answer: It connects data from multiple tables based on related attributes. (B)

In BPMN models, what does a 'pool' represent?

Answer: An organization participating in a process. (A)

Which of the following SQL statements is used to filter results after aggregation?

Answer: HAVING (B)

Which of these accurately describes a Data Mart?

Answer: A focused subset of a data warehouse tailored for a specific purpose. (A)

What is the role of a Data Dictionary?

Answer: To provide information about the database structure. (A)

What is the primary purpose of a Security Assessment Report (SAR)?

Answer: To issue evidence of controls complying or not complying with security goals (B)

Which method is NOT typically included in security assessment methodologies?

Answer: Random sampling (D)

What does tokenization accomplish in data security?

Answer: It replaces production data with a surrogate value (D)

Which type of Data Loss Prevention (DLP) system scans files on endpoint devices?

Answer: Endpoint-Based DLP (D)

What is the primary function of obfuscation in data protection?

Answer: To replace sensitive data with less valuable information (A)

Which encryption method uses a single shared private key for both encryption and decryption?

Answer: Symmetric Encryption (D)

What does 'champion density' refer to in the context of security program champions?

Answer: The concentration of champions across different departments (A)

What type of cipher uses symbols or letters to replace the actual letters in a message?

Answer: Substitution ciphers (D)

What is the main goal of a phishing simulation?

Answer: To educate employees on recognizing phishing attempts (B)

Which of the following is NOT a safeguard for data at rest?

Answer: Increasing website traffic (C)

What is the primary function of the Presentation Layer in the OSI model?

Answer: Transforms and formats data for interpretation (C)

Which layer of the OSI model is mainly associated with adding Media Access Control (MAC) addresses?

Answer: Data Link Layer (D)

Which of the following is an example of a service offered under Platform as a Service (PaaS)?

Answer: Building an e-commerce platform (C)

What does the acronym CSP stand for in cloud computing contexts?

Answer: Cloud Service Provider (A)

What best defines Software as a Service (SaaS)?

Answer: Offering of applications to customers over the internet (D)

Which cloud computing deployment model is designed for use by a specific organization?

Answer: Private (B)

What is one of the main responsibilities of the Network Layer in the OSI model?

Answer: Adding routing address headers (C)

Which of the following is NOT a component of the COSO Enterprise Risk Management framework?

Answer: Application Development (C)

In which layer of the OSI model does encryption occur?

Answer: Presentation Layer (A)

What does the SPRIG framework relate to in the context of COSO Enterprise Risk Management?

Answer: Risk and Performance Management (A)

Which cloud computing model allows companies to rent only the infrastructure components like servers and networking?

Answer: Infrastructure as a Service (IaaS) (B)

What is the key function of the Session Layer in the OSI model?

Answer: Establishes and maintains communication sessions (D)

What type of network architecture is typically referred to as a WAN?

Answer: Wide-Area Network that connects multiple offices and locations (B)

Which of the following is a disadvantage of cloud computing?

Answer: Dependence on internet connectivity (D)

What type of opinion is issued when there are material but not pervasive issues?

Answer: Qualified Opinion (C)

Which of the following components is NOT included in a SOC report?

Answer: Service Organization's Financial Statements (D)

What must a service auditor ensure when using the Inclusive method?

Answer: The services provided by the subservice organization are addressed. (B)

What is the key difference in wording between a Qualified SOC 1 Report and a Qualified SOC 2 Report?

Answer: Qualified Opinion Section (A)

What should be included in the auditor's test of controls?

Answer: A description of the test of control and the results (B)

What type of report is issued when a service auditor cannot reach an opinion?

Answer: Disclaimer Opinion (C)

Which of the following describes Complementary User Entity Controls (CUECs)?

Answer: Controls necessary to be implemented by the user entity (A)

Which statement describes an Adverse Opinion?

Answer: Reflects that controls were not operating effectively. (D)

Which of the following correctly identifies what constitutes a Subservice Organization?

Answer: Services are relevant to understanding the service organization system (C)

What is required in the description of the test of controls for Type 2 reports?

Answer: Describing in detail the nature and results of the tests performed (B)

Which device is responsible for managing network traffic and assigning IP addresses?

Answer: Router (B)

What is the primary function of a modem in an internet connection?

Answer: To connect a computer to the internet (A)

Which topology connects nodes in a circular path and minimizes collisions?

Answer: Ring Topology (C)

Which component is considered the 'brain' of the computer?

Answer: Microprocessor (A)

Which type of firewall combines packet filtering and network address translation?

Answer: Stateful Multilayer Inspection Firewall (C)

Which is NOT a function of edge-enabled devices?

Answer: Enabling high traffic management (D)

Which of the following steps comes first in the Incident Response Plan process?

Answer: Preparation (C)

What is the advantage of using a star topology in a network?

Answer: Easy identification of cable damage (D)

What distinguishes an adverse event from a computer security incident?

Answer: An adverse event may not always indicate malicious intent. (B)

What type of device can act as an intermediary between networks and convert protocols?

Answer: Gateway (A)

Which type of incident response team is best suited for widespread organizations?

Answer: Distributed Incident Response Team (B)

Which OSI Layer serves as the interface between applications?

Answer: Application Layer (A)

Which type of firewall specifically inspects the packets themselves, which can impact performance?

Answer: Application-Level Gateway Firewall (B)

In the context of testing incident response plans, what is the purpose of simulations?

Answer: To test procedures against hypothetical situations (C)

Which of the following metrics indicates the time taken to recognize that an incident is a threat?

Answer: Mean Time to Acknowledge (D)

What is a key component of all incident response plans?

Answer: Human capital involved in the response (B)

How does a Type 2 SOC report differ from a Type 1 SOC report?

Answer: Type 2 evaluates controls over a specific period. (C)

Which cycle focuses on the company's interaction with vendors to manage procurement and payments?

Answer: Purchasing and Disbursements Cycle (B)

What type of costs do organizations typically seek to recover through cyber insurance?

Answer: Business Interruption Losses (C)

In the AIS process, what is the purpose of filing source documents?

Answer: To serve as evidence for transactions (C)

Which cycle is concerned with tracking and managing employee compensation?

Answer: Payroll Cycle (B)

Which of the following is NOT a part of the General Incident Response Plan?

Answer: Modification (B)

What is the primary goal of the Management Reporting System (MRS)?

Answer: To solve day-to-day business problems (B)

What aspect does the COSO component 'Risk Assessment' focus on?

Answer: Analyzing potential risks (D)

What is meant by 'Mean Time Between Failures' in IRP metrics?

Answer: The period between subsequent failures (B)

Which document helps organizations identify how quickly they can recover after a disaster?

Answer: Business Impact Analysis (A)

In the AIS process, what follows after transactions are posted to the General Ledger?

Answer: Trial balances are prepared (B)

Which trust service primarily focuses on unauthorized access protection?

Answer: Security (A)

Which cycle focuses on the financial interactions and payment processing associated with customer sales?

Answer: Revenue and Collections Cycle (A)

Which organization is recognized for creating a recovery framework related to incident response?

Answer: NIST (A)

What is the main purpose of business continuity plans?

Answer: To ensure continuous operation during and after a disaster (A)

What is the primary purpose of the EDM governance objective in COBIT?

Answer: To evaluate strategic objectives and ensure they are met (C)

Which of the following is NOT one of the main components of the BAI management objective?

Answer: Managed security (D)

Which concept involves the estimation of losses and the classification of risk impacts in BIA?

Answer: Disruption Impacts (B)

Which of the following best describes Robotic Process Automation (RPA)?

Answer: Employs software to handle high-volume, repeatable tasks (C)

In the context of COBIT, what does the MEA objective primarily focus on?

Answer: Continuous monitoring and evaluation of processes (A)

Which design factor refers to the classification of an organization's compliance requirements?

Answer: Compliance Requirements (B)

Which key function is included in the Fixed Asset Cycle?

Answer: Creating depreciation schedules (C)

Which COSO principle emphasizes the acquisition and use of quality information?

Answer: COSO Principle 13 (A)

What are the four management objectives in the COBIT Core Model?

Answer: APO, BAI, DSS, MEA (A)

Which design factor indicates a business's strategy towards adopting technology?

Answer: Technology Adoption Strategy (C)

What does Recovery Point Objective (RPO) signify?

Answer: The maximum threshold for lost data or downtime (B)

What is the primary function of the processes in the COBIT governance system?

Answer: To achieve set IT goals (C)

Which component is considered essential for successful governance in COBIT?

Answer: Cultural attitudes of the organization (A)

Which role of IT is categorized as 'not critical for operations'?

Answer: Support (A)

What does the APO objective primarily entail?

Answer: Aligning and planning IT strategy (B)

What is the primary purpose of piggybacking in physical attacks?

Answer: To gain unauthorized access by following someone into a secure location (D)

Which of the following is a design factor that deals with the classification of potential risks to an organization?

Answer: Risk Profile (D)

In the context of cyber threats, what does spear phishing specifically target?

Answer: Specific employees of an organization (A)

Which aspect of governance does the 'Organizational Structure' component address?

Answer: Decision-making entities within the organization (A)

Which of the following describes the process of pharming?

Answer: Redirecting users from legitimate websites to fraudulent ones (C)

What is the characteristic of a 'First Mover Strategy' in technology adoption?

Answer: Taking risks by adopting emerging technologies early (D)

What is the primary goal of network segmentation?

Answer: To enhance security by isolating network traffic (B)

In COBIT, which component provides guidance for implementing desired behaviors into practice?

Answer: Principles, Policies, and Frameworks (A)

Which of the following is a characteristic of rogue mobile apps?

Answer: They appear legitimate while being malicious (D)

Which risk is NOT associated with cloud computing?

Answer: Physical theft of data centers (D)

What is the main purpose of Network Hardening?

Answer: To remove unused ports and block unnecessary protocols (A)

What does the STRIDE threat modeling methodology focus on?

Answer: Categorizing different types of threats to systems (D)

What does Zero Trust assume about a company's network?

Answer: It is always at risk despite user authentication (D)

Which of the following is a characteristic of vishing?

Answer: Using telephone systems to deceive individuals (C)

Which of the following best describes 'Need to Know' access control?

Answer: Access limited to data necessary for tasks (D)

What is the first phase in the stages of a cyberattack?

Answer: Reconnaissance (B)

What is the primary function of Whitelisting in cybersecurity?

Answer: To create a list of authorized applications (C)

Which control is part of the COSO framework for governance?

Answer: Risk Assessment (B)

Which authentication technology uses physical human characteristics?

Answer: Biometrics (C)

What is the main purpose of a Risk-Based Access Control strategy?

Answer: To apply controls based on the asset's risk level (D)

Which of the following best defines an Acceptable Use Policy?

Answer: An outline of acceptable behavior and consequences (D)

What is a significant risk related to IoT devices?

Answer: Lack of device mismanagement (A)

How does Multi-Factor Authentication increase security?

Answer: By requiring more than one method of verification (C)

Which measure is considered a Corrective Control?

Answer: Patches and upgrades (B)

What is the function of a Virtual Private Network (VPN)?

Answer: To encrypt communications and ensure data security (B)

What role do Access Control Lists (ACL) serve in cybersecurity?

Answer: They outline permissions for user access to resources (D)

Which one of the following is NOT a phase in threat modeling?

Answer: Conduct Training (A)

What does layered security combine to enhance protection?

Answer: Personnel, policies, and technology (D)

What is the purpose of Context Aware Authentication?

Answer: To authenticate users based on relevant data points (B)

Which access control method allows data owners to manage their own data?

Answer: Discretionary Access Control (B)

What does the NIST Cybersecurity Framework's 'Recover' component entail?

Answer: Transition from a vulnerable state to a mitigated state (A)

Which of the following is NOT a preventative control?

Answer: Virus quarantining (C)

Flashcards

What is the NIST Cybersecurity Framework (CSF)?

The NIST Cybersecurity Framework (CSF) is a standardized guide designed to help organizations manage cybersecurity risk.

What are the five core functions of the NIST CSF?

The five core functions of the NIST CSF are Identify, Protect, Detect, Respond, and Recover. Each function encompasses specific categories and subcategories that help organizations manage cybersecurity risks systematically.

What are the Implementation Tiers in the NIST CSF?

The Implementation Tiers in the NIST CSF represent the degree to which an organization has integrated information security practices. They range from "Tier 1: Partial" (ad hoc) to "Tier 4: Adaptive" (responsive to evolving threats).

What are Framework Profiles in the NIST CSF?

Framework Profiles within the NIST CSF represent the current state of organizational risk management (Current Profile) and the desired future state (Target Profile). By comparing these profiles, organizations can identify gaps in their security posture.


What is the importance of the NIST CSF?

The NIST Cybersecurity Framework (CSF) is a comprehensive guide for managing cybersecurity risks through a systematic and structured approach. It is a vital tool for organizations of all sizes, enabling them to improve their cybersecurity posture and protect their critical data and systems.


NIST Privacy Framework

A framework developed by NIST to help organizations manage and protect sensitive data, regardless of industry. It aligns with the NIST Cybersecurity Framework, offering a comprehensive approach to privacy.


Identify (NIST Privacy Framework)

A core component of the NIST Privacy Framework that identifies potential privacy risks related to data processing. This step helps organizations understand their vulnerabilities and prioritize mitigation strategies.


Govern (NIST Privacy Framework)

The NIST Privacy Framework's approach to data protection includes establishing a robust governance structure. This involves defining roles, responsibilities, and decision-making processes related to privacy.


Control (NIST Privacy Framework)

A key component of the NIST Privacy Framework that focuses on managing risks through effective controls. This involves implementing safeguards, assessing and monitoring these measures, and ensuring they are effective.


Communicate (NIST Privacy Framework)

The process of communicating about privacy risks is crucial in the NIST Privacy Framework. This involves engaging with stakeholders, transparency about data handling practices, and fostering clear communication regarding privacy issues.


Protect (NIST Privacy Framework)

One of the framework's core components, Protect involves implementing safeguards like encryption, access controls, and data minimization to secure sensitive information.


Detect (NIST Privacy Framework)

The NIST Privacy Framework emphasizes the importance of detecting privacy risks early. This can be achieved through regular monitoring, data analysis, and risk assessment.


Respond (NIST Privacy Framework)

A key step in the NIST Privacy Framework that focuses on responding to privacy breaches effectively. This includes incident response plans, communication strategies, and actions to mitigate damage.


Recover (NIST Privacy Framework)

The final stage of the NIST Privacy Framework involves recovering from a privacy breach, ensuring business continuity. This includes restoring data, rebuilding systems, and implementing corrective actions.


Privacy Framework Tiers

This refers to the different maturity levels within the NIST Privacy Framework, similar to the framework's cybersecurity counterpart. Organizations can progress through tiers as they enhance their privacy practices.


What are Administrative Safeguards?

Administrative safeguards focus on policies and procedures for managing security.


What are Physical Safeguards?

Physical safeguards are about securing access to physical locations and devices.


What are Technical Safeguards?

Technical safeguards use technology to control access and protect data.


What are the key changes HITECH brought to HIPAA?

HITECH expanded HIPAA by increasing penalties, requiring electronic record access, adding 'business associates' as covered entities, and requiring breach notification to impacted individuals.


What is GDPR?

GDPR is the EU's general data protection law, known for its strict privacy regulations and high violation penalties.


When does GDPR apply outside the EU?

Even if outside the EU, GDPR might apply to data processors based in the EU, those offering services in the EU, and those monitoring data subjects in the EU.


What are the six principles of GDPR?

LPDALC - Lawfulness, Purpose Limitation, Data Minimization, Accuracy, Storage Limitation, Integrity and Confidentiality.


What is Purpose Limitation?

Purpose Limitation focuses on processing data for specified, explicit, and legitimate purposes (SEL).


What is Data Minimization?

Data Minimization requires processing only the data relevant, adequate, and necessary for the purpose (RAN).


What is PCI DSS?

PCI DSS is a data security standard created specifically for cashless transactions.


What are the six goals of PCI DSS?

BPVSTP - Build a secure network, protect cardholder data, vulnerability management, strong access control, network monitoring, information security policy.


What is CIS?

CIS is a set of recommended actions, processes, and best practices for strengthening cybersecurity defenses.


How is CIS Controls structured?

CIS Controls Version 8 has 18 controls and 153 safeguards, organized by device management and task-focused activities.


What are the design principles of CIS Controls?

AMOFF - Align with other standards, Measurable, Offense-informed, Focus on critical issues, Feasible to implement.


What are the different CIS Implementation Groups?

IG1 has limited defense mechanisms, limited expertise, and non-sensitive data. IG2 has IT staff supporting multiple departments and sensitive data. IG3 has security experts in all domains, sensitive data, and regulatory oversight.


Create Steering Committee

The process of creating a team responsible for guiding and overseeing the adoption of cloud computing services within an organization.


Assess Risk of Adding CSP

Evaluating the potential risks associated with adopting a cloud service provider, including security, reliability, and vendor lock-in.


Define CSP Systems & Structure

Clearly outlining the systems and infrastructure provided by a cloud service provider, such as storage, computing power, and network capabilities.


Integrate CSP Governance

Ensuring that your organization's existing risk management policies integrate smoothly with the security and compliance regulations associated with the chosen cloud service provider.


Reasonableness Test

Tests that verify if the data entered into a system falls within a reasonable range, preventing errors like entering a negative amount for a sales transaction.


Computer Hardware

Physical components of a computer system, including internal parts like the microprocessor and external peripherals like keyboards and monitors.


End-User Devices

Devices that allow direct user interaction, such as laptops, tablets, and wearables.


Microprocessor

The brain of a computer, responsible for processing instructions and data.


External Peripheral Devices

Devices that connect to a computer but are not part of its core functionality, like keyboards, mice, and printers.


Router

A network device that connects multiple devices and routes data packets to their destinations.


Hub

A network device that connects multiple devices, but it doesn't route data packets based on destination.


Gateway

A device that connects a network to another network, potentially using different protocols.


Protocol

A set of rules governing the format and transmission of data over a network. TCP/IP is a common example.


Firewall

A software or hardware system that acts as a barrier between a network and external threats. They control access and monitor traffic.


Network Topology

A layout or arrangement of devices and connections in a network, such as a bus, mesh, ring, or star topology.


File Transfer Protocol (FTP)

A protocol that transfers files between computers.


Simple Mail Transfer Protocol (SMTP)

A protocol that sends emails between computers.


Electronic Data Interchange (EDI)

A standardized format for exchanging electronic documents between businesses.


Presentation Layer

The sixth layer of the OSI model, responsible for transforming data for interpretation by other devices.


American Standard Code for Information Interchange (ASCII)

A standard character encoding that uses 7 bits to represent 128 characters, including letters, numbers, and symbols.


Joint Photographic Experts Group (JPEG)

A standard image compression format, known for its lossy compression.


Moving Pictures Expert Group (MPEG)

A standard for compressing and encoding digital video and audio.


Session Layer

The fifth layer of the OSI model, responsible for managing communication sessions between devices.


Structured Query Language (SQL)

A standard language for communicating with databases.


Remote Procedure Call (RPC)

A method of communication where a program on one computer can call a procedure on another computer.


Network File System (NFS)

A network file system that allows devices on a network to share files and resources.


Transport Layer

The fourth layer of the OSI model, responsible for managing communication connections between devices.


Transmission Control Protocol (TCP)

A reliable and connection-oriented protocol that guarantees data delivery in order.


User Datagram Protocol (UDP)

A connectionless protocol that provides fast but unreliable data delivery.


Network Layer

The third layer of the OSI model, responsible for routing data packets between networks.


Cold Site

A disaster recovery site with only basic infrastructure (no equipment), requiring 1-3 days to become operational. It's the cheapest option, but requires significant setup time.


Warm Site

A disaster recovery site with equipment already installed but not plugged in, requiring 0-3 days to be operational. It's moderately expensive, offering a quicker recovery time than a Cold Site.


Hot Site

A fully equipped and operational disaster recovery site, offering seamless transition in case of disruption. It's the most expensive option, but delivers the fastest recovery time, with immediate operation.


Full Backup

A backup process that creates a complete copy of an entire database. While time consuming, it allows for rapid database recovery. Most organizations implement this weekly.


Incremental Backup

A backup method where only changes since the last backup are copied. It's time-efficient but requires a full backup for complete restoration.


What is a TPS?

A transaction processing system (TPS) is a type of information system used to record and process routine business transactions.


What is an FRS?

Financial reporting systems (FRS) aggregate daily financial information from other sources, like TPS, to produce financial statements and reports for external users.


What is an MRS?

A management reporting system (MRS) provides internal management with information for decision-making purposes, such as budgeting and variance analysis.


Explain the AIS process in a few words.

The AIS process involves capturing data, recording transactions, and producing financial statements.


What is the purchasing and disbursements cycle?

The purchasing and disbursements cycle covers the process of purchasing goods or services, receiving them, and making payment.


What is the treasury cycle?

The treasury cycle handles the management of cash and other liquid assets, such as investments.


What is the payroll cycle?

The payroll cycle tracks the process of paying employees for their work, including calculating wages, deductions, and taxes.


What is the revenue and collections cycle?

The revenue and collections cycle tracks the process of selling goods or services and collecting payment from customers.


What is the production cycle?

The production cycle tracks the process of manufacturing goods, including the costs associated with materials, labor, and overhead.


What is the fixed asset cycle?

The fixed asset cycle tracks the acquisition, depreciation, and disposal of long-term assets, such as property, plant, and equipment.


What are the benefits of ASPs for ERP?

Application service providers (ASPs) can provide ERP software on a subscription basis, offering lower costs and greater flexibility.


Explain automation and shared services.

Automation involves using technology to perform repetitive tasks, while shared services aim to centralize and standardize redundant services.


What is outsourcing and offshore operations?

Outsourcing involves contracting services to an external provider, often located in another country, known as offshore operations.


What is RPA?

Robotic process automation (RPA) uses software with AI and ML capabilities to automate high-volume tasks.


What is NLP?

Natural language processing (NLP) software enables computers to understand and interpret human language.


What is a neural network?

A neural network is a type of AI system modeled after the human brain, consisting of interconnected nodes that process information.


What is a Data Warehouse?

A database containing vast amounts of data, often from various sources, used for reporting and analysis. It must be regularly updated to maintain relevance.


What is an Operational Data Store (ODS)?

A type of database frequently used as a temporary holding area for a data warehouse. It stores data about operational activities like customer purchases and supplier payments.


What is a Data Mart?

A specialized data warehouse focusing on a specific business area, such as marketing. Different departments often have tailored data marts.


What is a Data Lake?

A repository that stores both structured and unstructured data in its raw format, without transforming it first.


What is a Relational Database?

The most prevalent method for storing structured data. It organizes data in a structured model for efficient retrieval.


What is a Primary Key?

A unique identifier for each record in a table. It ensures that every record can be easily distinguished.


What is a Composite Primary Key?

A combination of attributes that jointly act as a unique identifier for a record when a single attribute cannot be used.


What is a Foreign Key?

An attribute in one table that references the primary key of another table. It creates links between related data.


What is a Data Dictionary?

A document containing information about the structure of a database. It outlines each data element and its characteristics.


What is Data Normalization?

A process of organizing data to eliminate redundancy and improve data integrity. Different forms exist, each with specific rules.


Mirroring

The process of copying a database onto a machine at the same site.


Change Management

Policies, procedures, and resources used to manage changes within an organization.


Baseline Configuration

A documented starting point for a system before any changes are applied.


System Component Inventory

A list that catalogs all the IT assets within an organization.


Acceptance Criteria

Criteria used to measure the success of a change, covering aspects like performance, functionality, and compliance.


Pre-Implementation Testing

Testing a system change before implementing it in a live environment.


Reversion Access

The ability to revert a system back to its original state after a failed change.


Development Environment

The environment where application code is first written and developed.


Testing Environment

The environment where developers test and debug application code to identify errors.


Staging Environment

The environment used to test applications in their final stages, mimicking real-world conditions.


Production Environment

The environment where a finished application is launched and made available to users.


Agile Method

A method for developing software where different teams work on different phases or tasks simultaneously.


Patch Management

The process of identifying and addressing vulnerabilities or bugs in software using patches or fixes.


Active Data Collection

A method of data collection that involves gathering data directly from employees, customers, or users.


Passive Data Collection

A method of data collection that gathers information passively, without direct permission, such as website analytics.


Data Flow Diagram (DFD)

A standardized tool for creating diagrams that depict the logical flow of data through a system.


Flowchart

A visual representation of how documents and information flow through a process, showing both logical and physical flow.


System Interface Diagram

A diagram showcasing the interaction between logical and physical flow, demonstrating how users and internal/external functions interface with systems.


Network-Based Attack

A cyberattack that exploits network infrastructure to disrupt operations.


Covert Channels

A method of data transmission that uses unintended pathways, hidden within legitimate channels.


Buffer Overflow

An attack where an attacker intentionally overloads a program's buffer with more input than it can handle, potentially injecting malicious code.


Denial of Service (DoS)

An attack that floods a network with excessive traffic, overwhelming it and preventing it from responding to service requests.


Distributed Denial of Service (DDoS)

A type of DoS attack where multiple attackers simultaneously flood a network with traffic.


Man-in-the-Middle (MITM) Attack

An attack where an attacker intercepts communications between two parties, eavesdropping on the exchange and potentially capturing the information.


Replay Attack

An attack where a cybercriminal eavesdrops on a communication, intercepts it, and then replays the message at a later time.


What are COBIT's core model objectives?

COBIT's core model consists of one governance objective (EDM) and four management objectives (APO, BAI, DSS, MEA) that help organizations effectively govern and manage their IT resources.


What is the EDM Objective?

EDM focuses on evaluating strategic objectives, directing management towards achieving them, and monitoring their progress.


What are the management objectives in COBIT's core model?

APO, BAI, DSS, and MEA are the four management objectives that provide guidance on various aspects of IT management. These objectives are interconnected and work together to create a robust IT framework.


What is the APO objective?

Align, Plan, and Organize (APO) involves aligning IT strategy with business goals, planning IT usage, and organizing resources effectively. It emphasizes the importance of aligning IT with the overall business strategy.


What is the BAI objective?

Build, Acquire, and Implement (BAI) focuses on acquiring, building, and implementing IT systems. It encompasses vital aspects of IT infrastructure and deployment.


What is the DSS objective?

Deliver, Service, and Support (DSS) revolves around providing ongoing IT services, resolving problems, and ensuring business continuity. It focuses on the day-to-day operation and support of IT systems.


What is the MEA objective?

Monitor, Evaluate, and Assess (MEA) involves continuously monitoring IT performance, evaluating its effectiveness, and assessing risks. It ensures that IT processes align with the intended goals and that any issues are addressed promptly.


What are the seven components of COBIT 2019?

COBIT 2019 outlines seven components that together create a comprehensive IT governance system. These components form the framework for effective governance and management of IT resources.


What are the Processes within COBIT 2019?

Processes are the set of activities that help achieve IT goals. They define the steps involved in managing and governing IT resources.


What is the Organizational Structure within COBIT 2019?

Organizational Structure outlines the decision-making entities within the organization related to IT. It clarifies roles and responsibilities.


What are Principles, Policies, and Frameworks within COBIT 2019?

Principles, Policies, and Frameworks are the guidelines that turn desired behavior into practice. They provide direction and consistency in IT governance.


What is Information within COBIT 2019?

Information is the data needed for the governance system to function effectively. It includes relevant information about IT processes, risks, and performance.


What are Culture, Ethics, and Behavior within COBIT 2019?

Culture, Ethics, and Behavior are influential factors that impact the success of IT governance and management. They encompass the values and behaviors that guide individuals and organizations in their IT practices.


What are People, Skills, and Competencies within COBIT 2019?

People, Skills, and Competencies refer to the human resources needed for effective IT governance. It emphasizes the importance of employees who can make sound decisions, take corrective actions, and contribute to achieving critical objectives.


What are Services, Infrastructure, and Applications within COBIT 2019?

Services, Infrastructure, and Applications are the tools and resources required for the governance system to operate. They include the hardware, software, and networks that support IT processing.


What are the design factors in COBIT 2019?

COBIT 2019 offers 11 design factors that help organizations tailor their IT governance systems to their specific needs and circumstances.


What is Enterprise Strategy in COBIT 2019?

Enterprise Strategy defines the organization's overall direction. It includes primary and secondary strategies such as growth, innovation, cost leadership, or client service.


What are Enterprise Goals within COBIT 2019?

Enterprise Goals are objectives that organizations strive to achieve. They are often structured based on the balanced scorecard, considering financial, customer, internal, and growth perspectives.


What is Risk Profile within COBIT 2019?

Risk Profile assesses the current risk exposure of the organization and its risk appetite. It helps identify the level of risks the organization is willing to take or mitigate.


Reconnaissance

Attackers collect information about their target before launching an attack.


Gaining Access

Attackers gain unauthorized access to a system or network.


Escalation of Privileges

Attackers escalate their access to gain higher-level privileges.


Maintaining Access

Attackers maintain their foothold in the system for a duration.


Network Exploitation and Exfiltration

Attackers use the compromised system to carry out the attack.


Covering Tracks

Attackers attempt to cover their tracks by erasing evidence.


Worm

A type of malicious software that spreads to other computers.


Trojan Horse

A program that appears legitimate but contains malicious code.


Adware

Software that displays unwanted ads.


Spyware

Software that secretly gathers information about a user.


Rogue Mobile Apps

A malicious app disguised as something legitimate.


Social Engineering

Using social tactics to manipulate people into revealing information.


Phishing

Sending authentic-looking emails to trick users into giving up personal information.


WiFi Protected Access (WPA)

A security protocol that encrypts Wi-Fi connections.


System Hardening

The process of reducing security risks by minimizing access points.


Examination (Security Assessment)

A process of analyzing, observing, and reviewing assessment objectives to evaluate security controls.


Interviewing (Security Assessment)

Gathering information about a system's security posture by having individual or group discussions with relevant personnel.


Testing (Security Assessment)

Testing how a system or object performs in its current state compared to its intended security goals. It involves simulating real-world attacks to identify vulnerabilities and weaknesses.


Security Assessment Report (SAR)

A document issued as evidence of whether security controls are complying with stated security goals and objectives.


Obfuscation

The process of replacing production data or sensitive information with less valuable data to protect it from unauthorized access.


Phishing Simulations

A security awareness program initiative that involves sending out fake phishing emails to teach employees to identify and avoid such scams.


Security Program Champions

A security awareness program initiative that involves identifying and training employees to become advocates and ambassadors for cybersecurity practices.


Tokenization

A technique that involves replacing real data with a random value or token, preventing unauthorized access to the original information.


Masking

A technique that replaces certain characters in data with other characters (like asterisks) to disguise sensitive information while still maintaining a structure.


Encryption

The most secure method of protecting data where information is scrambled using a key to make it unreadable without the appropriate key.


Inherent Risk

The risk that a control will not prevent or detect a misstatement.


Service Commitment

A statement made by management about the design and operation of a service organization's system.


System Requirement

A specification about how the system should function to meet the service commitment.


Deviation or Exception

An instance where a control does not operate as intended.


Deficiency in Design

A control that is missing or improperly designed.


Deficiency in Operating Effectiveness

A control that is properly designed but not operating correctly.


Written Assertion

A statement by management or a third party that provides reasonable assurance about the reliability of an assertion.


Description Misstatement

A type of misstatement that occurs when there is an error or omission in the description of a system.


Control Risk

The risk that a misstatement that could occur will not be prevented or detected by the service organization's internal control.


Detection Risk

The risk that a misstatement that could occur and is not prevented or detected by the service organization's internal control will not be prevented or detected by the auditor's procedures.


Least Privilege

A security practice that limits access to systems and data based on the minimum necessary for an individual's job role.

Zero Trust

A security model that grants no implicit trust based on network location or on a previous authentication: the network is assumed to be hostile, and every request is authenticated, authorized and re-evaluated on its own merits.

Multi-Factor Authentication (MFA)

A security practice that requires users to prove their identity through multiple factors, such as a password and a one-time code.

Biometrics

A method of authentication that uses unique biological characteristics to verify identity, such as fingerprints or facial recognition.

Whitelisting

A security practice that involves creating a list of approved applications that are allowed to run on a system. All other applications are blocked.

NIST Cybersecurity Framework (CSF)

A voluntary, standardized guide for managing cybersecurity risk in organizations. CSF 1.1 is built on five core functions: Identify, Protect, Detect, Respond, and Recover; CSF 2.0 (2024) adds a sixth, Govern.

Common Vulnerabilities and Exposures (CVE) Dictionary

A list of standard identifiers (CVE-YYYY-NNNN, with four or more digits) for publicly disclosed vulnerabilities, maintained by MITRE as the CVE Program, so that scanners, advisories and vendors all refer to the same flaw by the same name.

Layered Security

A security concept that involves combining multiple layers of security controls, including physical, logical, and administrative measures, to protect critical assets.

Defense in Depth

A security strategy that combines personnel, policies, technology, physical access controls, and logical access controls to strengthen overall security.

Preventative Controls

A security control that aims to prevent unauthorized access or actions, often by employing mechanisms like access controls, encryption, and firewalls.

Detective Controls

A security control that focuses on detecting security incidents or breaches after they occur, such as log analysis, intrusion detection systems, and antivirus monitoring.

Corrective Controls

A security control that aims to rectify or mitigate a security vulnerability or breach, involving actions like quarantining malware, patching vulnerabilities, or restoring systems.

Role-Based Access Control (RBAC)

A method of managing access in which permissions are attached to roles and users are assigned roles, never raw permissions. A change in someone's responsibilities is handled by changing their role assignments, so access follows the job rather than accumulating per person.

Access Control List (ACL)

A set of rules outlining which users are permitted to access specific resources, like files, folders, directories, or other IT assets.

Provisioning

A process that involves creating user accounts and assigning appropriate privileges based on their job roles.

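
The least privilege, RBAC, ACL and provisioning flashcards above describe pieces of one mechanism; the block below puts them together in a small default-deny authorizer, as an added example that is not part of the original page. The role names, permission strings, users, resources and the separation-of-duties rule are constructed for illustration.

```python
"""Role-based access control with per-resource ACL entries and default deny.

Added example, not from the original page. Roles, permission strings,
users and resources are constructed for illustration.
"""
from dataclasses import dataclass, field

# RBAC: permissions belong to roles. Users receive roles, never raw
# permissions, and each role holds only what that job needs (least privilege).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "ap_clerk":   {"invoice:read", "invoice:create"},
    "ap_manager": {"invoice:read", "invoice:approve"},
    "auditor":    {"invoice:read", "ledger:read"},
}

# Separation of duties (constructed rule): one person must not both create
# and approve invoices.
CONFLICTING_ROLE_PAIRS = {frozenset({"ap_clerk", "ap_manager"})}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)


@dataclass
class Resource:
    name: str
    # ACL: explicit per-user grants on this one resource (user -> actions)
    acl: dict[str, set[str]] = field(default_factory=dict)
    # explicit per-user denials, which override every grant
    denied_users: set[str] = field(default_factory=set)


def provision(user: User, role: str) -> None:
    """Provisioning: only roles that exist can be assigned, and a role that
    conflicts with one the user already holds is refused."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    for pair in CONFLICTING_ROLE_PAIRS:
        if role in pair and (pair - {role}) <= user.roles:
            raise ValueError(f"role {role!r} conflicts with existing roles of {user.name}")
    user.roles.add(role)


def deprovision(user: User) -> None:
    """Offboarding removes every role. Because nothing was ever granted to
    the user directly, no permission can survive the user's departure."""
    user.roles.clear()


def role_permissions(user: User) -> set[str]:
    perms: set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return perms


def is_allowed(user: User, action: str, resource: Resource) -> bool:
    """Default deny. Evaluation order:
    1. an explicit ACL denial on the resource wins over everything;
    2. an explicit ACL grant for this action on this resource allows it;
    3. otherwise the user's roles must carry the permission."""
    if user.name in resource.denied_users:
        return False
    if action in resource.acl.get(user.name, set()):
        return True
    return action in role_permissions(user)


if __name__ == "__main__":
    alice = User("alice")
    provision(alice, "ap_clerk")
    invoice = Resource("INV-1001")
    print(is_allowed(alice, "invoice:create", invoice))   # True
    print(is_allowed(alice, "invoice:approve", invoice))  # False
    deprovision(alice)
    print(is_allowed(alice, "invoice:read", invoice))     # False
```

The design choice worth noticing is that `is_allowed` has no branch that returns `True` without a matching grant: an empty role set, an unknown role and a missing ACL entry all fall through to deny, which is what "least privilege" looks like in code.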
SOC 2 Opinion

The auditor's opinion on the effectiveness of the service organization's controls, considering whether the controls were properly designed and operating effectively.

Qualified SOC 2 Report

A type of SOC report where the auditor expresses a qualified opinion on the effectiveness of controls due to identified material issues that are not pervasive.

Adverse SOC 2 Report

A type of SOC report where the auditor expresses an adverse opinion on the effectiveness of controls due to identified material issues that are pervasive and significant.

Disclaimer SOC 2 Report

A type of SOC report where the auditor cannot form an opinion on the effectiveness of controls due to insufficient evidence or scope limitations.

SOC 2 Type 2 Report

A SOC 2 report in which the auditor tests whether the controls over the selected Trust Services criteria (security, availability, processing integrity, confidentiality, privacy) were suitably designed and operated effectively throughout a review period, typically 6 to 12 months. A Type 1 report covers only the design of those controls as of a single date.

Management's Description of System

Detailed descriptions of the service organization's system that are crucial for understanding the scope of the SOC report.

Management's Assertion

A written statement from service organization management that its description of the system is fairly presented and that the controls were suitably designed (and, for a Type 2, operated effectively) to meet the service commitments and system requirements. It accompanies the auditor's report and is what the auditor's opinion is about.

Complementary Subservice Organization Controls (CSOC)

Controls implemented by a vendor (sub-service organization) that are necessary to achieve the service organization's control objectives.

Carve Out Method

An auditing approach where the auditor examines the service organization's controls and excludes any relevant controls at the sub-service organization.

Inclusive Method

An auditing approach where the auditor examines the service organization's controls, including any relevant controls at the sub-service organization.

Incident Response Plan (IRP)

A plan that defines how an organization will respond to a cyberattack, outlining procedures, personnel, and information.

Incident Response Timeline

A chart that depicts the timeline of an IRP, highlighting key stages like detection, containment, and recovery.

Incident Response Team

A team responsible for handling cybersecurity incidents within an organization.

Event

Any observable occurrence in a system or network (NIST SP 800-61), such as a login, a blocked connection or a service crash. An event may or may not represent a threat to the organization.

Adverse Event

An event that has negative consequences for an organization, regardless of intention.

Computer Security Incident

An adverse event that violates, or poses an imminent threat of violating, security policy or acceptable-use policy (NIST SP 800-61). Malicious intent is typical but is not part of the definition; an accidental exposure of data is still an incident.

PDCERRL Incident Response Framework

A framework for responding to cyberattacks, emphasizing preparation, detection, containment, eradication, reporting, recovery, and learning.

Mean Time to Detect (MTTD)

The average time taken to detect an incident.

Mean Time to Contain (MTTC)

The average time taken to contain an incident and prevent further damage.

Cybersecurity Simulation

A simulated attack against an organization's systems to test its response capabilities.

Cyber Insurance

A type of insurance policy designed to cover losses associated with cyberattacks.

SOC 1 Report

A report on a service organization's controls that are relevant to its user entities' internal control over financial reporting, written for the user entities and their financial statement auditors.

SOC 2 Report

A report that provides assurance about an organization's internal controls over specific non-financial trust services.

Study Notes

NIST Cybersecurity Framework

  • NIST itself dates from 1901 (as the National Bureau of Standards); the Cybersecurity Framework was first published in 2014, revised as version 1.1 in 2018 and version 2.0 in 2024.
  • Three standardized frameworks: CSF, Privacy Framework, SP 800-53.
  • Framework Core functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER, plus GOVERN, added in CSF 2.0.
  • CSF 1.1: 5 functions, 23 categories, 108 subcategories. CSF 2.0: 6 functions, 22 categories, 106 subcategories.
  • Implementation Tiers: Tier 1 (partial), Tier 2 (risk-informed), Tier 3 (repeatable), Tier 4 (adaptive). Based on risk management process, program integration, and external participation.
  • Framework Profiles: current and target profiles, gap analysis between them.

NIST Privacy Framework

  • Data protection framework, industry-agnostic.
  • Overlaps with NIST CSF.
  • Five core functions: Identify-P, Govern-P, Control-P, Communicate-P, Protect-P. Detecting, responding to and recovering from cybersecurity-related privacy events is handled through the CSF's Detect, Respond and Recover functions.
  • Tiers identical to NIST CSF Tiers (1-4). Based on Risk Management, Program Integration, External Participation and Workforce.

NIST SP 800-53

  • Security and Privacy Controls for information systems.
  • Standard for federal information security systems.
  • 20 control families (e.g., AC Access Control, AT Awareness and Training, CM Configuration Management).
  • Control implementation approaches: Common, System-Specific, Hybrid.
  • Intended for security and privacy assessment and monitoring personnel, logistical/disposition roles and system developers.

Data Breach Consequences

  • Business disruptions, reputation harm, financial loss, data loss, legal and regulatory implications.
  • Average cost per breach in widely cited industry surveys: around $4 million.

HIPAA

  • Health Insurance Portability and Accountability Act.
  • Promotes health care privacy and security with standards for PHI (protected health information).
  • Covered entities include health care providers, health plans, and health care clearing houses.
  • Security Rule protects confidentiality, integrity, and availability of PHI.

HITECH

  • Increased HIPAA penalties, gave patients the right to obtain electronic copies of their records, and made business associates directly subject to HIPAA Security Rule requirements and liable for violations.
  • Requires notification of breaches within 60 days of discovery.

GDPR

  • General Data Protection Regulation (European Union).
  • One of the strictest privacy laws in force, with fines of up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher.
  • Applies to controllers and processors established in the EU, and to those outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
  • Six principles: Lawfulness, Fairness, Transparency; Purpose Limitation; Data Minimization; Accuracy; Storage Limitation; Integrity and Confidentiality.

PCI DSS

  • Payment Card Industry Data Security Standard for cashless transactions and data security.
  • 6 Goals: Build and Maintain a Secure Network and Systems; Protect Cardholder Data; Maintain a Vulnerability Management Program; Implement Strong Access Control Measures; Regularly Monitor and Test Networks; Maintain an Information Security Policy.

Center for Internet Security (CIS) Controls

  • Recommended set of actions, processes, and best practices for strengthening cybersecurity defenses.
  • Supported by the SANS Institute.
  • CIS Controls Version 8: 18 Controls, each broken down into Safeguards (153 in total).
  • Implementation Groups (IG1-IG3): prioritized subsets of the Safeguards for increasing levels of risk, resources and sophistication; IG1 is the essential cyber hygiene baseline.
  • Design Principles (AMOFF): Align, Measurable, Offense informs defense, Focus, Feasible.

COBIT 2019 Framework

  • Control Objectives for Information and related Technologies. Developed by ISACA.
  • 6 Governance System Principles (VHDDTE), 3 Governance Framework Principles (CFA).
  • Core Model: 40 governance and management objectives in 5 domains, 1 governance domain (EDM: Evaluate, Direct and Monitor) and 4 management domains (APO, BAI, DSS, MEA).
  • 7 Components of Governance Systems (POPICPS), 11 Design Factors.

IT Infrastructure

  • Computer Hardware (internal and external peripherals).
  • Network Infrastructure Hardware (modems, routers, switches, gateways, edge-enabled devices, servers and firewalls).
  • Network Protocols (TCP/IP).
  • Network Topologies (Bus, Mesh, Ring, Star).
  • OSI Model (7 layers).
  • Operating Systems (OS).
  • Mobile Technology.
  • Cloud Computing (IaaS, PaaS, SaaS, Deployment Models).
  • CSPs (Cloud Service Providers).
  • COSO Enterprise Risk Management Framework (components).

Enterprise and Accounting Information Systems

  • Types of Processing Controls (input, output, processing, access)
  • Enterprise Resource Planning (ERP) systems.
  • Accounting Information systems (AIS).
  • Reasonableness Tests.
  • AIS Subsystems (TPS, FRS, MRS).
  • Goals of AIS Subsystems.
  • Processes of purchasing, treasury, payroll, revenue, and collections cycles.
  • AIS process: input, source document filing, transaction recording, general/subsidiary ledger posting, preparing trial balance, adjusting entries, financial reporting.
  • Benefits of Application Software Providers (ASPs).
  • Processes driven by IT Systems (automation, shared services, outsourcing).
  • Offshore operations and the risks of outsourcing.
  • Technology forms like RPA, NLP, Neural networks.
  • Blockchain, COSO Principles related to blockchain.

Availability, Resiliency, and Disaster Recovery

  • Business Resiliency, Business Continuity plans (BIA process).
  • System Availability Controls (redundancy, backups).
  • Crisis Management.
  • Disaster Recovery (different sites), Backup Types.
  • Recovery Point Objective (RPO), Recovery Time Objective (RTO), Mean Time To Repair (MTTR).

Change Management

  • Change Management policies, procedures, and resources.
  • Change Management Process (11 steps).
  • Documenting systems controls (baseline, inventory, acceptance criteria)
  • Change Management Controls.
  • Types of Change Environments (development, testing, staging, production, disaster recovery)
  • Integration risks (user resistance, management/stakeholder support, resources, and disruptions).
  • Testing change implications, logging (application, change, event, firewall, network, proxy).
  • Development models (Waterfall, Agile).
  • Patch Management, Patch Management Programs, Conversion Methods, Testing Methods (Unit, Integration, System, Acceptance).

Data Collection and Data Lifecycle

  • Data Lifecycle Process (DCP, SAPAP, stages in detail).
  • Data Collection Types (active, passive).
  • ETL processes.
  • Complexities of external data sources (copyright, safety, integrity).

Data Storage and Database Design

  • Operational Data Store (ODS).
  • Data Warehouse, Data Mart.
  • Data Lake.
  • Relational Databases (tables, attributes, records, fields).
  • Database keys (primary, composite, foreign).
  • Data Dictionary.
  • Data Normalization.
  • Data Model (Conceptual, Logical, Physical), Database Schemas (Fact, Dimension, Star, Snowflake).

Data Extraction, Integration, and Process Documentation

  • SQL (SELECT, FROM, JOIN, WHERE, GROUP BY, HAVING).
  • Data Flow Diagrams (logical flow, process, data flow, data store, external entity).
  • Flowcharts (logical and physical flow).
  • System Interface Diagrams, BPMN Activity models (events, tasks, flows, gateways).

Threats and Attacks

  • Threat Agents (attacker, hacker, adversary, government-sponsored, hacktivists, insiders).
  • Types of Cyberattacks (Network-Based, Application-Based, Host-Based, Social Engineering, Physical, Supply Chain).
  • Specific techniques (DoS, DDoS, man-in-the-middle (MITM), port scanning, reverse shell, return-oriented programming (ROP), spoofing).
  • Stages of an attack.
  • Risks related to cloud computing, mobile technologies, and IoT.

Mitigation

  • COSO - Business Objectives (operations, record-keeping, compliance).
  • COSO - Five Components of Internal Control (control environment, risk assessment, control activities, information and communication, monitoring activities).
  • Security Policies (acceptable use, BYOD).
  • Network Segmentation/Isolation.
  • System Hardening.
  • Authorization and Authentication (zero trust, least privilege, need-to-know, whitelisting).
  • Authentication Technologies (context aware, digital signatures, SSO, MFA, PIN, smartcards, token, biometrics).
  • Password Management.
  • Provisioning.
  • NIST Cybersecurity Framework functions applied to vulnerability management (Identify, Protect, Detect, Respond, Recover).
  • Common Vulnerabilities and Exposures (CVE) Dictionary.
  • Layered Security (Defense in Depth).

Incident Response

  • Incident Response Plan (IRP), Timeline.
  • NIST Response Team Models.
  • Events versus Incidents.
  • General Incident Response Plan (PDCERRL).
  • Testing IRP plans (simulations, metrics).
  • Insurable losses.

SOC Engagements

  • Types of SOC reports (SOC1, SOC2, SOC3).
  • Type 1 vs. Type 2.
  • Trust Services criteria (Confidentiality, Availability, Processing Integrity, Privacy, Security).
  • Alignment of Trust services to COSO.
  • Complementary Subservice or User Entity Controls (CSOC, CUEC).
  • Planning and Risk assessment considerations.
  • Auditor responsibilities.
  • Materiality considerations.

Reporting on SOC Engagements

  • Opinions (unmodified, qualified, adverse, disclaimer).
  • Key components of SOC reports.
  • Scope (carve-out, inclusive).
  • Responsibility of service organization, service auditor, and user entity.
  • Subsequent Events.
  • Misstatements, Modified Opinions, and Disclaimers.


Quiz Team

Description

Test your knowledge on the NIST Cybersecurity Framework components, including functions, tiers, and publications. This quiz covers critical aspects of organizational risk management and privacy considerations as outlined by NIST. Examine your understanding of the framework's purpose and core functions.
