50 Questions
What does the people layer of cybersecurity involve?
CISOs/Security Officers, domain experts, and employee awareness
What role do CISOs/Security Officers play in cybersecurity?
Strategic and tactical leaders
What is the estimated cost of cybercrime in 2021?
$6 trillion
What type of attack involves mass infection of systems and demands payment in exchange for restoring access to data?
Ransomware
What method do living-off-the-land attacks use to conduct attacks?
Trusted system tools
Which technological weakness allows hackers to exploit it before a fix is available?
Zero-day vulnerability
What is the average return per attack for hackers?
$4,500
What are some common cybersecurity threats mentioned in the text?
Spear phishing and ransomware
Which layer of cybersecurity forms the hygiene layer?
People layer
What is the primary focus of domain experts in cybersecurity?
Operating technology and solving cybersecurity issues
What do hackers use to influence their target selection?
Return on investment (ROI)
What is an ISMS?
A systematic approach for managing an organization's information security
What is ISO27002 primarily focused on?
Implementing security controls
Which of the following is a pillar of a security strategy?
Risk management
What does ISO27001:2017 mainly focus on?
Leadership and planning
What is the 'Fog of More' related to in cybersecurity?
Technical maturity
What is a threat in the context of cybersecurity?
A potential cause of an unwanted incident
What is the main focus of an ISMS?
Managing information security risk
What does an ISO27k family of standards mainly include?
Security controls and risk assessments
What does developing a cybersecurity strategy involve?
Defining tailored security strategy and roadmap
What does Cyber Compliance act as in the context of trade?
An essential barrier for trade in the context of security trends and security management.
What are the opportunities presented by cybersecurity?
Avoidance of direct damage and customer/investor confidence
Which Implementation Group (IG) is characterized by small to medium-sized organizations with limited IT and cybersecurity expertise?
IG1
Which Implementation Group (IG) prioritizes addressing the confidentiality and integrity of sensitive data?
IG3
Which Implementation Group (IG) supports multiple departments with varying risk profiles and may have regulatory compliance burdens?
IG2
Which Implementation Group (IG) must summarize findings and risks after a maturity assessment using the chosen governance standard?
IG3
Which Implementation Group (IG) employs individuals responsible for managing and protecting IT infrastructure?
IG2
Which Implementation Group (IG) is concerned about keeping business operational and protecting employee and financial information?
IG1
Which Implementation Group (IG) employs security experts specializing in different cybersecurity facets?
IG3
Which Implementation Group (IG) aims to thwart general attacks with sub-controls implementable with limited expertise?
IG1
What is the definition of risk as per ISO31000 and ISO27001:2017?
The potential harm or threat to an organization, determined by the impact and likelihood
What does Risk management for CI/CD servers, such as JIRA and Confluence, involve?
Assessing and protecting critical information assets
What are RTOs and RPOs in the context of risk management for assets like Active Directory Servers?
Recovery Time Objectives and Recovery Point Objectives
How many controls are outlined in ISO27001:2017 for effective risk management?
114 controls in 14 clauses and 35 control categories
What does the NIST Cyber Security Framework (CSF) provide guidelines for?
Developing a cyber security strategy
What are the two tracks focused on by the NIST CSF?
Governance and Technical tracks
What are the essential components of an effective cyber security strategy according to the NIST CSF?
Continuous diagnostics and mitigation, automation, and measurements and metrics
What do ISO27002:2017 and other standards provide additional controls and guidelines for?
Operational security governance, procedural guidelines, and technical controls
What does NIST do in relation to cyber security programs?
Validates cyber security programs and offers certifications for individuals as NIST CSF Practitioners
What is the purpose of the high-level description of the actions to take to mitigate the risk associated with finding A, B, and C?
To specify the more detailed actions to take for each high-level risk mitigating action
How can one set a target maturity over 3 years?
Based on benchmark figures within the same sector
What is suggested to be documented for each detailed action to take to mitigate risks?
Stakeholders, budget estimate, and timing
What is recommended to gain overall security maturity and make it demonstrable towards interested stakeholders during the 'Repeatable, Scalable & Profitable Growth' phase?
Adopt security standards (ISO27k, NIST, ...)
What is the purpose of dividing and conquering the cybersecurity task according to the text?
To divide the cybersecurity task among multiple persons
What is part of the essential security & compliance projects in the Ecosystem of partners?
Continuous vulnerability scanning
What is recommended to focus on during the 'Product/Market Fit' phase in terms of security objectives?
During which phase should one define basic non-functional requirements, manually threat model, validate security of MVP, and use subsidized security services to minimize costs?
"Product/Market Fit" phase
What is suggested as an example deliverable in "HOW TO DEVELOP A PROPER CYBER SECURITY STRATEGY"?
What should be prioritized and detailed over the coming (3) years according to the text?
What is suggested during the 'Repeatable, Scalable & Profitable Growth' phase in terms of security objectives?
Study Notes
- Risk is defined as the potential harm or threat to an organization, determined by the impact and probability. (ISO31000, ISO27001:2017)
- Risk management for CI/CD servers, such as JIRA and Confluence, involves assessing and protecting critical information assets.
- Example assets include Active Directory Servers, with different risk profiles, RTOs (Recovery Time Objectives), and RPOs (Recovery Point Objectives).
- ISO27001:2017 outlines 114 controls in 14 clauses and 35 control categories for effective risk management, including controls for information security policies, human resource security, and access control.
- The NIST Cyber Security Framework (CSF) provides guidelines for developing a cyber security strategy, with easy-to-understand categories and maturity levels for risk management.
- The NIST CSF focuses on options for both the Governance and Technical tracks, including the use of community support networks and prioritized controls for effective cyber defense systems.
- Continuous diagnostics and mitigation, automation, and measurements and metrics are essential components of an effective cyber security strategy, according to the NIST CSF.
- ISO27002:2017 and other standards provide additional controls and guidelines for operational security governance, procedural guidelines, and technical controls.
- NIST validates cyber security programs and offers certifications for individuals as NIST CSF Practitioners.
- The CIS Controls (V7.1) are recommended for the Technical Track, offering a prioritized set of actions that are community-supported, implementable, scalable, and compliant with industry and government security requirements.
- The 5 critical tenets of an effective cyber defense system, according to the NIST CSF, include offense informs defense, prioritization, measurements and metrics, and continuous diagnostics and mitigation.
Test your knowledge of risk management with this quiz. Evaluate your understanding of ISO31000, ISO27001:2017, CI/CD, servers, JIRA/Confluence, business impact assessment, and more.
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free
