NIST Cybersecurity Frameworks PDF
Summary
These flashcards cover questions and answers on NIST Cybersecurity Frameworks, including core components, implementation tiers, and profile differences. They are suitable for professionals in the cybersecurity field.
Full Transcript
© Becker Professional Education. All rights reserved.

National Institute of Standards and Technology Frameworks

Card 1 (FC-02045 #1)
Question: What are the three primary components to manage cybersecurity risk under the NIST Cybersecurity Framework?
Answer:
1. Framework Core
2. Framework Implementation Tiers
3. Framework Profile

Card 2 (FC-02046 #2)
Question: The NIST CSF framework core consists of five components. What are the five components?
Answer:
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

Card 3 (FC-02047 #3)
Question: State the NIST CSF Implementation Tiers that apply to the risk management process, risk management program integration, and external participation.
Answer:
Tier 1: Partial
Tier 2: Risk-Informed
Tier 3: Repeatable
Tier 4: Adaptive

Card 4 (FC-02048 #4)
Question: Explain the difference between a Current Profile and a Target Profile.
Answer: A Current Profile is the current state of organizational risk management. A Target Profile is the desired future state of organizational risk management. The differences between the current state and future state are identified in a gap analysis.

Card 5 (FC-02049 #5)
Question: Identify the eight framework functions under the NIST Privacy Framework Core.
Answer:
1. Identify-P
2. Govern-P
3. Control-P
4. Communicate-P
5. Protect-P
6. Detect
7. Respond
8. Recover

Card 6 (FC-02050 #6)
Question: What are the three control implementation approaches that are to be implemented on a per-control basis with respect to implementation models?
Answer:
1. Common (Inheritable): Implement controls at the organizational level, which are adopted by information systems.
2. System-Specific: Implement controls at the information system level.
3. Hybrid: Implement controls at the organization level where appropriate and the remainder at the information system level.

Privacy and Data Security Standards

Card 7 (FC-02051 #7)
Question: What are the two general categories of data breaches?
Answer:
Unintentional Data Breach: A breach resulting from negligence or error.
Intentional Data Breach: A breach resulting from bad actors illegally gaining access to data.

Card 8 (FC-02052 #8)
Question: What are three examples of safeguards for covered entities or business associates?
Answer: Administrative safeguards, physical safeguards, and technical safeguards.

Card 9 (FC-02073 #9)
Question: What are the six principles that must be followed when processing data in compliance with GDPR?
Answer:
1. Lawfulness, Fairness, Transparency
2. Purpose Limitation
3. Data Minimization
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality

Card 10 (FC-02074 #10)
Question: What are the six goals of the PCI DSS?
Answer:
1. Build and maintain a secure network and systems
2. Protect account data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

Center for Internet Security Critical Security Controls: Part 1

Card 11 (FC-02075 #11)
Question: Explain the principles by which the CIS Controls were designed.
Answer:
Align: Controls should map to top cybersecurity standards.
Measurable: Controls should be simple and measurable.
Offense Informs Defense: Controls are drafted based on data from actual cyberattacks and defense against them.
Focus: Controls should help prioritize the most critical problems.
Feasible: All recommendations should be practical.

Card 12 (FC-02076 #12)
Question: Describe the intent of Control 01: Inventory and Control of Enterprise Assets.
Answer: Actively manage all enterprise assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise.
Source: CIS Critical Security Controls: Version 8

Card 13 (FC-02077 #13)
Question: Describe the intent of Control 02: Inventory and Control of Software Assets.
Answer: Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Source: CIS Critical Security Controls: Version 8

Card 14 (FC-02078 #14)
Question: Describe the intent of Control 03: Data Protection.
Answer: Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Source: CIS Critical Security Controls: Version 8

Card 15 (FC-02079 #15)
Question: Describe the intent of Control 04: Secure Configuration of Enterprise Assets and Software.
Answer: Establish and maintain the secure configuration of enterprise assets and software.
Source: CIS Critical Security Controls: Version 8

Card 16 (FC-02080 #16)
Question: Describe the intent of Control 05: Account Management.
Answer: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts as well as service accounts, to enterprise assets and software.
Source: CIS Critical Security Controls: Version 8

Card 17 (FC-02081 #17)
Question: Describe the intent of Control 06: Access Control Management.
Answer: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Source: CIS Critical Security Controls: Version 8

Card 18 (FC-02082 #18)
Question: Describe the intent of Control 07: Continuous Vulnerability Management.
Answer: Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Source: CIS Critical Security Controls: Version 8

Card 19 (FC-02083 #19)
Question: Describe the intent of Control 08: Audit Log Management.
Answer: Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Source: CIS Critical Security Controls: Version 8

Card 20 (FC-02084 #20)
Question: Describe the intent of Control 09: Email and Web Browser Protections.
Answer: Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
Source: CIS Critical Security Controls: Version 8

Center for Internet Security Critical Security Controls: Part 2

Card 21 (FC-02085 #21)
Question: Describe the intent of Control 10: Malware Defenses.
Answer: Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Source: CIS Critical Security Controls: Version 8

Card 22 (FC-02086 #22)
Question: Describe the intent of Control 11: Data Recovery.
Answer: Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Source: CIS Critical Security Controls: Version 8

Card 23 (FC-02087 #23)
Question: Describe the intent of Control 12: Network Infrastructure Management.
Answer: Establish, implement, and actively manage network devices in order to prevent attackers from exploiting vulnerable network services and access points.
Source: CIS Critical Security Controls: Version 8

Card 24 (FC-02088 #24)
Question: Describe the intent of Control 13: Network Monitoring and Defense.
Answer: Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
Source: CIS Critical Security Controls: Version 8

Card 25 (FC-02089 #25)
Question: Describe the intent of Control 14: Security Awareness and Skills Training.
Answer: Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Source: CIS Critical Security Controls: Version 8

Card 26 (FC-02090 #26)
Question: Describe the intent of Control 15: Service Provider Management.
Answer: Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise's critical IT platforms or processes to ensure these providers are protecting those platforms and data appropriately.
Source: CIS Critical Security Controls: Version 8

Card 27 (FC-02091 #27)
Question: Describe the intent of Control 16: Application Software Security.
Answer: Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
Source: CIS Critical Security Controls: Version 8

Card 28 (FC-02092 #28)
Question: Describe the intent of Control 17: Incident Response Management.
Answer: Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack.
Source: CIS Critical Security Controls: Version 8

Card 29 (FC-02093 #29)
Question: Describe the intent of Control 18: Penetration Testing.
Answer: Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
Source: CIS Critical Security Controls: Version 8

COBIT 2019 Framework

Card 30 (FC-02094 #30)
Question: Describe the purpose of ISACA's COBIT framework.
Answer: The COBIT framework provides a roadmap that organizations can use to implement best practices for IT governance and management.

Card 31 (FC-02095 #31)
Question: What are the key differences between management and stakeholders under the COBIT framework?
Answer: Management is responsible for the daily planning and administration of company operations, such as executive officers. Stakeholders can be internal such as lower levels of management, or external such as regulators, investors, business partners, and IT vendors.

Card 32 (FC-02096 #32)
Question: What five components were used for the development of COBIT 2019's foundation?
Answer:
COBIT 5
Six principles for a governance system
Three principles for a governance framework
Other standards and regulations
Community contribution

Card 33 (FC-02097 #33)
Question: What are the six governance system principles under COBIT 2019?
Answer:
1. Provide Stakeholder Value
2. Holistic Approach
3. Dynamic Governance System
4. Governance Distinct From Management
5. Tailored to Enterprise Needs
6. End-to-End Governance System

Card 34 (FC-02098 #34)
Question: Describe the three principles used to develop the COBIT 2019 core model.
Answer:
Based on Conceptual Model: Governance frameworks should identify key components as well as the relationships between those components.
Open and Flexible: Frameworks should have the ability to change, adding relevant content and removing irrelevant content, while keeping consistency and integrity.
Aligned to Major Standards: Frameworks should align with regulations, frameworks, and standards.

Card 35 (FC-02099 #35)
Question: What are the seven components to satisfy management and governance objectives under the COBIT 2019 core model?
Answer:
1. Processes
2. Organizational Structures
3. Principles, Policies, Frameworks
4. Information
5. Culture, Ethics, and Behavior
6. People, Skills, and Competencies
7. Services, Infrastructure, and Applications

Card 36 (FC-02100 #36)
Question: What are the 11 design factors that should be considered under COBIT?
Answer:
Enterprise Strategy
Enterprise Goals
Risk Profile
Information and Technology Issues
Threat Landscape
Compliance Requirements
Role of IT
Sourcing Model for IT
IT Implementation Methods
Technology Adoption Strategy
Enterprise Size

Card 37 (FC-02101 #37)
Question: List the governance objectives and management objectives according to the COBIT 2019 core model.
Answer:
Governance Objectives: Evaluate, Direct, and Monitor (EDM)
Management Objectives:
Align, Plan, and Organize (APO)
Build, Acquire, and Implement (BAI)
Deliver, Service, and Support (DSS)
Monitor, Evaluate, and Assess (MEA)