03. Industry Standards and Frameworks for Information Security

Question 1

Industry Standards and Frameworks for InfoSec

An Information Security Program will/may use or adopt several types of frameworks such as…

Answer 1

1. Control Frameworks
2. Risk Management Frameworks
3. Architecture Frameworks
4. Security Program Management Frameworks

213

Question 2

Industry Standards and Frameworks for InfoSec

Control Frameworks include…

Answer 2

1. CIS CSC
2. ISO/IEC 27002
3. NIST SP 800-53
4. PCI DSS
5. NIST CSF
6. COBIT
7. ETSI TEchnical Report (TR) 103 305-1
8. HITRUST CSF

213

Question 3

Industry Standards and Frameworks for InfoSec

Risk Management Frameworks include…

Answer 3

1. ISO/IEC 27005
2. ISO/IEC 31000
3. NIST CSF
4. NIST SP 800-37

213

Question 4

Industry Standards and Frameworks for InfoSec

Architecture Frameworks include…

Answer 4

1. Zachman
2. TOGAF

The Open Group Architecture Framework

213

Question 5

Industry Standards and Frameworks for InfoSec

Security Program Management Frameworks include…

Answer 5

1. ISO/IEC 27001
2. NIST CSF
3. COBIT
4. ETSI TR 103 787-1

213

Question 6

Control Frameworks

An advantage of an organisation adopting an industry-standard control framework is that they are used by thousands of companies and they are…

Answer 6

regularly updated to reflect changing business practivces, emerging threats, and new technologies

213

Question 7

Control Frameworks

A strategist should select a control framework based on its…

Answer 7

alignment to the industry

214

Question 8

Control Frameworks

Where a control framework has been selected based on its industry alignment, the strategist should institude a process for…

Answer 8

developing additional controls based on the results of risk assessments to meet the specific needs of the organisation

214

Question 9

Control Frameworks: COBIT

COBIT has 4 domains…

Answer 9

1. Plan and Organise
2. Acquire and Implement
3. Delivery and Support
4. Monitor and Evaluate

215

Question 10

Control Frameworks: COBIT

COBIT is not primarily a security control framework. It is an IT process framework that includes security processes interspersed. The security and risk related processes are…

Answer 10

1. Ensure Risk Optimization
2. Manage Risk
3. Manage Security
4. Manage Security Resources
5. Monitor, Evaluate, and Assess compliance with external requirements

215

Question 11

Control Frameworks: ITIL / ISO/IEC 20000

ITIL is a framework of…

Answer 11

IT Service Delivery and Management Processes

ITIL is not a security framework but a process framework for IT Service Management

215

Question 12

Control Frameworks: ISO/IEC 27002

ISO/IEC 27002:
Information Technology - Security Techniques - Code of practice for information security controls is..

Answer 12

An international standard controls framework

ISO 27002 provides full explanations on controls
ISO 27001 is high level and includes the controls in an appendix but not in detail

216

Question 13

Control Frameworks: HIPAA

HIPPA
Health Insurance Portability and Accountability Act establishes requirements for…

Answer 13

protecting electronic protected health information (ePHI)

216

Question 14

Control Frameworks: HIPAA

HIPAA requirements fall into 3 main categories…

Answer 14

1. Administrative safeguards
2. Physical safeguards
3. Technical safeguards

216

Question 15

Control Frameworks: HIPAA

Each control within the framework is labeled as either…

Answer 15

Required or addressable

Required MUST be implemented
Addressable is considered optional if the control does not apply or the risk is negligible

216

Question 16

Control Frameworks: NIST SP 800-53

NIST SP 800-53 is one of the most…

Answer 16

well known and adopted security control frameworks

216

Question 17

Control Frameworks: NIST SP 800-53

NIST SP 800-53 is required for all…

Answer 17

US Government information systems and private industry that store or process federal government information

216

Question 18

Control Frameworks: NIST SP 800-53

NIST SP 800-53 controls are organised into 18 categories…

Answer 18

1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Security Assessment and Authorisation
5. Configuration Management
6. Contingiency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. System and Services Acquisition
16. System and Communications protection
17. System and Information Integrity
18. Program Management

216/217

Question 19

Control Frameworks: NIST SP 800-171

NIST SP 800-171 is a framework of requirements for…

Answer 19

the protection of controlled unclassified information (CUI)

Required for all infomration systems in private industry that store or process CUI for federal government

217

Question 20

Control Frameworks: NIST SP 800-171

NIST SP 800-171 is organised into 13 categories…

Answer 20

1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Configuration Mnaagement
5. Indeitifcation and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection

217

Question 21

Control Frameworks: NIST SP 800-171

A framework of assessments and assessor certifications used to enforce compliance of NIST SP 800-171

Answer 21

Cybersecurity Maturity Model Certification
(CMMC)

217

Question 22

Control Frameworks: NIST CSF

The NIST CSF is a risk based life-cycle methodology used for…

Answer 22

assessing risk, enacting controls, and measuring control effectiveness

217

Question 23

Control Frameworks: NIST CSF

The 3 core components of the NIST CSF…

Answer 23

1. Framework Core
2. Framework Implementation Tiers
3. Framework Profile

218

Question 24

Control Frameworks: NIST CSF

The set of 5 functions within the Framework core of NIST CSF

Answer 24

1. Identify
2. Detect
3. Protect
4. Respond
5. Recover

217

Question 25

Control Frameworks: NIST CSF

5 Maturity levels defined within the Framework Implementation Tiers of the NIST CSF

Answer 25

1. Partial
2. Risk
3. Informed
4. Repeatable
5. Adaptive

218

Question 26

Control Frameworks: NIST CSF

The Frameowkr Profile within the NIST CSF aligns elements of the Framework Core with the organisations…

Answer 26

1. Business requirements
2. Risk tolerance
3. Available resources

218

Question 27

Control Frameworks: NIST CSF

Organisations implementing NIST CSF first perform an assessment by measuring maturity of the Framework Core i.e. Identify, Detect, Protect, Respond, Recover. The organisation then determins the maturity levels they desire to reach for each Framework core. The identified differences are considered…

Answer 27

gaps that need to be filled through sevearl means

Hiring additional resources
Training resources
Adding or changing business processes or procedures
Changing system or device configuration
Acquiring new systems or devices

218

Question 28

Control Frameworks: CIS CSC

CIS CSC - Center for Internet Securtiy Critical Security Controls is a…

Answer 28

well-known control framework with 18 sections

218

Question 29

Control Frameworks: PCS DSS

The Payment Card Industry Data Security Standard is a control framework specifically for protecting credit card numbers and related information when…

Answer 29

stored, processed and transmitted on an organisations network

219

Question 30

Control Frameworks: PCS DSS

The PCI DSS has 12 control objectives…

Answer 30

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components. .
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

219

Question 31

Control Frameworks: PCS DSS

PCI DSS is mandatory for all organisations…

Answer 31

storing, processing, or transmitting credit card data

219

Question 32

Control Frameworks: PCS DSS

Organisations that store, process or transmit high volumes of credit card data are required to undergo…

Answer 32

annual on-site audits

219

Question 33

Information Security Management Frameworks

Information security management frameworks are business process models that include…

Answer 33

essential processes and activities needed by most organisations

219

Question 34

Information Security Management Frameworks

Information Security Management Frameworks are risk-centric because the identification of risk is a key driver for activities in other parts of the framework to…

Answer 34

reduce risk to acceptable levels

219

Question 35

Information Security Management Frameworks

ISO/IEC 27001 is a well-known international standard which defines the requirements and steps to run an…

Answer 35

Information Security Management System
(ISMS)

An ISMS is a set of processes used to assess risk, develop policy and controls, and manage all processes found in infosec program

219

Question 36

Information Security Management Frameworks

COBIT 2019 is a…

Answer 36

controls and governance framework for managing an IT organisation

COBIT 2019 for Information Security is an additional standard that explains each component of the frameowkr from an information security perspective

220

Question 37

Information Security Management Frameworks

The NIST CSF is an outcomes based security management and control framework that guides an organisation in…

Answer 37

1. Understanding its maturity levels
2. Assessing risk
3. Identifying gaps
4. Developing action plans for strategic improvement

220

Question 38

Information Security Management Frameworks

ETSI CYBER Cybersecurity for SMEs Part 1: Cybersecurity Standardisation Essentials is a published documentation that describes a…

Answer 38

Top-down approach to developing and managing cybersecurity programs

220

Question 39

Information Security Architecture

1. Security management frameworks describe….
2. Control frameworks are…

Answer 39

1. Activities in an information security program
2. Collections of security controls

The activity might be “access management” and the controls might be “RBAC or MAC” etc..

220

Question 40

Enterprise Architecture (EA)

A business function and a technical model which consists of activities that ensure IT systems meet important business needs

Answer 40

Enterprise Architecture
(EA)

EA may include business functions being mapped to IT environments and systems at all levels

220

Question 41

Information Security Architecture

A subset (special topic) within Enterprise Architecture concerned with the protective characteristics found in many components in an overall EA

Answer 41

Information Security Architecture

220

Question 42

Information Security Architecture

The purpose of an Enterprise Architecture and Enterprise Security Architecture is…

Answer 42

1. All hardware and software fulfil a stated purpose
2. Components work well together
3. Structure and consistency in infrastructure through the organisation
4. Infrastructure resources are used efficiently
5. Infrastructure is scalable and flexible
6. Elements can be upgraded as needed
7. Elements can be added as needed

220

Question 43

Information Security Architecture

The 2 main layers that exist within Information Security Architecture

Answer 43

1. Policy
2. Standards

1. Defines characterstics of the overall environment i.e. the need for centralised authentication
2. Defines standards to be used i.e. specific protocols, methods of authentication, configuration and hardening etc..

221

Question 44

Information Security Architecture

Centralised functions within an information security architecture help amplify the workfroce so that a relatively small staff level can…

Answer 44

effectively manage hundreds or thousands of devices

221

Question 45

Information Security Architecture

Examples of modern information security architecture centralised functions that amplify a small staff workforce to manage devices…

Answer 45

1. Authentication
2. Encryption Key Management
3. Monitoring
4. Device Management
5. Software Development

1. Utilising central identity and access management services i.e. AD
2. Centralised certificate authorities (CA)
3. Centralised monitoring of all systems - SIEM as example
4. Centralised configuration management or distribution servers as example
5. Formal architectures implemented describing end to end software development environment

221