Ch 04 Framework Flashcards

1
Q

Which of the following standards would be most useful to you in ensuring your information security management system follows industry best practices?
A. NIST SP 800-53
B. Six Sigma
C. ISO/IEC 27000 series
D. COBIT

A

C. The ISO/IEC 27000 series is the only option that addresses best practices across the breadth of an ISMS. NIST SP 800-53 and COBIT both deal with controls, which are a critical but not the only component of an ISMS.

2
Q

What is COBIT and where does it fit into the development of information security systems and security programs?
A. Lists of standards, procedures, and policies for security program development
B. Current version of ISO 17799
C. A framework that was developed to deter organizational internal fraud
D. Open standard for control objectives

A

D. COBIT is an open framework developed by ISACA and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs.

3
Q

Which publication provides a catalog of security controls for information systems?
A. ISO/IEC 27001
B. ISO/IEC 27005
C. NIST SP 800-37
D. NIST SP 800-53

A

D. NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, catalogs over 1,000 security controls. ISO/IEC 27005 and NIST SP 800-37 both describe risk management frameworks, while ISO/IEC 27001 is focused on information security management systems (ISMSs).

4
Q

ISO/IEC 27001 describes which of the following?
A. The Risk Management Framework
B. Information security management system
C. Work product retention standards
D. International Electrotechnical Commission standards

A

B. ISO/IEC 27001 provides best practice recommendations on information security management systems (ISMSs).

5
Q

Which of the following is not true about Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)?
A. It is the only internationally recognized quantitative risk management framework.
B. It was developed by Carnegie Mellon University.
C. It is focused only on risk assessments.
D. It is a team-oriented risk management methodology that employs workshops.

A

A. OCTAVE is not a quantitative methodology. The only such methodology for risk management we’ve discussed is FAIR.

6
Q

What is a key benefit of using the Zachman Framework?
A. Ensures that all systems, processes, and personnel are interoperable in a concerted effort to accomplish organizational missions
B. Use of the iterative and cyclic Architecture Development Method (ADM)
C. Focus on internal SLAs between the IT department and the “customers” it serves
D. Allows different groups within the organization to look at it from different viewpoints

A

D. One of the key benefits of the Zachman Framework is that it allows organizations to integrate business and IT infrastructure requirements in a manner that is presentable to a variety of audiences by providing different viewpoints. This helps keep business and IT on the same sheet of music. The other answers describe the DoDAF (A), TOGAF (B), and ITIL (C).

7
Q

Which of the following describes the Center for Internet Security (CIS) Controls framework?
A. Consists of over 1,000 controls, divided into 20 families, that are mapped to the security category of an information system
B. Balances resource utilization, risk levels, and realization of benefits by explicitly tying stakeholder needs to organizational goals to IT goals
C. Developed to determine the maturity of an organization’s processes
D. Consists of 20 controls divided into three groups to help organizations incrementally improve their security posture

A

D. There are 20 CIS controls and 171 subcontrols organized so that any organization, regardless of size, can focus on the most critical controls and improve over time as resources become available. The other answers describe NIST SP 800-53 (A), COBIT 2019 (B), and Capability Maturity Model (C).

8
Q

Which of the following is not one of the seven steps in the NIST Risk Management Framework (RMF)?
A. Monitor security controls
B. Establish the context
C. Assess security controls
D. Authorize information system

A

B. Establishing the context is a step in ISO/IEC 27005, not in the NIST RMF. While it is similar to the RMF’s prepare step, there are differences between the two. All the other responses are clearly steps in the NIST RMF process.

9
Q

The information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind, but can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so that an organization can choose the ones that best fit its business needs and culture. Which of the following best describes the approach(es) that should be put into place if an organization wants to integrate a way to improve its security processes over a period of time?
i. ITIL should be integrated because it allows for the mapping of IT service process management, business drivers, and security improvement.
ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon.
iii. A Capability Maturity Model should be integrated because it provides distinct maturity levels.
iv. The Open Group Architecture Framework should be integrated because it provides a structure for process improvement.
A. i, iii
B. ii, iii, iv
C. ii, iii
D. ii, iv

A

C. The best process improvement approaches provided in this list are Six Sigma and Capability Maturity Model. The following outlines the definitions for all items in this question:
TOGAF: Model and methodology for the development of enterprise architectures, developed by The Open Group
ITIL: Processes to allow for IT service management, developed by the United Kingdom's Office of Government Commerce
Six Sigma: Business management strategy that can be used to carry out process improvement
Capability Maturity Model (CMM): Organizational development for process improvement

10
Q

Use the following scenario to answer Questions 10–12. You are hired as the chief information security officer (CISO) for a medium-size research and development company. Its research file servers were recently breached, resulting in a significant loss of intellectual property. The company is about to start a critical research project and wants to ensure another breach doesn’t happen. The company doesn’t have risk management or information security programs, and you’ve been given a modest budget to hire a small team and get things started.

Which of the following risk management frameworks would probably not be well suited to your organization?
A. ISO/IEC 27005
B. NIST Risk Management Framework (RMF)
C. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
D. Factor Analysis of Information Risk (FAIR)

A

D. The Factor Analysis of Information Risk (FAIR) framework uses a quantitative approach to risk assessment. As we discussed in Chapter 2, this approach requires a lot more expertise and resources than qualitative ones. Since your organization is just getting started with risk management and information security and your resources are limited, this would not be a good fit.

11
Q

Use the following scenario to answer Questions 10–12. You are hired as the chief information security officer (CISO) for a medium-size research and development company. Its research file servers were recently breached, resulting in a significant loss of intellectual property. The company is about to start a critical research project and wants to ensure another breach doesn’t happen. The company doesn’t have risk management or information security programs, and you’ve been given a modest budget to hire a small team and get things started.

You decide to adopt the NIST Risk Management Framework (RMF) and are in the process of categorizing your information systems. How would you determine the security category (SC) of your research file servers (RFS)?
A. SC_RFS = (probable frequency) × (probable future loss)
B. SC_RFS = {(confidentiality, high), (integrity, medium), (availability, low)} = high
C. SC_RFS = {(confidentiality, high), (integrity, medium), (availability, low)} = medium
D. SC_RFS = Threat × Impact × Probability

A

B. The NIST RMF relies on the Federal Information Processing Standard Publication 199 (FIPS 199) categorization standard, which breaks down a system’s criticality by security objective (confidentiality, integrity, availability) and then applies the highest security objective category (the “high water mark”) to determine the overall category of the system.

12
Q

Use the following scenario to answer Questions 10–12. You are hired as the chief information security officer (CISO) for a medium-size research and development company. Its research file servers were recently breached, resulting in a significant loss of intellectual property. The company is about to start a critical research project and wants to ensure another breach doesn’t happen. The company doesn’t have risk management or information security programs, and you’ve been given a modest budget to hire a small team and get things started.

When selecting the controls for the research file servers, which of the following security control frameworks would be best?
A. NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations
B. ISO/IEC 27002 code of practice for information security controls
C. Center for Internet Security (CIS) Controls
D. COBIT 2019

A

A. Because you’re using the NIST RMF, NIST SP 800-53 is the best answer because the two frameworks are tightly integrated. None of the other answers is necessarily wrong; they’re just not as well suited as SP 800-53 for the given scenario.
