Chapter 4: Frameworks

Question 1

framework

Answer 1

a guiding document which provides structure to the ways in which we manage risks, develop enterprise architecture, and secure all our assets

Question 2

RMF

Answer 2

risk management frameworks

Question 3

common RMFs

Answer 3

NIST RMF, ISO/IEC 27005, OCTAVE, and FAIR

Question 4

Seven steps of NIST RMF

Answer 4

Prepare, categorize, select, implement, assess, authorize, and monitor

Question 5

common security controls in NIST framework

Answer 5

they exist outside of a system and apply to multiple systems

Question 6

system-specific security controls in NIST framework

Answer 6

they exist inside a system boundary and protect only the one system

Question 7

hybrid security controls in NIST framework

Answer 7

they are a combination of the other two (common and system-specific)

Question 8

Four risk treatments

Answer 8

mitigated, accepted, transferred, or avoided

Question 9

OCTAVE

Answer 9

Operationally Critical Threat, Asset, and Vulnerability Evaluation; team-oriented risk management methodology which employs workshops and is commonly used in the commercial sector

Question 10

FAIR

Answer 10

Factor Analysis of Information Risk; only internationally recognized quantitative approach to risk management

Question 11

Most common info security program frameworks

Answer 11

ISO/IEC 27001 and NIST cybersecurity framework

Question 12

ISO/IEC 27001

Answer 12

standard for the establishment, implementation, control, and improvement of the info security mgmt system (ISMS)

Question 13

NIST Cybersecurity Framework official name

Answer 13

Framework for Improving Critical Infrastructure Cybersecurity

Question 14

Five higher-level functions of NIST Cybersecurity Framework

Answer 14

Identify, protect, detect, respond, and recover

Question 15

Most common security controls frameworks

Answer 15

NIST SP 800-53, CIS Controls, and COBIT

Question 16

NIST SP 800-53

Answer 16

over 1,000 security controls grouped into 20 families; Security and Privacy Controls for Info Systems and Orgs

Question 17

CIS

Answer 17

Center for Internet Security Controls

Question 18

CIS Controls framework

Answer 18

20 controls and 171 subcontrols organized in implementation groups to address any org’s security needs from small to enterprise level

Question 19

COBIT

Answer 19

framework of control objectives and allows for IT governance; developed by ISACA and ITGI (IT Governance Institute)

Question 20

Enterprise architecture frameworks

Answer 20

used to develop architectures for specific stakeholders and present information in views; used to build individual architectures that best map to individual organizational needs and business drivers

Question 21

Blueprints

Answer 21

functional definitions for the integration of technology into business processes

Question 22

Most common enterprise architecture frameworks

Answer 22

Zachman and SABSA; TOGAF and DoDAF

Question 23

Zachman Framework

Answer 23

enterprise architecture framework

Question 24

SABSA

Answer 24

security enterprise architecture framework

Question 25

ITIL

Answer 25

set of best practices for IT service management

Question 26

Six Sigma

Answer 26

used to identify defects in processes so that the processes can be improved upon

Question 27

CMM

Answer 27

Capability Maturity Model

Question 28

what is the CMM

Answer 28

allows for processes to improve in an incremented and standard approach

Question 29

ISO/IEC 27005

Answer 29

describe risk management frameworks

Question 30

NIST SP 800-37

Answer 30

describe risk management frameworks

Question 31

ISO/IEC 27001

Answer 31

describes information security management system

Question 32

OCTAVE

Answer 32

developed by Carnegie Mellon University; focused only on risk assessments; team-oriented risk management methodology which employs workshops

Question 33

Key benefit of Zachman Framework

Answer 33

Allows different groups within the org to look at it from different viewpoints

Question 34

Key benefit of the DoDAF

Answer 34

ensures all systems, processes, and personnel are interoperable in a concerted effort to accomplish organizational missions

Question 35

Key benefit of the TOGAF

Answer 35

Use of the iterative and cyclic Architecture Development Method (ADM)

Question 36

Key benefit of the ITIL

Answer 36

Focus on internal SLAs between the IT department and the “customers” it serves

Question 37

COBIT 2019

Answer 37

Balances resources utilization, risk levels, and realization of benefits by explicitly tying stakeholder needs to organizational goals to IT goals

Question 38

NIST RMF categorization

Answer 38

NIST RMF relies on the Federal Information Processing Standard Publication 199 (FIPS 199) which breaks down a system’s criticality by security objective (confidentiality, integrity, availability) and then applies the highest security objective category (out of low, medium, high) to determine the overall category of the system

Question 39

SC

Answer 39

security category; SC = {(confidentiality, high), (integrity, medium), (availability, low)}= high