Frameworks Flashcards

1
Q

A Framework is

A

a structure underlying a system, concept, or text.

2
Q

Purpose of frameworks in IT and cybersecurity is to ____

A

Provide structure to the ways in which we manage risks, develop enterprise architecture, and secure all our assets.

3
Q

Four basic categories of frameworks

A
  • Risk
  • Security Program
  • Security Controls
  • Enterprise Architecture
4
Q

Examples of Risk Frameworks

A
  • NIST RMF
  • ISO/IEC 27005
  • OCTAVE
  • FAIR
5
Q

Examples of Security Program Frameworks

A
  • ISO/IEC 27005 series
  • NIST Cybersecurity Framework
6
Q

Examples of Security Control Frameworks

A
  • NIST SP 800-53
  • CIS Controls
  • COBIT 2019
7
Q

Examples of Enterprise Architecture Frameworks

A
  • Zachman Framework
  • TOGAF
  • DoDAF
  • SABSA
8
Q

NIST RMF is described in three core interrelated Special Publications

A
  • SP 800-37 R2 RMF for Information Systems and Organizations
  • SP 800-39 Managing Information Security Risk
  • SP 800-30 R1, Guide for Conducting Risk Assessments
9
Q

NIST RMF - 2. Categorize - What is the SP?

A

NIST SP 800-60 applies sensitivity and criticality to each security objective (CIA) to determine a system’s criticality.

10
Q

NIST RMF defines 3 types of security controls; they are _____

A
  • Common
  • System Specific
  • Hybrid
11
Q

NIST RMF - 3. Select - What is the SP?

A

NIST SP 800-53 R5 Security and Privacy Controls for Information Systems and Organizations

12
Q

ISO/IEC 27005 outlines 4 ways in which the risk can be treated:

A
  • Mitigate
  • Accept
  • Transfer
  • Avoid
13
Q

For best RMF results, which two ISO standards should be combined?

A

ISO/IEC 27005
ISO/IEC 27001

14
Q

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): is it a risk management framework or a methodology for risk assessment?

A

It is not a Framework but more of a methodology for risk assessment.

15
Q

Is OCTAVE commonly used in the public sector or the private sector?

A

Private Sector

16
Q

The OCTAVE approach focuses on which type of asset?

A

Most critical assets

17
Q

"80% of the consequences come from 20% of the causes" (the Pareto Principle) is used in which risk assessment methodology?

A

OCTAVE

18
Q

OCTAVE Risk Assessment Methodology is divided into 3 phases:

A
  • Organizational view of the most critical assets
  • Organizational technology infrastructure vulnerabilities
  • Team assessment of risk as High, Medium, or Low and development of mitigation strategies
19
Q

Which proprietary framework takes a more rigorous, quantitative approach to managing risk?

A

FAIR (Factor Analysis of Information Risk)

20
Q

FAIR (Factor Analysis of Information Risk) focuses on: possible threats or probable threats?

A

Probable Threats

21
Q

Information security frameworks can be divided into 2 categories:

A
  1. Looks holistically at the entire security program
  2. Focused on Controls
22
Q

Which ISO standard series serves as industry best practice for the holistic management of security controls within organizations around the world?

A

ISO/IEC 27000

23
Q

As you probably realize, ISO _______ is the most important of these standards for most organizations:

A

ISO 27001

24
Q

NIST Cybersecurity Framework is divided into three main components:

A
  • Framework Core
  • Implementation Tiers
  • Framework Profile
25
Q

The NIST Cybersecurity Framework Core organizes cybersecurity activities into 5 high-level functions:

A
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
26
Q

Which NIST publication covers Security and Privacy Controls for Information Systems and Organizations?

A

NIST SP 800-53

27
Q

NIST SP 800-53 prescribes a 4-step process

A
  1. Select the appropriate security control baseline
  2. Tailor the baseline
  3. Document the security control selection process
  4. Apply the controls
28
Q

How many controls does NIST SP 800-53 list? More than # controls

A

1000 Controls into 20 families

29
Q

CIS (Center for Internet Security) is a non-profit organization that, among other things, maintains a list of # critical security controls

A

List of 20 Critical Security Controls

30
Q

CIS (Center for Internet Security) recognizes that not every organization will have the resources necessary to implement all the controls. For this reason they are grouped into 3 categories, which are:

A
  • Basic - Key Controls
  • Foundational - Best Practices
  • Organizational - Improved Cybersecurity (people and processes focused)
31
Q

COBIT 2019 (Control Objectives for Information Technologies) is a framework for governance and management developed by ISACA. It helps organizations:

A

Optimize the value of their IT by balancing resource utilization, risk levels, and realization of benefits.

32
Q

Security control framework: COBIT 2019 (Control Objectives for Information Technologies) has 6 key principles:

A
  1. Provide stakeholder value
  2. Holistic Approach
  3. Dynamic Governance Systems
  4. Governance distinct from management
  5. Tailored to enterprise needs
  6. End-to-end governance system
33
Q

COBIT 2019 specifies # enterprise goals and # alignment goals. These 2 sets of goals are different but related.

A

13

34
Q

The majority of security compliance auditing practices used in the industry today are based on which security control framework?

A

COBIT 2019

35
Q

Is COBIT 2019 purely security focused, or does it cover IT governance as well?

A

Both

36
Q

One of the first enterprise architecture frameworks that was created is the:

A

Zachman Framework

37
Q

The Zachman Framework is a two-dimensional model that uses # basic communication interrogatives:

A

What
How
Where
Who
When
Why

38
Q

The Open Group Architecture Framework (TOGAF) has its origins in the U.S. Department of Defense. It can be used to develop the following 4 architecture types:

A
  • Business Architecture
  • Data Architecture
  • Application Architecture
  • Technology Architecture
39
Q

TOGAF can be used to create these individual architecture types through the use of what method?

A

Architecture Development Method (ADM)

40
Q

TOGAF (The Open Group Architecture Framework) architectures allow a technology architect to understand the enterprise from 4 different views:

A
  • Business
  • Data
  • Application
  • Technology
41
Q

DoDAF stands for

A

Department of Defense Architecture Framework (DoDAF)

42
Q

The focus of the Department of Defense Architecture Framework (DoDAF):

A
  • Command
  • Control
  • Communications
  • Computers
  • Intelligence
  • Surveillance
  • Reconnaissance systems and Processes
43
Q

Other Frameworks (3)

A
  • ITIL
  • Six Sigma
  • Capability Maturity Model
44
Q

ITIL (Information Technology Infrastructure Library) was created in the 1980s by the UK's Central Computer and Telecommunications Agency. ITIL is now the _____

A

De facto standard of best practices for IT services management

45
Q

Four dimensions in the ITIL model:

A

  • Organizations and People
  • Value Streams and Processes
  • Information and Technology
  • Partners and Suppliers

46
Q

Six factors in the ITIL model:

A
  • Political
  • Economic
  • Social
  • Technological
  • Legal
  • Environmental
47
Q

Six Sigma was developed by Motorola with the goal of identifying and removing defects in its manufacturing process. It focuses on a ______ ______ methodology.

A

Process improvement methodology

48
Q

Goal of Six Sigma

A

Improve process quality by using statistical methods to measure operational efficiency and reduce variation, defects, and waste.

49
Q

CMM (Capability Maturity Model) has 6 levels, starting from 0:

A

Level 0: Nonexistent Management
Level 1: Unpredictable Processes
Level 2: Repeatable Processes
Level 3: Defined Processes
Level 4: Managed Processes
Level 5: Optimized Processes

50
Q

Framework designed to align an organization’s security architecture with its business strategy:

A

SABSA

51
Q

A framework that assists both business and IT by using a common language of understanding:

A

ITIL