Frameworks

Question 1

A Framework is

Answer 1

a structure underlying a system, concept, or text.

Question 2

Purpose of frameworks in IT and cybersecurity is to ____

Answer 2

Provide structure to the ways in which we manage risks, develop enterprise architecture, and secure all our assets.

Question 3

Four Basic breakdown of Framework

Answer 3

• Risk
• Security Program
• Security Controls
• Enterprise Architecture

Question 4

Example of Risk Frameworks

Answer 4

• NIST RMF
• ISO/IEC 27005
• OCTAVE
• FAIR

Question 5

Examples Security Program Framework

Answer 5

• ISO/IEC 27005 series
• NIST Cybersecurity Framework

Question 6

Examples of Security Control Framework

Answer 6

• NIST SP 800-53
• CIS Controls
• COBIT 2019

Question 7

Examples of Enterprise Architecture Framework

Answer 7

• Zachman Framework
• TOGAF
• DoDAF
• SABSA

Question 8

NIST RMF is described in three core interrelated Special Publications

Answer 8

• SP 800-37 R2 RMF for Information Systems and Organizations
• SP 800-39 Managing Information Security Risk
• SP 800-30 R1, Guide for conducting Risk Assessment

Question 9

NIST RMF - 2. Categorize - What is the SP?

Answer 9

NIST SP 800-60 applies sensitivity and criticality to each security objective (CIA) to determine a system’s criticality.

Question 10

NIST RMF Defines 3 types of security controls, they are_____

Answer 10

• Common
• System Specific
• Hybrid

Question 11

NIST RMF 3. Select SP

Answer 11

NIST SP 800-53 R5 Security and Privacy Controls for Information Systems and Organizations

Question 12

ISO/IEC 27005 outlines 4 ways in which the risk can be treated:

Answer 12

• Mitigate
• Accept
• Transfer
• Avoid

Question 13

For RMF best results, which 2 ISO should be combined?

Answer 13

ISO/IEC 27005
ISO/IEC 27001

Question 14

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
Is a RMF or Methodology for Risk Assessment?

Answer 14

It is not a Framework but more of a methodology for risk assessment.

Question 15

Common Use of OCTAVE is in Public Sector or Private Sector?

Answer 15

Private Sector

Question 16

OCTAVE Approach focuses on which type of Asset

Answer 16

Most critical assets

Question 17

80% of the Consequences come from 20% of the causes (Pareto Principle) used in which Risk Assessment Methodology?

Answer 17

OCTAVE

Question 18

OCTAVE Risk Assessment Methodology is divided into 3 phases:

Answer 18

• Organizational view for most critical assets
• Organizational Technology infrastructure vulnerabilities
• Team Risk High, Medium, Low assessment and developing mitigation strategies

Question 19

More Rigorous quantitative approach to manage risk - Proprietary Framework?

Answer 19

FAIR ( Factor Analysis Information Risk)

Question 20

FAIR - Factor Analysis of Information Risk focus on: Possible Threats or Probable Threats

Answer 20

Probable Threats

Question 21

Information Security Frameworks can be divided into 2 Categories:

Answer 21

1. Looks holistically at the entire security program
2. Focused on Controls

Question 22

Which ISO standard series serve as industry best practices for the management of security controls in a holistic manner within organizations around the world

Answer 22

ISO/IEC 27000

Question 23

As you probably realize, ISO_______ is the most important of these standards for the most organization:

Answer 23

ISO 27001

Question 24

NIST Cybersecurity Framework is divided into three main components:

Answer 24

• Frame Core
• implementation Tiers
• Framework Profile

Question 25

NIST Cybersecurity Framework core practices organize Cybersecurity activities into 5 higher level functions l:

Answer 25

- Identify - Protect - Detect - Respond - Recover

Question 26

Which NIST covers, Security and Privacy Controls for information systems and Organizations.

Answer 26

NIST SP 800-53

Question 27

NIST SP 800-53 Prescribes 4 Step process

Answer 27

1. Select the appropriate security control baseline 2. Tailor the baseline 3. Document the security control selection process 4. Apply the controls

Question 28

How many controls NIST SP 800-53 lists: more than # controls

Answer 28

1000 Controls into 20 families

Question 29

CIS - Centre for Internet Security, is a non profit organization that among other things maintains a list of # critical security controls

Answer 29

List of 20 Critical Security Controls

Question 30

CIS (Centre for Internet Security) recognize that not every organization will not have the resources necessary to implement all the controls. For this reason they are grouped into 3 Categories, and they are:

Answer 30

- Basic - Key Controls - Foundational- Best Practices - Organizational - improved Cybersecurity (People and Processes focused)

Question 31

COBIT 2019 (Control Objectives for Information Technologies) is a framework for governance and management developed by ISACA, it helps Organizations:

Answer 31

Optimize the value of their IT by balancing resource utilization, risk levels, and realizations of benefits.

Question 32

Security Control framework COBIT 2019 (Control Objectives for Information Technologies) has 6 key principles:

Answer 32

1. Provide stakeholder value 2. Holistic Approach 3. Dynamic Governance Systems 4. Governance distinct from management 5. Tailored to enterprise needs 6. End-to-end governance system

Question 33

COBIT 2019 specifies # enterprise and # alignment goals. These 2 steps of goals are different but related

Answer 33

13

Question 34

A Majority of the security compliance auditing practices used today in the industry are based off which security control framework?

Answer 34

COBIT 2019

Question 35

Is COBIT 2019 purely security focused or IT governance as well

Answer 35

Both

Question 36

One of the first enterprise architecture framework that was created is the:

Answer 36

Zachman Framework

Question 37

The Zachman Framework is a two-dimensional model that uses # basic communication interrogatives:

Answer 37

What How Where Who When Why

Question 38

The Open Group Architecture Framework (TOGAF), which has its origins in the U. S. Department of Defence. This be used to develop the following 4 architecture types:

Answer 38

- Business Architecture - Data Architecture - Application Architecture - Technology Architecture

Question 39

TOGAF can be used to create these individual architecture type through the use of: what method?

Answer 39

Architecture Development Method (ADM)

Question 40

TOGAF ( The Open Group Architecture Framework) architectures can allow a technology architect to understand the enterprise from 4 different views:

Answer 40

- Business - Data - Application - Technology

Question 41

DoDAF stands for

Answer 41

Department of Defence Architecture Framework (DoDAF)

Question 42

The focus of The Department of Defence Architecture Framework (DoDAF):

Answer 42

- Command - Control - Communications - Computers - intelligence - Surveillance - Reconnaissance systems and Processes

Question 43

Other Frameworks (3)

Answer 43

- ITIL - Six Sigma - Capability Maturity Model

Question 44

ITIL (Information Technology Infrastructure Library) 1980s by UK’s Central Computer and Telecommunications Agency. ITIL is the_____now

Answer 44

De facto standard of best practices for IT services management

Question 45

Four dimensional in ITIL model:

Answer 45

-Organizations and People -Value Stream and Processes - Information and Technology - Partners and Suppliers

Question 46

Six Factors in ITIL model:

Answer 46

- Political - Economic - Social - Technological - Legal - Environmental

Question 47

Six Sigma was developed by Motorola with a goal of identifying and removing defects in its manufacturing process . It focuses on ______ ______ methodology.

Answer 47

Process improvement methodology

Question 48

Goal or Six Sigma

Answer 48

Improve Process Quality by using statistical methods of measuring operation efficiency and reducing variation, defects, and waste.

Question 49

CMM (Capability Maturity Model) 6 levels starting from 0:

Answer 49

Level 0: Nonexistent Management Level 1: Unpredictable Processes Level 2: Repeatable Processes Level 3: Defined Processes Level 4: Managed Processes Level 5: Optimized Processes

Question 50

Framework designed to align an organization’s security architecture with its business strategy

Answer 50

SABSA

Question 51

It is a framework that assists both business and IT by using a common language of understanding

Answer 51

ITIL