Frameworks, Policies, and Procedures

Question 1

Framework-based governance seeks to mitigate the risks that are associated with IT
service delivery

Answer 1

Enterprise Security Architecture

Question 2

A framework that stipulates control selection and deployment

Answer 2

Prescriptive Frameworks

Question 3

A component of an ESA framework that is used to assess the formality and
optimization of security control selection and usage and address any gaps

Answer 3

Maturity Model

Question 4

Prescriptive frameworks can make it difficult for the framework to keep pace with
a continually evolving threat landscape

Answer 4

Risk-based Frameworks

Question 5

A framework that uses risk assessment to prioritize security control selection and
investment

Answer 5

Risk-based Framework

Question 6

A risk-based framework that is focused on IT security over IT service provision

Answer 6

NIST Cybersecurity Framework

Question 7

Identifies five cybersecurity functions (Identify, Protect, Detect,
Respond, and Recover) and each function can be divided into categories
and subcategories

Answer 7

Framework Core

Question 8

Assesses how closely core functions are integrated with the
organization’s overall risk management process and each tier is classed
as Partial, Risk Informed, Repeatable, and Adaptive

Answer 8

Implementation Tiers

Question 9

Used to supply statements of current cybersecurity outcomes and
target cybersecurity outcomes to identify investments that will be most
productive in closing the gap in cybersecurity capabilities shown by
comparison of the current and target profiles

Answer 9

Framework Profiles

Question 10

The process of determining whether a system is free from defects or deficiencie

Answer 10

Quality Control (QC)

Question 11

Processes that analyze what constitutes quality and how it can be measured and
checked

Answer 11

Quality Assurance (QA)

Question 12

A compliance-testing process to ensure that the security system meets
the requirements of a framework or regulatory environment, or that a
product or system meets its design goals

Answer 12

Verification

Question 13

The process of determining whether the security system is fit for
purpose

Answer 13

Validation

Question 14

The process of testing the subject against a checklist of requirements in a highly
structured way for measurement against an absolute standard

Answer 14

Assessment

Question 15

A less methodical process of testing that is aimed at examining outcomes or
proving usefulness

Answer 15

Evaluation

Question 16

A more rigid process than assessments or evaluations, in which the auditor
compares the organization against a predefined baseline to identify areas that
require remediation

Answer 16

Audit

Question 17

Similar to a lessons learned review, except it occurs at a regular interval, such as
quarterly or annually

Answer 17

Scheduled Review

Question 18

Process of making small, incremental gains to products and services by identifying
defects and inefficiencies for further refinement

Answer 18

Continual Improvement

Question 19

The technique of constantly evaluating an environment for changes so that new
risks may be more quickly detected and business operations improved upon

Answer 19

Continuous Monitoring