ISC 1

Question 1

NIST

Answer 1

National Institute of Standards and Technology Framework (1901) (1995 - Info Security). Here to protect us

Question 2

Why do we need IT?

Answer 2

Organizations adopt technology to enhance or support business operations; protect digital records and assets; safeguards physical assets

Question 3

NIST Cybersecurity Framework

Answer 3

Voluntary framework that includes three components to manage cybersecurity risk:
1. Framework
2. Framework Implementation
3. Framework Profile

Question 4

CS Framework Core ComponentsDRRIP

Answer 4

Identify
Protect
Detect
Respond
Recover

Question 5

Identify ID

Answer 5

Keep records of: assets of the organization, system users internal/external, information process operations and all system used

Question 6

Protect

Answer 6

Focus on deploying safeguards and access controls to networks, applications, and devices.
Performing regular updates to security software
Performing data backups, developing plans for disposing of files or unused devices and user training

Question 7

Detect

Answer 7

Deploy tools to: Detect cyber security attacks.
Monitor network access points, user devices, unauthorized personnel access.

Question 8

Respond

Answer 8

Develop response polices addressing how to:
Contain a cybersecurity event
React using planned responses that mitigate losses
Notify

Question 9

Recover

Answer 9

Focuses on:
Supporting the restoration of a company’s network to normal operations
Restoring backed up files or environments

Question 10

Implementation Tiers

Answer 10

How sophisticated is a company’s security infrastructure?
Inform an organization as to the effectiveness of those profiles.
Tiers act as a benchmark, identifying the degree to which information security practices are integrated throughout an organization.

Question 11

CSF Framework Profiles

Answer 11

Determine success or failure of information security implementation. Implementation guides with insight specific to a particular industry

Question 12

Tier Levels

Answer 12

Tier 1 (partial)
Tier 2 (risk informed)
Tier 3 (Repeatable)
Tier 4 (Adaptive)

Question 13

Tier Categories

Answer 13

Risk management process
Integrated risk management program
External participation

Question 14

Tier 1 (partial)

Answer 14

Risk management Process: Ad hoc and reactive
Integrated Risk Management: Not integrated into organization processes
External Participation: does not evaluate external risks, cybersecurity is isolated

Question 15

Tier 2 (Risk Informed)

Answer 15

Risk Management Process: CS prioritization is based on org risk, and management approves CS efforts
Integrated Risk Management: org is aware of CS but not managing securely
External Participation: there is awareness but inconsistent actions are taken to respond to those risks

Question 16

Tier 3 (Repeatable)

Answer 16

Risk Management Process: org utilizes CS in planning and has enshrined CS practices in formal policies
Integrated Risk Management: a org risk approach to CS where CS is integrated into planning and regularly communicated
External Participation: org collabs w/ and contributes to security community at large. Has gov structures internally to manage cyber risk

Question 17

Tier 4 (Adaptive)

Answer 17

Risk Management Process: org CS is based on iterative improvements based on internal/external cyber incidents
Integrated Risk Management: managing CS is a org wide affair, cyber risk is prioritized
External Participation: org robustly participates in external info sharing activities

Question 18

Current Profile

Answer 18

Current state of the org risk managment

Question 19

Target profile

Answer 19

Desired future state of org risk management

Question 20

Gap Analysis

Answer 20

Identifies differences between the current and desired state

Question 21

NIST Privacy Framework

Answer 21

Protect individuals data as used in data processing applications. Developed to be industry agnostic and to account for cultural and individual constructs around privacy

Question 22

Privacy Framework Core Components (PICCG)

Answer 22

Identify
Govern
Control
Communicate
Protect

Question 23

Govern

Answer 23

What is the best governance structure for privacy risks related to the company’s data processing activities?

Question 24

Control

Answer 24

What is the best management structure for privacy risks related to data processing activities

Question 25

Communicate

Answer 25

How should the org drive dialogue around privacy risks related to data processing activities

Question 26

NIST SP 800-53 Framework

Answer 26

Set of security and privacy controls applicable to all info systems and now the standard for federal info security systems. Designed for protecting, care about effectiveness not cost

Question 27

SP 800-53 Security and Privacy Requirements

Answer 27

OMB - requires the controls for federal information systems
FISMA - requires the implementation of minimum controls to protect federal info and info systems

Question 28

Common (Inheritable) Control

Answer 28

Implement controls at the org level, which are adopted by info systems

Question 29

System Specific Control

Answer 29

Implement controls at the information system level

Question 30

Hybrid Control

Answer 30

Implement controls at the org level where appropriate and the rest at the info system level

Question 31

Data Breach Costs

Answer 31

Detection and escalation: Cost to detect
Notification: costs to notify parties
Post-breach Response: Cost to rectify effects
Loss of Business and Revenue: temp lost do to down time

Question 32

HIPAA

Answer 32

Health Insurance Portability and Accountability Act required the department of health and human services to adopt national standards promoting health care privacy and security

Question 33

HIPPA Security Rule

Answer 33

Specifically governs electronic PHI. Under the security Rule all covered entities must:
ensure the confidentiality, integrity, and availability of all electronic PHI;
Protect against reasonably anticipated threats;
Ensure compliance

Question 34

HITECH

Answer 34

Amended HIPPA:
Increased penalties for HIPPA violations
Required that patients receive the option to obtain records in electronic form
Breach rule to notify within 60 days of discovery

Question 35

GDPR (Data Protection) Principals

Answer 35

European Unions general applicability law regulating the privacy of data

Question 36

Lawfulness, Fairness, Transparency

GDPR

Answer 36

Data must be processed lawfully, fairly, and in a transparent manner

Question 37

Purpose Limitation

GDPR

Answer 37

Data must be processed for specified, explicate, and legitimate purposes

Question 38

Data Minimization

GDPR

Answer 38

Data processing must be adequate, relevant, and limited to what is necessary

Question 39

Accuracy

GDPR

Answer 39

Data must be accurate and kept updated

Question 40

Storage Limitation

GDPR

Answer 40

Data must be stored only for as long as necessary. storing it for longer periods is permitted for public interest archiving, scientific or historical research, or statistical purposes.

Question 41

Integrity and Confidentiality

GDPR

Answer 41

Data must be processed securely and protected against unauthorized access, accidental loss, destruction, or damage

Question 42

Payment Card Industry Data Security Standard

Answer 42

A framework to apply to promote data security when processing payments

Question 43

Build and Maintain a Secure Network and System

PCI DSS

Answer 43

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor supplied defaults for system passwords

Question 44

Protect cardholder Data

PCI DSS

Answer 44

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open networks

Question 45

Maintain a Vulnerability Management Program

PCI DSS

Answer 45

5. Protect all systems against malware and regularly update anti-virus software programs
6. Develop and maintain secure system applications

Question 46

Implement Strong Access Control Measures

PCI DSS

Answer 46

7. Restrict access to cardholder data through need to know restrictions
8. Identify and authenticate access to system components

Question 47

Regularly Monitor and Test Networks

PCI DSS

Answer 47

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Question 48

CIS

Answer 48

The Center for Internet Security. Controls are a recommended set of actions, processes, and best practices that can be adopted and implemented by organizations to strengthen their cybersecurity defenses.

Question 49

CIS Control Principles OFFAM

Answer 49

Offense Informs Defense
Focus
Feasible
Align
Measurable

Question 50

Align

CIS Principle

Answer 50

Controls should map to other top cybersecurity standards like NIST VS, COBIT, HIPPA

Question 51

Measurable

CIS Principle

Answer 51

Controls should be simple and measurable, avoiding vague language

Question 52

Offense Informs Defense

CIS Prinicple

Answer 52

Controls are drafted based on data from actual CS attacker behavior and how to defend against it

Question 53

Focus

CIS Principle

Answer 53

Controls should help prioritize the most critical problems and avoid resolving every CS issue

Question 54

Feasible

CIS Principle

Answer 54

All recommendations should be practical

Question 55

IG1

Answer 55

Group is for small or mid sized orgs that have limited CS defense mechanisms in place

Question 56

IG2 (includes IG1)

Answer 56

Group is for companies that have IT staff who support multiple departments that have various risk profiles and typically handle sensitive client data

Question 57

IG3 (Includes IG1 and IG2)

Answer 57

Group for companies that have security experts in all domains within CS such as penetration testing, risk management, and application security.

Question 58

CIS Control 01

Answer 58

Inventory and Control of Enterprise Assets: Helps orgs actively track and manage all IT assets connected to a company’s IT infrastructure physically or virtually with a cloud environment

Question 59

CIS Control 2

Answer 59

Inventory and Control of Software Assets: Provides recommendations for orgs to track and actively manage all software applications so that only authorized software can be installed

Question 60

CIS Control 3

Answer 60

Data Protection: Helps orgs develop ways to securely manage the entire life cycle of their data

Question 61

CIS Control 4

Answer 61

Configuration of Enterprise Assets and Software: this control helps orgs establish and maintain secure baseline configurations for their enterprise assets

Question 62

CIS Control 5

Answer 62

Account Management: Outlines best practices for companies to manage credentials and authorization for user accounts, privileged user accounts, and service accounts for company hardware and software applications

Question 63

CIS Control 6

Answer 63

Access Control Management: Control expands on 5 by specifying the type of access that user accounts should have

Question 64

CIS Control 7

Answer 64

Continuous Vulnerability Management: Control assists org in continuously identifying and tracking vulnerabilities within its infrastructure so that it can remediate and eliminate weak points or windows

Question 65

CIS Control 8

Answer 65

Audit Log Management: Control establishes an enterprise log management process so that organizations can be alerted and recover from an attack in real time

Question 66

CIS Control 10

Answer 66

Malware Defense: assists companies in preventing the installation and propagation of malware onto company assets and its network

Question 66

CIS Control 9

Answer 66

Email and Web Browser Protections: Provides recommendations on how to detect and protect against cybercrime attempted through email or the internet

Question 67

CIS Control 11

Answer 67

Data Recovery: Establishes data backup, testing, and restoration processes that allow organizations to effectively recover company assets

Question 68

CIS Control 12

Answer 68

Network Infrastructure Management: This control establishes procedures and tools for managing and securing a company’s network infrastructure

Question 69

CIS Control 13

Answer 69

Network Monitoring and Defense: Establishes processes for monitoring and defending a company’s network infrastructure against internal and external security threats

Question 70

CIS Control 14

Answer 70

Security Awareness and Skill Training: Guides organizations in establishing a security awareness and training program to reduce cybersecurity risk

Question 71

CIS Control 15

Answer 71

Service Provider Management: helps organizations develop processes to evaluate third party service providers that have access to sensitive data or that are responsible for managing some or all of a company’s IT functions

Question 72

CIS Control 16

Answer 72

Application Software Security: establishes safeguards that manage the entire life cycle of software that is acquired, hosted, or developed in house to detect, deter and resolve CS weaknesses before they are exploited

Question 73

CIS Control 17

Answer 73

Incident Response Management: Provides the recommendations necessary to establish an incident response management program to detect, respond, and prepare for potential CS attacks

Question 73

CIS Control 18

Answer 73

Penetration Testing: Control helps organizations test the sophistication of their CS defense system in place by simulating actual attacks in effort to find and exploit weakness.

Question 74

COBIT

Answer 74

Control Objectives for Information and Related Technologies
provides a road map that organizations can use to implement best practices for IT governance and management.

Question 75

COBIT Principles for Governance System GETPHD

Answer 75

Governance Distinct from Management (Distinct)
End to end governance system (End to end)
Tailored to enterprise needs (Tailored)
Provide stakeholder Value (Value)
Holistic approach (Holistic)
Dynamic governance system (Dynamic)

Question 76

COBIT Principles for a Governance Framework BOA

Answer 76

Based on conceptual model
Open and flexible
Aligned to major standards

Question 77

Provide stakeholder Value (Value)

Answer 77

gov system should create value for the company’s stakeholders by balancing benefits, risks, and resources

Question 78

Holistic approach (Holistic)

Answer 78

gov systems for IT can comprise diverse components, collectively providing a holistic model.

Question 79

Dynamic governance system (Dynamic)

Answer 79

When a change in one gov system occurs, the impact on all others should be considered so that the system continues to meet the demands of the organization. continue to be relevant while adjusting as a new challenge arises

Question 80

Governance Distinct from Management (Distinct)

Answer 80

Management activities and governance systems should be clearly distinguished from each other because they have different functions

Question 81

Tailored to enterprise needs (Tailored)

Answer 81

gov models should be customized to each individual company, using design factors to prioritize and tailor the system

Question 82

End to end governance system (End to end)

Answer 82

All processes in the org involving info and tech should be factored into an end to end approach

Question 83

COBIT Governance Objectives

Answer 83

One domain: evaluate, direct, and monitor (EDM): those charged with governance evaluate strategic objectives, direct management to achieve those objectives, and monitor whether they are being met

Question 84

COBIT Management Objectives

Answer 84

Four domains
Align, plan and organize (APO)
Build, acquire, and implement (BAI)
Deliver, service, and support (DSS)
Monitor, evaluate, and assess (MEA)

Question 85

Objectives of EDM Domain

Answer 85

Ensuring benefits delivery
Governance framework setting
Risk optimization
Resource optimization
Stakeholder engagement

Question 86

APO Domain

Answer 86

Focuses on aligning information tech overall strategy, planning how to utilize technology in business operation of the organization, and organizing the resources for their most effective and efficient usage. 14 objectives - managed data is most significant

Question 87

BAI Domain

Answer 87

Addresses the building, acquiring, and implementation of information technology solutions in the organizations business processes. 11 objectives, offering guidance on requirements definition, identifying solutions, managing capacity, availability, org change…

Question 88

DSS Domain

Answer 88

Addresses the delivery, service, and support of IT services. 6 objectives - service request is most important

Question 89

MEA Domain

Answer 89

Addresses information tech conformance to the company’s performance targets and control objectives along with external requirements. Accomplished through continuous monitoring, evaluation, and assessment of info tech systems. 4 objectives - managed system of internal control is most important

Question 90

COBIT Components to Satisfy Objectives

Answer 90

Processes: activities to achieve goals
Organizational Structures: decision making entities
Principals, Policies and Frameworks:
Information: info needed for gov system to work
Culture, Ethic, and Behavior: tone at top
People, Skills, and Competencies: needed to make sound decisions
Services, Infrastructure, and Applications: gov system tools and resources needed for info tech processing

Question 91

COBIT Design Factors

Answer 91

Enterprise Strategy
Enterprise Goals
Risk Profile
Information and Technology Issues
Threat Landscape
Compliance Requirements
Role of IT
Sourcing Model for IT
IT Implementation Methods
Technology Adoption Strategy
Size of Company

Question 92

COBIT Publications

Answer 92

Designed so that companies could adopt its recommendations in a way that is customized to their own needs

Question 93

COBIT 2019 Framework: Introduction and Methodology

Answer 93

Introduces the core concepts of the framework

Question 94

COBIT 2019 Framework: Governance and Management Objectives

Answer 94

Provides a outline of the 40 management and governance objectives, components and references

Question 95

COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

Answer 95

Covers design topics that influence governance as well as a guideline for designing a customized gov system

Question 96

COBIT 2019 Implementation Guide: Implementing and Optimizing an Information nd Technology Governance Solution

Answer 96

Provides a road map for continuous improvements when designing information tech gov systems -used in conjunction with design guide