ISC #1

Question 1

The 4 CSF tier under the NIST CSF

Answer 1

1. When incident management not integrated into organizational processes and is often ad hoc, this risk management program integration would fall under the Tier 1 (partial) CSF tier
2. Tier 2 (risk-informed) implementation involves cybersecurity awareness by the rest of the organization but does not involve being securely managed
3. Tier 3 (repeatable) implementation involves an organizational risk approach to cybersecurity where it is integrated into planning and regularly communicated among senior leadership
4. Tier 4 (adaptive) implementation involves the prioritization of managing cyber risks similar to other forms of organizational risks

Question 2

CSF Organizational Profiles

Answer 2

The current profile contains the current status of the organization’s risk management while the target profile contains the desired future status of the organization’s risk management. Utilizing both of these profiles to conduct a gap analysis will help identify differences between the current and desired state, allowing the organization to drive change.

Question 3

3 Primary Components to manage cybersecurity risk

Answer 3

CSF Core
CSF Tiers
CSF Organizational Profiles

Question 4

CSF Core consists of 6 functions

Answer 4

Govern - establishes, communicates, and monitors the orgs cybersecurity risk mgmt strategy, expectations, and policy
Identify - understanding assets, suppliers, and their cybersecurity risks
Protect - secure its assets to prevent or reduce its likelihood and impact of adverse events
Detect - timely discovery of cybersecurity incidents
Respond - contain the effect of cybersecurity incidents
Recover - timely restoration to normal operations

Question 5

Privacy Framework Core

Answer 5

Identify
Govern
Control
Communicate
Protect
Detect
Respond
Recover

Question 6

HIPPA established

Answer 6

2009

Question 7

GDPR established

Answer 7

May 2018

Question 8

COBIT established

Answer 8

1996

Question 9

COBIT CORE MODEL: Governance Objectives

Answer 9

EDM: Those charged with governance evaluate strategic objectives, direct management to achieve those objectives, and monitor whether objectives are being met
*governance framework setting and maintenance, resource optimization, and benefits delivery

Question 10

COBIT CORE MODEL: 4 Management Objectives

Answer 10

1. APO - Focuses on information technology’s overall strategy, organization, and supporting activities
   *managed security, managed human resources, and managed budget and costs
2. BAI - Addresses the implementation of information technology’s solutions in the organization’s business process
   *managed knowledge, managed organizational change, and managed availability and capacity
3. DDS - Addresses the security, delivery, and support of IT services
   *service requests and incidents, managed problems, and managed security devices
4. MEA - Addresses information technology’s conformance to the company’s performance targets and control objectives along with external requirements
   *managed performance and conformance monitoring, managed system of internal control, managed compliance with external requirements, and managed assurance

Question 11

3 Principles for a governance framework under COBIT 2019

Answer 11

1. Based on Conceptual Model
2. Open and Flexible
3. Aligned to Major Standards

Question 12

Governance Control System

Answer 12

1. Processes
2. Organizational structures
3. Principles, policies, and frameworks
4. Information
5. Culture, ethics, and behavior
6. People, skills, and competencies
7. Services, infrastructure, and applications