ISC #1 Flashcards
The 4 CSF tiers under the NIST CSF
- When incident management is not integrated into organizational processes and is often ad hoc, risk management program integration falls under the Tier 1 (Partial) CSF tier
- Tier 2 (Risk-Informed) implementation involves cybersecurity awareness by the rest of the organization, but it does not yet involve cybersecurity risk being formally managed
- Tier 3 (Repeatable) implementation involves an organizational risk approach to cybersecurity, where cybersecurity is integrated into planning and regularly communicated among senior leadership
- Tier 4 (Adaptive) implementation involves prioritizing the management of cyber risks in the same way as other forms of organizational risk
CSF Organizational Profiles
The current profile contains the current status of the organization’s risk management while the target profile contains the desired future status of the organization’s risk management. Utilizing both of these profiles to conduct a gap analysis will help identify differences between the current and desired state, allowing the organization to drive change.
3 Primary Components to manage cybersecurity risk
CSF Core
CSF Tiers
CSF Organizational Profiles
CSF Core consists of 6 functions
Govern - establishes, communicates, and monitors the organization's cybersecurity risk management strategy, expectations, and policy
Identify - understanding assets, suppliers, and their cybersecurity risks
Protect - secures the organization's assets to prevent or reduce the likelihood and impact of adverse events
Detect - timely discovery of cybersecurity incidents
Respond - contain the effect of cybersecurity incidents
Recover - timely restoration to normal operations
Privacy Framework Core
Identify
Govern
Control
Communicate
Protect
Detect
Respond
Recover
HIPAA established
2009
GDPR established
May 2018
COBIT established
1996
COBIT CORE MODEL: Governance Objectives
EDM: Those charged with governance evaluate strategic objectives, direct management to achieve those objectives, and monitor whether objectives are being met
*governance framework setting and maintenance, resource optimization, and benefits delivery
COBIT CORE MODEL: 4 Management Objectives
- APO - Focuses on information technology’s overall strategy, organization, and supporting activities
*managed security, managed human resources, and managed budget and costs
- BAI - Addresses the implementation of information technology’s solutions in the organization’s business process
*managed knowledge, managed organizational change, and managed availability and capacity
- DSS - Addresses the security, delivery, and support of IT services
*service requests and incidents, managed problems, and managed security devices
- MEA - Addresses information technology’s conformance to the company’s performance targets and control objectives along with external requirements
*managed performance and conformance monitoring, managed system of internal control, managed compliance with external requirements, and managed assurance
3 Principles for a governance framework under COBIT 2019
- Based on Conceptual Model
- Open and Flexible
- Aligned to Major Standards
Governance Control System
- Processes
- Organizational structures
- Principles, policies, and frameworks
- Information
- Culture, ethics, and behavior
- People, skills, and competencies
- Services, infrastructure, and applications