ISC 1 - Regulations, Standards, & Frameworks

Question 1

What is NIST?

Answer 1

National Institute of Standards and Technology

Question 2

What are the core functions of the NIST Privacy Framework?

Answer 2

Communicate
Govern
Identify
Control
Protect
Detect
Respond
Recover

Question 3

What is the protect function of NIST composed of?

Answer 3

1-data protection policies, processes, and procedures
2- identity management, authentications, and access control
3 - data security
4 - data maintenance
5 - protective technology

Question 4

What is the control function of NIST composed of?

Answer 4

1- data processing policies, processes, and procedures
2 - data processing management
3 - disassociated processing

Question 5

What is the identity function of NIST composed of?

Answer 5

1- inventory and mapping
2 - business environment
3 - risk assessment
4 - data processing ecosystem risk management

Question 6

What is the govern function of NIST composed of?

Answer 6

1 - governance policies, processes, and procedures
2- risk management strategy
3- awareness and training
4 - monitoring review

Question 7

What are the four implementation tiers?

Answer 7

Partial
Risk-Informed
Repeatable
Adaptive

Question 8

What are the two framework profiles?

Answer 8

Current and target

Question 9

What is the Health Insurance and Portability Act (HIPAA)?

Answer 9

A business that handles protected health information (PHI) via transmission of health information

Question 10

What is the GDPR?

Answer 10

General Data Protection Regulation; For companies located in the EU, the scope of GDPR applies to data processing organizations.

Question 11

CIS - What is the Inventory and Control of Enterprise Assets?

Answer 11

Actively manage all enterprise assets connected to the infrastructure to accurately know all assets that need to be monitored and protected

Question 12

CIS - What is Inventory and Control of Software Assets?

Answer 12

Actively manage (inv, track, and correct) all software on the network so that only authorized software is installed and executed. Unauthorized and unmanaged software is found and prevented from installation and execution

Question 13

CIS - What is Data Protection?

Answer 13

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data

Question 14

CIS - What is Secure Configuration of Enterprise Assets and Software?

Answer 14

Establish and maintain the secure configuration of enterprise assets and software

Question 15

CIS - What is Account Management?

Answer 15

Assign and manage authorization to credentials for user, admin, and service accounts

Question 16

CIS - What is Access Control Management?

Answer 16

Create, assign, manage, and revoke access credentials and privileges for user, admin, and service accts for assets and software

Question 17

CIS - What is continuous vulnerability management?

Answer 17

Continuously assess and track vulnerabilities on all enterprise assets within their infrastructure, to remediate and minimize the window of opportunity for attackers.

Question 18

CIS - What is Audit Log Management?

Answer 18

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack

Question 19

CIS - What are email and web browser protections?

Answer 19

Improve protections and detections of threats from email and web vectors.

Question 20

CIS - What is Data Recovery?

Answer 20

Implement controls such as protecting recovery data and performing automated backups

Question 21

CIS - What is Network Infrastructure Management?

Answer 21

Est., implement, and actively/securely manage network devices to prevent attackers from exploiting vulnerable network services and access points

Question 22

CIS - What is Network Monitoring & Defense?

Answer 22

Operate processes and tooling to est. and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base

Question 23

CIS - What is Security Awareness and Skills Training?

Answer 23

Est. and maintain a security awareness program, training workforce members to recognize social engineering attacks, and training workforce members on authentication best practices

Question 24

CIS - What is Application Software Security?

Answer 24

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they impact the enterprise

Question 25

CIS - What is Incident Response Management?

Answer 25

Est. a program to develop and maintain an incident response capability (policies, plans, procedures, roles, training, communications) to prepare, detect, and quickly respond to an attack

Question 26

CIS - What is Penetration Testing?

Answer 26

Test the effectiveness and resiliency of enterprise assets by identifying and exploiting weaknesses in controls (people, processes, and technology) and stimulating the objectives and actions of an attacker

Question 27

What are the three principles for a Governance framework?

Answer 27

1 - Based on conceptual model
2 - open and flexible
3 - aligned to major standards

Question 28

What are the COBIT Design Factors?

Answer 28

Risk Profile
Enterprise Strategy
IT implementation methods
Threat Landscape

Question 29

What are the components of the governance system?

Answer 29

Processes
Organizational structures
Principles, policies, and frameworks
Information
Culture, ethics, and behavior
People, skills, and competencies
Services, infrastructure, and applications

Question 30

Evaluate, Direct, and Monitor (5)

Answer 30

1- governance framework setting and maintenance
2 - benefits delivery
3 - risk optimization
4 - resource optimization
5 - stakeholder engagement/management

Question 31

Align, Plan, and Organize

Answer 31

Managed strategy
Managed innovation
Managed risk
Managed data

Question 32

Deliver, Service, and Support (6)

Answer 32

1 - Managed Operations
2 - service requests and incidents
3 - managed problems
4 - managed continuity
5 - managed security services
6 - managed business process controls

Question 33

Build, Acquire, and Implement

Answer 33

• Managed programs, projects, requirements definition, IT changes, assets, knowledge, organizational change, availability and capacity
• resource optimization
• benefits delivery
• governance framework setting and maintenance

Question 34

Monitor, Evaluate, and Assess

Answer 34

• a system of internal control
• performance and conformance monitoring
• assurance
• compliance with external requirements