M1 - National Institute of Standards and Tech Frameworks Flashcards
Identify
What are the company’s privacy risks related to data processing activities?
Categories:
-Inventory and Mapping
-Business Environment
-Risk Assessment
-Data Processing Ecosystem Risk
Govern
What is the best governance structure for privacy risks related to the company’s data processing activities?
Categories:
-Governance Policies, processes and procedures
-Risk management strategy
-Awareness and training
-Monitoring and review
Control
What is the best management structure for privacy risks related to data processing activities?
Categories:
-Data processing policies, processes and procedures
-Data processing management
-Disassociated processing
Communicate
How should the organization drive dialogue around privacy risks related to data processing activities?
Categories:
-Communication policies, processes and procedures
-Data processing awareness
Protect
What are the safeguards that should be in place around privacy risks related to data processing activities?
Categories:
-Data protection policies, processes and procedures
-Identity management, authentication and access control
-Data security
-Maintenance
-Protective technology
Detect
How should the organization detect data privacy risks and events?
Categories:
-Anomalies and events
-Security Continuous Monitoring
-Detection Processes
Respond
How should the organization respond to data privacy events?
Categories:
-Response planning
-Communications
-Analysis
-Mitigation
-Improvements
Recover
How should the organization respond to data privacy events?
Categories:
-Recovery Planning
-Improvements
-Communications
Tier 1
Partial
Risk Management Process: RM is ad hoc and reactive. IS efforts are not prioritized.
Integration: Incident management is ad hoc and not integrated
External Participation: Corporate cybersecurity is isolated and the org doesn’t evaluate external risks
Tier 2
Risk-Informed
Risk Management Process: CS prioritization is based on org risk. Management approves CS efforts; however, CS may be isolated from org processes
Integration: Awareness, but no integration
External Participation: There is awareness of how environmental security risks impact the organization, but inconsistent actions are taken to respond to these risks
Tier 3
Repeatable
Risk Management Process: Org utilizes CS in planning and has enshrined CS practices in formal, documented policies
Integration: CS is integrated into planning and regularly communicated among senior leadership
External Participation: The org collaborates with and contributes to the security community at large. It also has governance structures internally to manage cyber risk
Tier 4
Adaptive
Risk Management Process: Org CS is based on iterative improvement based on internal and external cyber incidents and is responsive to evolving threats
Integration: Managing CS is an org-wide affair. Cyber risk is prioritized heavily
External participation: The org participates in external information.
Explain the difference between a Current Profile and a Target Profile
Current Profile: the current state of org risk management
Target Profile: desired future state of org risk management
The differences between the current state and future state are identified in a gap analysis