S1

Question 1

NIST

Answer 1

National Institute of Standards and Technology Framework (1901) (1995 - Info Security). Here to protect us

Question 2

Why do we need IT?

Answer 2

Organizations adopt technology to enhance or support business operations; protect digital records and assets; safeguards physical assets

Question 3

NIST Cybersecurity Framework

Answer 3

Voluntary framework that includes three components to manage cybersecurity risk:
1. Framework
2. Framework Implementation
3. Framework Profile

Question 4

CS Framework Core ComponentsDRRIP

Answer 4

Identify
Protect
Detect
Respond
Recover

Question 5

Identify ID

Privancy Core

Answer 5

Keep records of: assets of the organization, system users internal/external, information process operations and all system used

Question 6

Protect

Privancy Core

Answer 6

Focus on deploying safeguards and access controls to networks, applications, and devices.
Performing regular updates to security software
Performing data backups, developing plans for disposing of files or unused devices and user training

Question 7

Detect

Answer 7

Deploy tools to: Detect cyber security attacks.
Monitor network access points, user devices, unauthorized personnel access.

Question 8

Respond

Answer 8

Develop response polices addressing how to:
Contain a cybersecurity event
React using planned responses that mitigate losses
Notify

Question 9

Recover

Privacy Core

Answer 9

Focuses on:
Supporting the restoration of a company’s network to normal operations
Restoring backed up files or environments

Question 10

Implementation Tiers

Answer 10

How sophisticated is a company’s security infrastructure?
Inform an organization as to the effectiveness of those profiles.
Tiers act as a benchmark, identifying the degree to which information security practices are integrated throughout an organization.

Question 11

CSF Framework Profiles

Answer 11

Determine success or failure of information security implementation. Implementation guides with insight specific to a particular industry

Question 12

Tier Levels

Answer 12

Tier 1 (partial)
Tier 2 (risk informed)
Tier 3 (Repeatable)
Tier 4 (Adaptive)

Question 13

Tier Categories

Answer 13

Risk management process
Integrated risk management program
External participation

Question 14

Tier 1 (partial)

Answer 14

Risk management Process: Ad hoc and reactive
Integrated Risk Management: Not integrated into organization processes
External Participation: does not evaluate external risks, cybersecurity is isolated

Question 15

Tier 2 (Risk Informed)

Answer 15

Risk Management Process: CS prioritization is based on org risk, and management approves CS efforts
Integrated Risk Management: org is aware of CS but not managing securely
External Participation: there is awareness but inconsistent actions are taken to respond to those risks

Question 16

Tier 3 (Repeatable)

Answer 16

Risk Management Process: org utilizes CS in planning and has enshrined CS practices in formal policies
Integrated Risk Management: a org risk approach to CS where CS is integrated into planning and regularly communicated
External Participation: org collabs w/ and contributes to security community at large. Has gov structures internally to manage cyber risk

Question 17

Tier 4 (Adaptive)

Answer 17

Risk Management Process: org CS is based on iterative improvements based on internal/external cyber incidents
Integrated Risk Management: managing CS is a org wide affair, cyber risk is prioritized
External Participation: org robustly participates in external info sharing activities

Question 18

Current Profile

Answer 18

Current state of the org risk managment

Question 19

Target profile

Answer 19

Desired future state of org risk management

Question 20

Gap Analysis

Answer 20

Identifies differences between the current and desired state

Question 21

NIST Privacy Framework

Answer 21

Protect individuals data as used in data processing applications. Developed to be industry agnostic and to account for cultural and individual constructs around privacy

Question 22

Privacy Framework Core Components (PICCG)

Answer 22

Identify
Govern
Control
Communicate
Protect

Question 23

Govern

Privacy Core

Answer 23

What is the best governance structure for privacy risks related to the company’s data processing activities?

Question 24

Control

Privacy Framework Core

Answer 24

What is the best management structure for privacy risks related to data processing activities

Question 25

Communicate

Privacy Framework Core

Answer 25

How should the org drive dialogue around privacy risks related to data processing activities

Question 26

NIST SP 800-53 Framework

Answer 26

Set of security and privacy controls applicable to all info systems and now the standard for federal info security systems. Designed for protecting, care about effectiveness not cost

Question 27

SP 800-53 Security and Privacy Requirements

Answer 27

OMB - requires the controls for federal information systems
FISMA - requires the implementation of minimum controls to protect federal info and info systems

Question 28

Common (Inheritable) Control

NIST SP 800-53

Answer 28

Implement controls at the org level, which are adopted by info systems

Question 29

System Specific Control

NIST SP 800-53

Answer 29

Implement controls at the information system level

Question 30

Hybrid Control

NIST SP 800-53

Answer 30

Implement controls at the org level where appropriate and the rest at the info system level

Question 31

Data Breach Costs

Answer 31

Detection and escalation: Cost to detect
Notification: costs to notify parties
Post-breach Response: Cost to rectify effects
Loss of Business and Revenue: temp lost do to down time

Question 32

HIPAA

Answer 32

Health Insurance Portability and Accountability Act required the department of health and human services to adopt national standards promoting health care privacy and security

Question 33

HIPAA Security Rule

Answer 33

Specifically governs electronic PHI. Under the security Rule all covered entities must:
ensure the confidentiality, integrity, and availability of all electronic PHI;
Protect against reasonably anticipated threats;
Ensure compliance

Question 34

HITECH

Answer 34

Amended HIPPA:
Increased penalties for HIPPA violations
Required that patients receive the option to obtain records in electronic form
Breach rule to notify within 60 days of discovery

Question 35

GDPR (Data Protection) Principals

Answer 35

European Unions general applicability law regulating the privacy of data

Question 36

Lawfulness, Fairness, Transparency

GDPR

Answer 36

Data must be processed lawfully, fairly, and in a transparent manner

Question 37

Purpose Limitation

GDPR

Answer 37

Data must be processed for specified, explicate, and legitimate purposes

Question 38

Data Minimization

GDPR

Answer 38

Data processing must be adequate, relevant, and limited to what is necessary

Question 39

Accuracy

GDPR

Answer 39

Data must be accurate and kept updated

Question 40

Storage Limitation

GDPR

Answer 40

Data must be stored only for as long as necessary. storing it for longer periods is permitted for public interest archiving, scientific or historical research, or statistical purposes.

Question 41

Integrity and Confidentiality

GDPR

Answer 41

Data must be processed securely and protected against unauthorized access, accidental loss, destruction, or damage

Question 42

Payment Card Industry Data Security Standard

Answer 42

A framework to apply to promote data security when processing payments

Question 43

Build and Maintain a Secure Network and System

PCI DSS

Answer 43

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor supplied defaults for system passwords

Question 44

Protect cardholder Data

PCI DSS

Answer 44

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open networks

Question 45

Maintain a Vulnerability Management Program

PCI DSS

Answer 45

5. Protect all systems against malware and regularly update anti-virus software programs
6. Develop and maintain secure system applications

Question 46

Implement Strong Access Control Measures

PCI DSS

Answer 46

7. Restrict access to cardholder data through need to know restrictions
8. Identify and authenticate access to system components

Question 47

Regularly Monitor and Test Networks

PCI DSS

Answer 47

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Question 48

CIS

Answer 48

The Center for Internet Security. Controls are a recommended set of actions, processes, and best practices that can be adopted and implemented by organizations to strengthen their cybersecurity defenses.

Question 49

CIS Control Principles OFFAM

Answer 49

Offense Informs Defense
Focus
Feasible
Align
Measurable

Question 50

Align

CIS Principle

Answer 50

Controls should map to other top cybersecurity standards like NIST VS, COBIT, HIPPA

Question 51

Measurable

CIS Principle

Answer 51

Controls should be simple and measurable, avoiding vague language

Question 52

Offense Informs Defense

CIS Prinicple

Answer 52

Controls are drafted based on data from actual CS attacker behavior and how to defend against it

Question 53

Focus

CIS Principle

Answer 53

Controls should help prioritize the most critical problems and avoid resolving every CS issue

Question 54

Feasible

CIS Principle

Answer 54

All recommendations should be practical

Question 55

IG1

CIS Impletmentation Group

Answer 55

Group is for small or mid sized orgs that have limited CS defense mechanisms in place

Question 56

IG2 (includes IG1)

CIS Impletmentation Group

Answer 56

Group is for companies that have IT staff who support multiple departments that have various risk profiles and typically handle sensitive client data

Question 57

IG3 (Includes IG1 and IG2)

CIS Impletmentation Group

Answer 57

Group for companies that have security experts in all domains within CS such as penetration testing, risk management, and application security.

Question 58

CIS Control 01

Inventory and Control of Enterprise Assets

Answer 58

Inventory and Control of Enterprise Assets: Helps orgs actively track and manage all IT assets connected to a company’s IT infrastructure physically or virtually with a cloud environment

Question 59

CIS Control 2

Inventory and Control of Software Assets

Answer 59

Provides recommendations for orgs to track and actively manage all software applications so that only authorized software can be installed

Question 60

CIS Control 3

Data Protection

Answer 60

Helps orgs develop ways to securely manage the entire life cycle of their data

Question 61

CIS Control 4

Configuration of Enterprise Assets and Software

Answer 61

this control helps orgs establish and maintain secure baseline configurations for their enterprise assets

Question 62

CIS Control 5

Account Management

Answer 62

Outlines best practices for companies to manage credentials and authorization for user accounts, privileged user accounts, and service accounts for company hardware and software applications

Question 63

CIS Control 6

Access Control Management

Answer 63

Control expands on 5 by specifying the type of access that user accounts should have

Question 64

CIS Control 7

Continuous Vulnerability Management

Answer 64

Control assists org in continuously identifying and tracking vulnerabilities within its infrastructure so that it can remediate and eliminate weak points or windows

Question 65

CIS Control 8

Audit Log Management

Answer 65

Control establishes an enterprise log management process so that organizations can be alerted and recover from an attack in real time

Question 66

CIS Control 10

Malware Defense

Answer 66

assists companies in preventing the installation and propagation of malware onto company assets and its network

Question 67

CIS Control 9

Email and Web Browser Protections:

Answer 67

Provides recommendations on how to detect and protect against cybercrime attempted through email or the internet

Question 68

CIS Control 11

Data Recovery

Answer 68

Establishes data backup, testing, and restoration processes that allow organizations to effectively recover company assets

Question 69

CIS Control 12

Network Infrastructure Management:

Answer 69

This control establishes procedures and tools for managing and securing a company’s network infrastructure. Network infrastrucutre is up to date, maintain a secure network architecture

Question 70

CIS Control 13

Network Monitoring and Defense

Answer 70

Establishes processes for monitoring and defending a company’s network infrastructure against internal and external security threats

Question 71

CIS Control 14

Security Awareness and Skill Training:

Answer 71

Guides organizations in establishing a security awareness and training program to reduce cybersecurity risk

Question 72

CIS Control 15

Service Provider Management

Answer 72

helps organizations develop processes to evaluate third party service providers that have access to sensitive data or that are responsible for managing some or all of a company’s IT functions

Question 73

CIS Control 16

Application Software Security

Answer 73

establishes safeguards that manage the entire life cycle of software that is acquired, hosted, or developed in house to detect, deter and resolve CS weaknesses before they are exploited

Question 74

CIS Control 17

Incident Response Management:

Answer 74

Provides the recommendations necessary to establish an incident response management program to detect, respond, and prepare for potential CS attacks

Question 75

CIS Control 18

Penetration Testing

Answer 75

Control helps organizations test the sophistication of their CS defense system in place by simulating actual attacks in effort to find and exploit weakness.

Question 76

COBIT

Answer 76

Control Objectives for Information and Related Technologies
provides a road map that organizations can use to implement best practices for IT governance and management.

Question 77

COBIT Principles for Governance System GETPHD

Answer 77

Governance Distinct from Management (Distinct)
End to end governance system (End to end)
Tailored to enterprise needs (Tailored)
Provide stakeholder Value (Value)
Holistic approach (Holistic)
Dynamic governance system (Dynamic)

Question 78

COBIT Principles for a Governance Framework BOA

Answer 78

Based on conceptual model
Open and flexible
Aligned to major standards

Question 79

Provide stakeholder Value (Value)

COBIT

Answer 79

gov system should create value for the company’s stakeholders by balancing benefits, risks, and resources

Question 80

Holistic approach (Holistic)

COBIT

Answer 80

gov systems for IT can comprise diverse components, collectively providing a holistic model.

Question 81

Dynamic governance system (Dynamic)

COBIT

Answer 81

When a change in one gov system occurs, the impact on all others should be considered so that the system continues to meet the demands of the organization. continue to be relevant while adjusting as a new challenge arises

Question 82

Governance Distinct from Management (Distinct)

COBIT

Answer 82

Management activities and governance systems should be clearly distinguished from each other because they have different functions

Question 83

Tailored to enterprise needs (Tailored)

COBIT

Answer 83

gov models should be customized to each individual company, using design factors to prioritize and tailor the system

Question 84

End to end governance system (End to end)

COBIT

Answer 84

All processes in the org involving info and tech should be factored into an end to end approach

Question 85

COBIT Governance Objectives

Answer 85

One domain: evaluate, direct, and monitor (EDM): those charged with governance evaluate strategic objectives, direct management to achieve those objectives, and monitor whether they are being met

Question 86

COBIT Management Objectives

Answer 86

Four domains
Align, plan and organize (APO)
Build, acquire, and implement (BAI)
Deliver, service, and support (DSS)
Monitor, evaluate, and assess (MEA)

Question 87

EDM Domain

Answer 87

Those charged with governance evaluate strategic objectives, direct managment to achieve those objectives, and monitor wheather objectives are being met. 5 objectives:
ensuring business delivery, governance framwork setting, risk optimization, resouce optimization, and stakeholder engagment

Question 88

APO Domain

Answer 88

Focuses on aligning information tech overall strategy, planning how to utilize technology in business operation of the organization, and organizing the resources for their most effective and efficient usage. 14 objectives - managed data is most significant

Question 89

BAI Domain

Answer 89

Addresses the building, acquiring, and implementation of information technology solutions in the organizations business processes. 11 objectives, offering guidance on requirements definition, identifying solutions, managing capacity, availability, org change…

Question 90

DSS Domain

Answer 90

Addresses the delivery, service, and support of IT services. 6 objectives - service request is most important

Question 91

MEA Domain

Answer 91

Addresses information tech conformance to the company’s performance targets and control objectives along with external requirements. Accomplished through continuous monitoring, evaluation, and assessment of info tech systems. 4 objectives - managed system of internal control is most important

Question 92

COBIT Components to Satisfy Objectives

Answer 92

Components are factors that either collectively or individually contribute to the successful execution of a company’s governance system over information technology and systems.

Question 93

COBIT Design Factors

Answer 93

Influence the design of a companys IT goverance system, with a total of 11 factors to consider

Question 94

COBIT Publications

Answer 94

Designed so that companies could adopt its recommendations in a way that is customized to their own needs

Question 95

COBIT 2019 Framework: Introduction and Methodology

Answer 95

Introduces the core concepts of the framework

Question 96

COBIT 2019 Framework: Governance and Management Objectives

Answer 96

Provides a outline of the 40 management and governance objectives, components and references

Question 97

COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

Answer 97

Covers design topics that influence governance as well as a guideline for designing a customized gov system

Question 98

COBIT 2019 Implementation Guide: Implementing and Optimizing an Information nd Technology Governance Solution

Answer 98

Provides a road map for continuous improvements when designing information tech gov systems -used in conjunction with design guide

Question 99

Processes COBIT Component

Answer 99

activities to achieve goals

Question 100

Organizational Structures

Answer 100

decision making entities

Question 101

Principals, Policies and Frameworks

COBIT Compenent

Answer 101

These serve as the guide for turning desired behavior into practice

Question 102

Information

COBIT Compenent

Answer 102

info needed for gov system to work

Question 103

Culture, Ethic, and Behavior

COBIT Component

Answer 103

These factors influence the success of all management and governance activities

Question 104

People, Skills, and Competencies

COBIT Component

Answer 104

These are needed so that sound decisions are made, corrective actions are taken when necessary, and critical objectives are complete

Question 105

Services, Infrastructure, and Applications

COBIT Component

Answer 105

gov system tools and resources needed for info tech processing

Question 106

Enterprise Strategy

COBIT Design Factor

Answer 106

IT governance strategies generally include a primary strategy and a secondary strategy. Examples include growth/acquisition, innovations/differentiation, cost leadership

Question 107

Enterprise Goals

COBIT Design Factor

Answer 107

Goals support the strategy and are structured based on the balanced scorecard dimensions, which are financial, customer, internal, and growth

Question 108

Risk Profile

COBIT Design Factor

Answer 108

Addresses current risk exposure for the organization and maps out which risks exceed the orgz risk appetite

Question 109

Information and Tech Issues

COBIT Design Factor

Answer 109

Common issues include regular IT audit findings of poor IT quality or control, insufficient IT resources, frustration between IT and different departments, hidden IT spending, problems with data quality, and non compliance with applicable regulations.

Question 110

Threat Landscape

COBIT Design Factor

Answer 110

the environment in which the company operates. The threat landscape may be classified as normal or high because of geopolitical threats or issues, the industry sector, or economic issues.

Question 111

Compliance Requirements

COBIT Design Factor

Answer 111

Compliance demands on the company can be classified as low, normal, or high. Classifications are intuitive, with low requirements implying minimal compliance demands, normal compliance indicating that the organization is typical of its industry

Question 112

Role of IT

COBIT Design Factor

Answer 112

Categorized as:
Support - system that is not critical for operating a business or maintaining continuity
Factory - system that will have an immediate impact in business operations and continuity if it fails
Turnaround - system that drives innovation for the business but s not required for critical business operations
Strategic - system that is crucial for both innovation and business operations

Question 113

Sourcing model for IT

COBIT Design Factor

Answer 113

Sourcing is the type of IT procurement model the company adopts, ranging from outsourcing, to cloud based, built in house, or a hybrid of any of these sources

Question 114

Technology Adoption Strategy

COBIT Design Factor

Answer 114

First mover strategy - emerging technologies are adopted as soon as possible to gain an edge
Follower strategy - emerging technologies are adopted after they are prove
Slow-adopter strategy - very late to adopt new tech

Question 115

Enterprise Size

COBIT Design Factor

Answer 115

Two enterprise sizes are defined - large companies with total full-time employee count of more than 250, and small/mid companies with 50 to 250 full time employees

Question 116

Govern Function

NIST Privacy Framework Core

Answer 116

governance policies, process, and procedures
-risk management strategy
-awareness and training
-monitoring review

Question 117

What is are examples of admin safeguards?

HIPPA

Answer 117

-security and awareness training
-information access management
-Contingency plans