S1 M1

Question 1

3 components to manage cybersecurity risk

Answer 1

Framework core
Implementation tiers
Framework profile

Question 2

Purpose of NIST CSF?

Answer 2

To identify, assess, and manage cybersecurity risks in a cost effective and repeatable manner

Question 3

5 CSF Core components

Answer 3

Identify
Protect
Detect
Respond
Recover

Question 4

CSF Implementation Tiers

Answer 4

Tier 1 - partial (not integrated; ad hoc and situational risk management)
Tier 2 - risk informed (some are aware of risks, but not yet integrated; no action taken)
Tier 3 - repeatable (formal, documented policies, cybersecurity is implemented into planning)
Tier 4 - adaptive (Fully integrated and cybersecurity is prioritized)

Question 5

CSF Profiles

Answer 5

Current profile - current level of risk management
Target profile - Where you would like your risk management to be
Gap analysis - difference between current and target

Question 6

Privacy framework core

Answer 6

Identify
Protect
Detect
Respond
Recover
Control
Communicate
Govern

Question 7

Difference between NIST security and privacy controls and NIST CSF and privacy framework

Answer 7

CSF and privacy framework are designed to manage cybersecurity risks in a cost effective manner, security and privacy controls are designed to protect against sophisticated threats. Must more detailed and stricter.

Question 8

Three NIST SP control implementation approaches

Answer 8

Common - implementation at the organizational level
System-specific - Implementation at the information system level
Hybrid - combination based on appropriateness