S1 - Regulation, Standards, and Frameworks

Question 1

NIST Privacy Framework Core Functions:
Protect Function

Answer 1

Has 5 categories:
> data protection policies processes and procedures
> identity management, authentication & access control
> data security
>maintenance
> protective technology.

Question 2

When incident management not integrated into organizational processes and is often ad hoc (“for this situation”), this risk management program integration would fall under

Answer 2

Tier 1 (partial) implementation tier

pq no esta fully integrated entonces es partial.

Question 3

NIST CSF
Tiers:

Answer 3

> Tier 2 (risk informed) implementation involves cybersecurity awareness by the rest of the organization but does not involve being securely managed.

> Tier 3 (repeatable) implementation involves an organizational risk approach to cybersecurity where it is integrated into planning and regularly communicated among senior leadership

> Tier 4 (adaptive) implementation involves the prioritization of managing cyber risks similar to other forms of organizational risks.

Question 4

These are recognized framework profiles under NIST

Answer 4

The current profile and the target profile

DON’T EXIST =>historic profile and the industry profile

Question 5

NIST Privacy Framework Core Functions best describes how the organization should drive dialogue around privacy risks related to data processing activities?

Answer 5

Communicate Function

Question 6

Controls are the objectives to be implemented for family baseline conformance, whereas control enhancements are best practices

Answer 6

Controls are the objectives to be implemented for family baseline conformance, whereas control enhancements are best practices

Question 7

Types of controls:

Answer 7

> Control Enhancements = best practices
Control Baseline. = required to be in conformance to the control family
Control Inheritance. = implemented at the organizational level and adopted/inherited by information systems.

Question 8

Redacted = permitted to disclose

Answer 8

No violation of HIPAA

Question 9

Under the HIPAA Security Rule,

Answer 9

covered entities are required to protect against reasonably anticipated threats to the security of information. These requirements are in place to protect the security of protected health information (PHI) for patients.

Question 10

general data protection regulation (GDPR)

Answer 10

Even though the processing for takes place outside of the EU in the U.S., the scope of GDPR still fully applies.

Question 11

protected health information (PHI)

Answer 11

protected health information (PHI)

Question 12

CIS Critical Security Controls Version 8
Control 06: Access Control Management
(KEY: Access - has the CONTROL to create, assign & manage)

Answer 12

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

Question 13

CIS Critical Security Controls Version 8
Control 05: Account Management
(KEY: Account no crea pero al igual assign & manage)

Answer 13

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

Question 14

CIS Critical Security Controls Version 8
Control 02: Inventory and Control of Software Assets

Answer 14

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Question 15

CIS Critical Security Controls Version 8
Control 08: Audit Log Management

Answer 15

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Question 16

CIS Critical Security Controls Version 8
Control 01: Inventory and Control of Enterprise Assets

Answer 16

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

Question 17

CIS Critical Security Controls Version 8
Control 04: Secure Configuration of Enterprise Assets and Software
(KEY: configuration=establish +maintains)

Answer 17

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

Question 18

CIS Critical Security Controls Version 8
Control 03: Data Protection
(KEY: Data -Dispose)

Answer 18

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Question 19

CIS Critical Security Controls Version 8
Control 07: Continuous Vulnerability Management
(KEY: develops a plan)

Answer 19

Develop a plan to continuously/periodically assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

I.E. underscores the criticality of regular review of the cyberenvironment to identify weaknesses in order to help deter attackers?

Question 20

CIS Critical Security Controls Version 8
Control 09: Email and Web Browser Protections

Answer 20

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

Question 21

CIS Critical Security Controls Version 8
Control 18: Penetration Testing

Answer 21

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating the objectives and actions of an attacker.

Question 22

CIS Critical Security Controls Version 8
Control 13: Network Monitoring and Defense

Answer 22

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

Question 23

CIS Critical Security Controls Version 8
Control 16: Application Software Security

Answer 23

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

Question 24

CIS Critical Security Controls Version 8
Control 17: Incident Response Management

Answer 24

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

Question 25

CIS Critical Security Controls Version 8 Control 12: Network Infrastructure Management

Answer 25

Establish, implement, and actively manage (track, report, correct) network devices in order to prevent attackers from exploiting vulnerable network services and access points.

Question 26

CIS Critical Security Controls Version 8 Control 14: Security Awareness and Skills Training..

Answer 26

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Question 27

CIS Critical Security Controls Version 8 Control 10: Malware Defenses.

Answer 27

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Question 28

CIS Critical Security Controls Version 8 Control 11: Data Recovery.

Answer 28

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

Question 29

principles for a governance framework under COBIT 2019

Answer 29

> Based on conceptual model > open and flexible > aligned to major standards.

Question 30

COBIT core model Build, Acquire, and Implement (BAI) KEY: Manage org & programas

Answer 30

includes 11 objectives, such as managed programs, managed projects, managed requirements definition, managed IT changes, and managed assets. i.e. managed knowledge, managed organizational change, and managed availability and capacity.

Question 31

COBIT core model Deliver, Service, and Support (DSS) [KEY: DDS=Dentist = problems & CONTINUITY)

Answer 31

includes six objectives, such as managed operations, service requests and incidents, managed problems, managed continuity, managed security services, and managed business process controls.

Question 32

COBIT core model Evaluate, Direct, and Monitor (EDM) (KEY: EDM-STAKEHOLDER)

Answer 32

includes five objectives: Ensured governance framework setting and maintenance, ensured benefits delivery, ensured risk optimization, ensured resource optimization, and ensured stakeholder engagement.

Question 33

COBIT core model Align, Plan, and Organize (APO) KEY: Manage people, portfolio/budget

Answer 33

includes 14 objectives, such as managed strategy, managed innovation, managed portfolio, managed risk, and managed data I.E. managed security, managed human resources, and managed budget and costs.

Question 34

COBIT core model Monitor, Evaluate, and Assess (MEA)

Answer 34

four objectives : Managed assurance, managed performance and conformance monitoring, managed system of internal control, and managed compliance with external requirements.

Question 35

components of the governance system

Answer 35

Processes; organizational structures; principles, policies, and frameworks; information; culture, ethics, and behavior; people, skills, and competencies; and services, infrastructure, and applications.

Question 36

COBIT design factors Threat landscape

Answer 36

described as the environment in which the company operates and may be classified as normal or high due to factors such as the industry sector or economic issues

Question 37

COBIT design factors Enterprise strategy

Answer 37

defined as strategies that generally include a primary and secondary strategy, such as growth/acquisition, innovation/differentiation, cost leadership, and client service strategies.

Question 38

COBIT design factors IT implementation methods

Answer 38

defined as the methods that can be used to implement new IT projects, such as Agile, DevOps, Waterfall, or a hybrid of such methods.

Question 39

COBIT design factors Risk profile

Answer 39

described as a profile addressing current risk exposure for the organization and maps out which risks exceed the organization's risk appetite

Question 40

IT system that is not critical core operation but is INNOVATIVE=

Answer 40

TURNAROUND KEY= le da la vuelta con la inovacion... Y entonces me deara la media vuleta (luis miguel es inovador)