Exam (elaborations)

IT Infrastructure and Governance Frameworks Review Questions with complete Solutions Graded A+

Pages: 6
Grade: A+
Uploaded on: 11-10-2024
Written in: 2024/2025

Cybersecurity framework (CSF) - Answers Developing a set of plain language controls for the protection of critical IT infrastructure. The focus of the framework core is to develop a program to identify, assess, and manage cybersecurity risks in a cost-effective and repeatable manner.

Framework Core - Answers Involves identifying assets, system users, information processes, operations, and all systems used; protecting by deploying safeguards, access controls, performing regular updates and data backups, and having plans for disposing of files or unused data; detecting active cybersecurity attacks, monitoring network access points, user devices, unauthorized personnel access, and high-risk employee behavior or the use of high-risk devices; responding with policies to contain cybersecurity events, react using planned responses that mitigate losses, and notify all parties affected; and recovering by supporting the restoration of a company's network to normal operations, restoring backup files or environments, and positioning employees to rebound with the proper response.

Framework Tiers - Answers Measure an organization's information security sophistication and act as a benchmark, not a means of implementing. Includes Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable), and Tier 4 (Adaptive).

Privacy Framework - Answers Involves identifying privacy risks related to data processing activities, establishing governance and management structures, driving dialogue around privacy risks, implementing safeguards, detecting data privacy risks and events, responding to data privacy events, and recovering business operations after data privacy events.

Security and Privacy Controls (SP 800-53) - Answers A strict standard with nearly 1,200 detailed controls designed to protect against sophisticated threats. Applicable to all federal information systems, providing a stricter standard than NIST CSF or Privacy Frameworks. Implementation can be costly and burdensome.

HIPAA - Answers Governs the privacy of protected health information (PHI) and applies to covered entities like healthcare providers, health plans, health care clearinghouses, and service providers. It mandates safeguards for electronic PHI, including confidentiality, integrity, availability, protection against threats, impermissible uses or disclosures, and compliance by the covered entity's workforce.

GDPR - Answers General Data Protection Regulation is one of the strictest privacy laws globally, providing circumstances for lawful data processing, applying to data processors based in the EU, even if processing occurs outside the EU, and to those not based in the EU but offering goods/services to or monitoring individuals in the EU. It is based on six principles including lawfulness, fairness, transparency, and purpose limitation.

Data Minimization - Answers Process only necessary data for the purpose

Accuracy - Answers Ensure data is precise and regularly updated

Storage Limitation - Answers Store data only for necessary periods

Integrity and Confidentiality - Answers Secure data against unauthorized access or loss

PCI DSS - Answers Payment Card Industry Security Standard

Network Security Controls - Answers Maintain secure network and system configurations

Secure Configurations - Answers Apply safe settings to system components

Vulnerability Management Program - Answers Protect systems from malicious software

Access Control Measures - Answers Restrict system access based on necessity

Physical Access Restriction - Answers Limit physical access to sensitive data

Network Monitoring - Answers Track and review system activity for anomalies

Information Security Policy - Answers Support security with organizational guidelines

Cryptography - Answers Convert data into unreadable format for security

Multifactor Authentication - Answers Use multiple verification methods for access

Penetration Testing - Answers Regularly test for system vulnerabilities

PCI DSS Requirements - Answers Specific actions to meet security standards

Data Encryption - Answers Secure data during transmission over networks

Software Security Development - Answers Create secure software systems

Unique User ID - Answers Assign distinct identifiers for system access

Network Segmentation - Answers Divide networks to control traffic flow

External Vulnerability Scanning - Answers Regularly scan for system weaknesses

Data Classification - Answers Categorize data based on sensitivity levels

Cybersecurity Controls - Answers Actions to enhance defense against cyber threats

Security Baseline Configuration - Answers Establish secure settings for enterprise assets

Account Management Best Practices - Answers Manage user credentials and authorizations effectively

Default Settings - Answers Preconfigured settings that may have vulnerabilities

Security Hardening - Answers Enhancing security measures to protect networks and devices

Firewalls - Answers Security systems that monitor and control incoming/outgoing network traffic

Intrusion Detection/Prevention Systems - Answers Tools to detect and block potential security threats

Data Loss Prevention (DLP) Systems - Answers Systems to prevent unauthorized access and data leaks

Mobile Device Management (MDM) Software - Answers Software to secure and manage mobile devices within a network

Single Sign-On (SSO) - Answers Authentication method for users to access multiple applications with one login

Multi-Factor Authentication (MFA) - Answers Security process requiring multiple forms of verification to access systems

Access Control Management - Answers Specifying user account access levels based on job roles

Least Privilege - Answers Assigning minimal access rights necessary for job functions

Continuous Vulnerability Management - Answers Identifying and addressing vulnerabilities in infrastructure

Audit Log Management - Answers Recording and monitoring system events for security purposes

Email and Web Browser Protections - Answers Measures to detect and prevent cybercrime via email and internet

Malware Defenses - Answers Strategies to prevent malware installation and spread

Data Recovery - Answers Processes to restore data to a pre-incident state

Network Infrastructure Management - Answers Managing and securing a company's network devices

Network Monitoring and Defense - Answers Continuously monitoring and defending network against security threats

Denial of Service (DoS) - Answers Overloading a network to render it unusable

Ransomware - Answers Malware that blocks system access and demands payment

Institution: IT Infrastructure
Course: IT Infrastructure

