1.S1 M1 - National Institute of Standards and Technology Framework:
2.NIST: -National Institute of Standards and Technology
-Established in 1901 to promote research capabilities
- Improved in 1995 to include cybersecurity
3.Three Standardized Frameworks from NIST: 1) NIST Cybersecurity Framework (CSF)
2) NIST Privacy Framework
3) NIST SP 800-53 - Security and Privacy Controls
4.NIST Cybersecurity Framework Components: a) Framework Core
b) Framework Implementation Tiers
c) Framework Profile
5.a) Framework Core: -IDENTIFY: keep record of assets, system users, all systems
-PROTECT: deploy safeguards, regular updates, backups
-DETECT: detect active cyber security attacks, monitor network
-RESPOND: contain cybersecurity event, react, notify affected parties
-RECOVER: support restoration, restore files
*5 functions, 23 categories, 108 subcategories
6.b) Implementation Tiers: -benchmark identifying the degree to which information security practices are integrated throughout an organization
-Tier 1: partial
-Tier 2: risk-informed
-Tier 3: repeatable
-Tier 4: adaptive
Based On:
-RM Process
-RM Program Integration
-External Participation
7.Tier 1 - partial: -ad hoc, no formal process
-inconsistent actions
8.Tier 2 - risk informed: -growing company, management approves cybersecurity efforts
-cybersecurity is isolated from risk management
-awareness, but no consistent response to risk
9.Tier 3 - repeatable: -formal, documented policies
-cybersecurity integrated into planning and regularly communicated
10.Tier 4 - adaptive: -responsive to evolving threats
-organization wide
11.c) Framework Profiles: -mechanisms by which NIST recommends companies measure cybersecurity risk and how to minimize risk
-current profile: current state of organizational risk management
-target profile: desired future state of organizational risk management
*gap analysis: differences between current and desired state
12.2. NIST Privacy Framework: -framework on data protection
-developed to be industry agnostic
-overlap with NIST Cybersecurity Framework
13.Components of NIST Privacy Framework: -Identify: privacy risks related to data processing
-Govern: governance structure (new)
-Control: management structure (new)
-Communicate: dialogue around privacy risks (new)
-Protect: safeguards
-Detect: discovering privacy risks
-Respond: reacting to privacy breach
-Recover: continuing business after privacy breach
14.Privacy Framework Tiers: identical to NIST CSF Tiers
-Tier 1: partial
-Tier 2: risk-informed
-Tier 3: repeatable
-Tier 4: adaptive
Based On:
-RM Process
-RM Program Integration
-External Participation
-Workforce
15.SP 800-53: -NIST Security and Privacy Controls
-applicable to all information systems but STANDARD for federal information security systems
-stricter standards and less cost effective
-well defined security and privacy requirements
-use of trustworthy information system components