Domain 3

Question 1

What is the purpose of the NIST RMF SELECT step?

Answer 1

The purpose of the Select step is to:
- select,
- tailor
- document

the controls necessary to protect the information system and organization commensurate with risk to:
- organizational operations,
- assets,
- individuals,
- other organizations,
- and the Nation.*

NIST 800-37

Question 2

What is the purpose of the NIST RMF Categorize step?

Answer 2

In Step 2 (Categorize) of the Risk Management Framework, the organization determines the value of the system to the organization’s mission (Categorization).

Simultaneously, the level of Confidentiality required for the system and its information Classification will be established.

Question 3

What two decisions inform the NIST RMF Select step?

Answer 3

• Categorization
  (value of the asset)
• Classification
  (confidentiality required)

Question 4

Different frameworks have different terminology for various control types:

What term uses the NIST Risk Management Framework?

Answer 4

The NIST RMF prefers the term operational controls.

Question 5

What kind of controls does the ISACA COBIT framework recognize?

Answer 5

The ISACA COBIT framework recognizeses:

• administrative
• technical
• management
• legal
  forms of control.

Question 6

What does the selection and approval of security and privacy controls require?

Answer 6

The selection and approval of security and privacy controls requires an understanding of:
- what a control is,
- what it is designed to do,
and what policy decisions shape the controls environment.

Question 7

By what are the resulting controls decisions are shaped or influenced by?

Answer 7

The resulting controls decisions are shaped by a variety of influences, including:
- statutory or regulatory obligations,
- organizational security or privacy policies
- the organizations risk management practices
- existing controls
- system capabilities
- contractual requirements

associated with the operation of the system, and other factors.

Question 8

Many influences shape the control decisions process (e.g.
- statutory or regulatory obligations,
- organizational security or privacy policies
- the organizations risk management practices
- existing controls
- system capabilities
- contractual requirements)

What is required from the security professionals to make such a decision?

Answer 8

Such a diverse group of influences requires security professionals to fully understand the business context in which the system operates to ensure the control suite is appropriate for, and effective at, security the system from compromise.

Question 9

What kind of information help you define the control objectives?

Answer 9

The categorization and classification inputs help the organization define the control objectives, which state the desired outcomes expected from the proper implementation of the control.

Question 10

What does the control objective define?

Answer 10

Thus, a control is a mechanism through which the desired result is accomplished.

There is no point in having a control without a control objective - the control objective defines the value of the control to the system or organization.

Question 11

What 3 major types of controls exist according to NIST RMF

Answer 11

Types of controls might include:
- physical
- technical
- administrative actions

Question 12

What is are physical controls?

Answer 12

Physical controls are designed to shape the individual’s access to:

• space
• system
• environments

or to address the effects of environmental hazards on information system’s operations.

Typical physical controls include:

• Doors & Locks
• mantraps
• turnstiles
• bollards
• physical and the physical characteristics of buildings and environments (e.g.
  reinforced concrete
  site selection).

Question 13

Name some examples for physical controls.

Answer 13

Typical physical controls include:

• Doors & Locks
• mantraps
• turnstiles
• bollards
• physical and the physical characteristics of buildings and environments (e.g.
  reinforced concrete
  site selection).

Question 14

What are technical controls?

Answer 14

Technical controls are applied to an information system through mechanisms contained in the:

• hardware
• software
• or firmware

components of the system.

These include:
- identity and access management tools,
- cryptographic algorithms,
- parity mechanisms to identify Integrity errors in information,
- and other system configurations and capabilities.

Question 15

Name some examples for technical controls.

Answer 15

These include:
- identity and access management tools,
- cryptographic algorithms,
- parity mechanisms to identify Integrity errors in information,
- and other system configurations and capabilities.

Question 16

What are adminstrative controls?

Answer 16

Administrative controls provide direction to people to properly:
- manage,
- operate,
- and use a system.

Policies, instructions, standards, procedure manuals, and signage are only a few of the many different forms of administrative controls organizations use to shape the risk of system operation.

Question 17

Name some examples for administrative controls.

Answer 17

• Policies,
• instructions,
• standards,
• procedure manuals,
• and signage

are only a few of the many different forms of administrative controls organizations use to shape the risk of system operation.

Question 18

Controls can be also divided into seven categories. Name those 7 control cateogries.

Answer 18

In practice, a single control may span several categories.

• Directive controls
• Deterrent controls
• Preventive controls
• Detective controls
• Corrective controls
• Recovery controls
• Compensating controls

Question 19

What is are directive controls?

Answer 19

Directive controls. These are generally administrative in nature, providing guidance to the people operating the system.

Directive controls are established before the risk event. In their execution, the actions they direct may become the:
- detective
- corrective
- recovery

controls discussed below.

Question 20

What is are deterrent controls?

Answer 20

Deterrent controls. These change the risk/reward calculation of the [[Threat|threat actor]]. Some consequence will be advertised to the human threat actor, which will cause them to reassess whether to cause harm to the system.

Deterrent controls must exist before the threat event happens. If the risk event happens before the control exists, the use of this control is irrelevant.

• A deterrent control aims to discourage potential attackers or unauthorized users from engaging in malicious activity by making the consequences clear or by creating the perception of a high likelihood of detection and punishment.
• It’s more about discouraging harmful actions rather than stopping them outright.

Question 21

What is are preventive controls?

Answer 21

Preventive controls. These are any other controls implemented before the risk event that change the likelihood or consequence of the risk event.

These controls are designed to proactively identify and mitigate potential threats, thus reducing the chance of the risk event happening or diminishing its effect should it occur.

• A preventive control is designed to stop security incidents from occurring in the first place by blocking or limiting certain actions or behaviors.
• It works proactively to prevent harm before it happens.

Question 22

What is are detective controls?**

Answer 22

Detective controls. These identify that the risk event has occurred. As described, the decision to implement a control is different from that of identifying a risk event.

So, a policy might direct the use of an intrusion detection system (IDS), but the actual IDS and its operation is a detective control.

A detective control uses a sensor to communicate with a controller to determine whether an acceptable tolerance has been exceeded.

If it has, an enunciator generates an alarm. It is the job of the detective control to simply identify and announce the out-of-normal-state.

Once a detective control has identified the risk event, controls that affect the likelihood of the risk event have failed.

Question 23

What is are corrective controls?

Answer 23

Corrective controls. These limit further damage from the risk event.
Corrective controls might be a manual process or could be automatic actions performed by a system to limit the impact of the risk event.

Regardless of the form they take, a corrective control’s focus is on the harm from the event.

Question 24

What is are recovery controls?

Answer 24

Recovery controls. These return the system to an acceptable state of operation.
These may be the actions taken to execute a directive control (e.g. implementing a business continuity plan), or they may be automatic system actions that restore normal operation to an out-of-normal condition.

They are informed by the detective controls] without which they cannot operate effectively.

As with detective and corrective controls, recovery controls are only relevant to the risk event after it has occurred.

Question 25

What is are **compensating controls**?

Answer 25

**Compensating controls**. These may be relevant before or after the **threat event**. These controls will either augment the primary control to achieve the needed risk reduction level or take over for the primary control if it fails. Compensating controls may be associated with any other control category.

Question 26

Name examples of **directive controls**.

Answer 26

Examples - Security Policies - Training and Awareness Programs - Standard Operating Procedures (SOPs) - Security Guidelines and Best Practices - Regulatory Compliance Requirements

Question 27

Name examples of **deterrent controls**.

Answer 27

Example: - Visible security cameras - warning signs that tell people they are being monitored.

Question 28

Name examples of **preventive controls**.

Answer 28

Example: - Firewalls, - access control systems, - and encryption they actively block unauthorized access or harmful actions.

Question 29

Name examples of **detective controls**.

Answer 29

Examples - Intrusion Detection Systems (IDS) - Security Information and Event Management (SIEM) - Audit Logs - File Integrity Checkers - CCTV - Vulnerability Scanning - User Activity Monitoring

Question 30

Name examples of **corrective controls**.

Answer 30

Examples - Incident Response Plans - Patch Management - Access Control Adjustments - Restoration of Backups - Reconfiguration of Systems - User Education and Re-Training - Network Segmentation - Strengthening Firewalls or Security Controls

Question 31

Name examples of **recovery controls**.

Answer 31

Examples - Data Backups and Restoration - Disaster Recovery Plans (DRP) - Business Continuity Plans (BCP) - Failover Systems - Cloud-based Disaster Recovery - Hot/Cold/Warm Sites - Redundancy and Load Balancing - Alternate Work Locations - System and Application Recovery - Testing and Drills

Question 32

Name examples of **compensating controls**.

Answer 32

Examples - Multi-Factor Authentication (MFA) - Increased Monitoring and Logging - Manual Access Control Procedures - Use of Encryption on Backup Media - Virtual Private Network (VPN) for Remote Access - Physical Security for High-Risk Areas - Regular Security Audits - Manual Data Review Processes - Third-Party Security Services - Contractual Agreements and Audits for Vendors

Question 33

What do traditional information security models use to create a controls matrix for a control objective?

Answer 33

Traditional information security models use the three control types and seven control categories to create a controls matrix for a control objective.

Question 34

What is a **control matrix** for a **control objective?**

Answer 34

This matrix is useful for auditing and monitoring the proper operation of the system. The matrix also helps organizations evaluate the risks of single points of failure in the control environment, as it documents the defense in depth used to achieve a control objective. To be effective in achieving the control objective, a control must: - be implemented as designed - operate as expected - achieve the desired result

Question 35

What is necessary to determine whether the **control objective** is achieved?

Answer 35

Without effective controls assessment and monitoring, it is not possible to determine whether the control objective is achieved.