NIST CSF Flashcards

(48 cards)

1
Q

What are the different Tiers?

A
  1. ) Partial
  2. ) Risk Informed
  3. ) Repeatable
  4. ) Adaptive
2
Q

What are the three cybersecurity management practice areas being measured under the different Tiers?

A
  1. ) Risk Management Process
  2. ) Integrated Risk Management Program
  3. ) External Participation
3
Q

What does Risk Management Process mean?

A

The functionality and repeatability of the cybersecurity risk management
- How much is the organization involved in the risk management process?

4
Q

What does Integrated Risk Management Program mean?

A

The extent to which cybersecurity is considered in broader risk management decisions
- How well is cybersecurity risk integrated into the overall business risk of the organization? How much is cybersecurity considered in overall risk management?

5
Q

What does External Participation mean?

A

The degree to which the organization: 1. monitors and manages supply chain risk, and 2. benefits by sharing or receiving information from external parties
- How well does the organization coordinate, collaborate, and share information back and forth with other organizations?

6
Q

What is a Profile?

A

A particular customization of the CSF Core for an organization or sector based on their unique requirements

7
Q

What are the three main inputs that determine a CSF Profile?

A
  1. ) Business Objectives
  2. ) Security Requirements
  3. ) Technical Environment
8
Q

If the CSF is an overall cybersecurity management model, then what is the RMF?

A

It falls under CSF for Risk Management, which has “tasks” that link back to CSF functions

9
Q

What are some of the most comparable frameworks to the CSF?

A
  • CIS (Center for Internet Security) CSC
  • COBIT 5
  • ISA
  • ISO/IEC
  • NIST SP 800-53
10
Q

What are the 5 CSF Functions?

A
  1. ) Identify (ID)
  2. ) Protect (PR)
  3. ) Detect (DE)
  4. ) Respond (RS)
  5. ) Recover (RC)
11
Q

For ID, the organization must identify what?

A
  • Systems and data
  • Critical business processes that depend on those systems and data
  • The weaknesses and strengths associated with those systems
  • All resources (people, technology, money, equipment, facilities)
  • Vulnerabilities, threats, likelihood, impact, frequency, and overall risk
  • Governance (laws, regulations, etc.)
12
Q

What are the categories under the Identify (ID) Function?

A
  1. ) Asset Management (ID.AM)
  2. ) Business Environment (ID.BE)
  3. ) Governance (ID.GV)
  4. ) Risk Assessment (ID.RA)
  5. ) Risk Management Strategy (ID.RM)
  6. ) Supply Chain Risk Management (ID.SC)
13
Q

How many subcategories support the 6 categories within the Identify Function?

A

29

14
Q

What does the Protect (PR) Function focus on?

A
  • Ensuring strong authentication and access control
  • Protecting data
  • Secure maintenance of assets
  • Securing people (security clearances, user authorization, etc.)
  • Sound policies and procedures
  • Ensuring the right administrative, technical, and physical controls are in place
15
Q

What are the categories under the Protect (PR) Function?

A
  1. ) Identity Management, Authentication, Access Control (PR.AC)
  2. ) Awareness and Training (PR.AT)
  3. ) Data Security (PR.DS)
  4. ) Information Protection Processes and Procedures (PR.IP)
  5. ) Maintenance (PR.MA)
  6. ) Protective Technology (PR.PT)
16
Q

How many subcategories support the 6 categories within the Protect Function?

A

39

17
Q

What is the purpose of the “Informative References” portion of the CSF?

A

Maps the subcategory to other frameworks and controls that tell you how to actually do the subcategory (action)

18
Q

What does the Detect (DE) Function focus on?

A
  • Focuses on detection processes and technologies
  • Looks for anomalies and unusual events
  • Ensures continuous security and risk monitoring
19
Q

What are the categories under the Detect (DE) Function?

A
  1. ) Anomalies and Events (DE.AE)
  2. ) Security Continuous Monitoring (DE.CM)
  3. ) Detection Processes (DE.DP)
20
Q

How many subcategories support the 3 categories within the Detect Function?

21
Q

What does the Respond (RS) Function focus on?

A
  • Planning for incident and contingency response
  • Ensuring the robustness of incident communications
  • Analyzing the root causes of incidents
  • Mitigating damage to systems, data, equipment, facilities, and people
  • Improving the overall contingency planning and response processes
22
Q

What are the categories under the Respond (RS) Function?

A
  1. ) Response Planning (RS.RP)
  2. ) Communications (RS.CO)
  3. ) Analysis (RS.AN)
  4. ) Mitigation (RS.MI)
  5. ) Improvements (RS.IM)
23
Q

How many subcategories support the 5 categories within the Respond Function?

24
Q

What does the Recover (RC) Function focus on?

A
  • Business continuity, incident recovery, and disaster recovery planning
  • Maintaining communications during the recovery process
  • Improving the recovery effort
25
Q

What are the categories under the Recover (RC) Function?

A
  1. ) Recovery Planning (RC.RP)
  2. ) Improvements (RC.IM)
  3. ) Communications (RC.CO)
26
Q

How many subcategories support the 3 categories within the Recover Function?

A

6

27
Q

What is a Tier?

A

The degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework

28
Q

What is the purpose of Tiers?

A

They're used to measure how well the organization implements different aspects of the CSF, the three cybersecurity management practice areas

29
Q

What is Tier 1?

A

Partial

30
Q

What is Tier 2?

A

Risk-Informed

31
Q

What is Tier 3?

A

Repeatable

32
Q

What is Tier 4?

A

Adaptive

33
Q

What are the CSF Tiers NOT?

A
They're not:
  • A maturity model
  • The same as the RMF Tiers
34
Q

What is the RMF Three-Tier Risk Model composed of?

A
  1. ) Organizational
  2. ) Mission/Business Process
  3. ) Information System
They don't measure anything
35
Q

What does the "Organization" RMF Risk Tier cover?

A

Higher-level management processes and overarching risk

36
Q

What does the "Mission/Business Process" RMF Risk Tier cover?

A

Risk associated with processes used across the organization

37
Q

What does the "Information System" RMF Risk Tier cover?

A

Risk associated with a particular system or systems

38
Q

How can you explain the measuring differences between CSF Tiers vs. Maturity Models vs. RMF Risk Tiers?

A
  • CSF Tiers measure level of effort
  • Maturity Models measure repeatability and definability of processes geared towards that effort
  • RMF Risk Tiers measure nothing at all; they are different cross sections of the organization
39
Q

What are characteristics of CSF Profiles?

A
  • They align Functions, Categories, and Subcategories with mission/business requirements, risk, and resources
  • They allow organizations to establish a unique roadmap to cybersecurity based on their needs
  • They describe both current and target states of the organization in terms of cybersecurity posture
40
Q

For CSF Profiles, what are the inputs combined with to create the Profile output?

A

Inputs (Business Objectives, Risk, and Technical Environment) + Functions, Categories, Subcategories = Output (CSF Profile)

41
Q

How many CSF Subcategories are there in total?

A

108

42
Q

How does an organization identify assets and risks?

A
  • Make a physical inventory of all assets
  • Perform a mission analysis
  • Perform a business impact assessment
  • Perform a comprehensive risk assessment
43
Q

How does an organization protect their assets?

A
  • Ensure users are trained on how to protect sensitive data (periodic security training, user agreements and consequences, personnel security processes)
  • Test protection mechanisms (vulnerability assessments, penetration testing, risk assessments)
44
Q

How does an organization effectively detect?

A
  • Assume a state of breach
  • Implement detection controls at multiple layers (perimeter, interior systems and data, people)
  • Be able to detect both unusual and normal events
  • Be able to filter useful information from "noise"
  • Employ the right people for detection (who know what to look for)
  • Continuously monitor for anomalies and risk
  • Use multiple types of controls (physical, technical, operational like following procedure)
45
Q

How does an organization set up response capabilities?

A
  • Develop incident response plans
  • Plan for quick, efficient, and accurate incident communications
  • Develop plans to mitigate damage to systems, data, equipment, facilities, and people
  • Become proficient at analyzing the root causes of incidents
  • Ensure a process to improve contingency planning and response processes is in place
  • Develop and retain qualified personnel for the response effort
  • Exercise response capabilities (IR = incident response)
  • Refine processes through risk analysis and lessons learned
46
Q

How does an organization implement recovery?

A
  • Develop, test, and maintain:
    1. ) Business Continuity
    2. ) Incident Recovery
    3. ) Disaster Recovery Plans
  • Ensure robust communications process during recovery
  • Capture lessons learned to improve recovery function
  • Select and train qualified people for recovery functions
47
Q

How do you create your own CSF Profile?

A
  • Develop your mission/business objectives
  • Determine risk
  • Determine governance (which laws are applicable)
  • Articulate with CSF subcategories
  • Produce controls and technical methods
48
Q

What are the factors of business continuity that matter for the Recovery Function?

A
  1. ) Critical process recovery
  2. ) Timeliness
  3. ) Redundant capabilities