Which of the following is a framework principle established by NIST as an initial framework consideration?
C
Explanation:
One of the framework principles established by NIST is to ensure that the framework is consistent and aligned with existing regulatory and legal requirements that are relevant to cybersecurity [1][2].
Reference: 1: Cybersecurity Framework | NIST; 2: Framework Documents | NIST
Which role will benefit MOST from a better understanding of the current cybersecurity posture by applying the CSF?
A
Explanation:
Executives will benefit most from a better understanding of the current cybersecurity posture gained by applying the CSF. This is because executives are responsible for setting the strategic direction, objectives, and priorities for the organization, as well as overseeing the allocation of resources and the management of risks [1]. By applying the CSF, executives can gain a comprehensive and consistent view of the cybersecurity risks and capabilities of the organization, and align them with the business goals and requirements [2]. The CSF can also help executives communicate and collaborate with other stakeholders, such as regulators, customers, suppliers, and partners, on cybersecurity issues [3].
Reference: 1: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA; 2: Cybersecurity Framework | NIST; 3: Framework Documents | NIST
When coordinating framework implementation, the business/process level collaborates with the implementation/operations level to:
B
Explanation:
According to the TM Forum's Business Process Framework (eTOM), the business/process level is responsible for defining the business strategy, objectives, and requirements, as well as monitoring and controlling the performance and quality of the processes [1]. The implementation/operations level is responsible for designing, developing, and executing the processes that deliver and support the services [1]. When coordinating framework implementation, these two levels collaborate to assess changes in current and future risks, such as market trends, customer expectations, regulatory compliance, security threats, and operational issues [2]. This helps them to align the processes with the business goals and outcomes, and to identify and mitigate any potential gaps or challenges [3].
Reference: 1: Process Framework (eTOM) - TM Forum; 2: Implement Dynamics 365 with a process-focused approach; 3: Operations Management Implementation - Smarter Solutions, Inc.
Which of the following COBIT 2019 governance principles corresponds to the CSF application stating that CSF profiles support flexibility in content and structure?
A
Explanation:
This principle corresponds to the CSF application stating that CSF profiles support flexibility in content and structure, because both emphasize the need for tailoring the governance system to the specific context and requirements of the enterprise [1][2]. The CSF profiles are based on the enterprise's business drivers, risk appetite, and current and target cybersecurity posture [3]. The COBIT 2019 design factors are a set of parameters that influence the design and operation of the governance system, such as enterprise strategy, size, culture, and regulatory environment [4].
Reference: 1: COBIT | Control Objectives for Information Technologies | ISACA; 2: COBIT 2019 Framework – ITSM Docs - ITSM Documents & Templates; 3: Framework Documents | NIST; 4: Introduction to COBIT Principles - Testprep Training Tutorials
Which of the following functions provides foundational activities for the effective use of the Cybersecurity Framework?
B
Explanation:
The Identify function provides foundational activities for the effective use of the Cybersecurity Framework, because it assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities [1][2]. This understanding enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs [1][2]. The Identify function includes outcome categories such as Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management [1][2].
Reference: 1: The Five Functions | NIST; 2: Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide
What does a CSF Informative Reference within the CSF Core provide?
C
Explanation:
A CSF Informative Reference within the CSF Core provides a citation to a related activity from another standard or guideline that can help an organization achieve the outcome described in a CSF Subcategory [1][2]. For example, the Informative Reference for ID.AM-1 (Physical devices and systems within the organization are inventoried) is COBIT 5 APO01.01, which states "Maintain an inventory of IT assets" [3].
Reference: 1: Informative Reference: What are they, and how are they used? | NIST; 2: Everything to Know About NIST CSF Informative Reference | Axio; 3: NIST Cybersecurity Framework v1.1 - CSF Tools - Identity Digital
Analysis is one of the categories within which of the following Core Functions?
A
Explanation:
Analysis is one of the six categories within the Detect function of the NIST Cybersecurity Framework. The Analysis category aims to identify the occurrence of a cybersecurity event by performing data aggregation, correlation, and analysis [1][2].
Reference: 1: The Five Functions | NIST; 2: Cybersecurity Framework Components | NIST
Which of the following is associated with the "Detect" core function of the NIST Cybersecurity Framework?
B
Explanation:
Anomalies and Events is one of the six categories within the Detect function of the NIST Cybersecurity Framework. The Anomalies and Events category aims to ensure that anomalous activity is detected in a timely manner and the potential impact of events is understood [1][2].
Reference: 1: The Five Functions | NIST; 2: Detect | NIST
Within the CSF Core structure, which type of capability can be implemented to help practitioners recognize potential or realized risk to enterprise assets?
C
Explanation:
The Detection capability is the type of capability within the CSF Core structure that can help practitioners recognize potential or realized risk to enterprise assets. The Detection capability consists of six categories that enable timely discovery of cybersecurity events, such as Anomalies and Events, Security Continuous Monitoring, and Detection Processes [1][2].
Reference: 1: The Five Functions | NIST; 2: Cybersecurity Framework | NIST
The CSF Implementation Tiers distinguish three fundamental dimensions of risk management to help enterprises evaluate which of the following?
A
Explanation:
The CSF Implementation Tiers distinguish three fundamental dimensions of risk management to help enterprises evaluate their cybersecurity posture, which is the alignment of their cybersecurity activities and outcomes with their business objectives and risk appetite [1][2]. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe the degree of rigor, integration, and collaboration of the organization's cybersecurity risk management practices [1][2].
Reference: 1: Cybersecurity Framework Components | NIST; 2: Cybersecurity Framework FAQs: Framework Components | NIST
What is the MOST important reason to compare framework profiles?
C
Explanation:
The most important reason to compare framework profiles is to identify gaps between the current and target state of cybersecurity activities and outcomes, and to prioritize the actions needed to address them [1][2]. Framework profiles are the alignment of the functions, categories, and subcategories of the NIST Cybersecurity Framework with the business requirements, risk tolerance, and resources of the organization [3]. By comparing the current profile (what is being achieved) and the target profile (what is needed), an organization can assess its cybersecurity posture and develop a roadmap for improvement [4].
Reference: 1: Cybersecurity Framework Components | NIST; 2: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA; 3: Examples of Framework Profiles | NIST; 4: Connecting COBIT 2019 to the NIST Cybersecurity Framework - ISACA
The goals cascade supports prioritization of management objectives based on:
C
Explanation:
The goals cascade is a mechanism that translates the stakeholder needs into specific, actionable, and customized goals at different levels of the enterprise [1][2]. The stakeholder needs are the drivers of the governance system and reflect the expectations and requirements of the internal and external parties that have an interest or influence on the enterprise [3][4]. The goals cascade supports the prioritization of management objectives based on the stakeholder needs, as well as the alignment of the enterprise goals, the alignment goals, and the governance and management objectives [1][2].
Reference: 1: COBIT 2019 Goals Cascade: A Blueprint for Success; 2: COBIT 2019 Framework – ITSM Docs - ITSM Documents & Templates; 3: COBIT | Control Objectives for Information Technologies | ISACA; 4: Aligning IT goals using the COBIT5 Goals Cascade
The seven high-level CSF steps generally align to which of the following in COBIT 2019?
A
Explanation:
The seven high-level CSF steps generally align to the high-level phases of the COBIT 2019 implementation guide, which are: What are the drivers?; Where are we now?; Where do we want to be?; What needs to be done?; How do we get there?; Did we get there?; and How do we keep the momentum going? [1][2]. These phases provide a structured approach for implementing a governance system using COBIT 2019, and can be mapped to the CSF steps of Prioritize and Scope, Orient, Create a Current Profile, Conduct a Risk Assessment, Create a Target Profile, Determine, Analyze and Prioritize Gaps, and Implement Action Plan [3][4].
Reference: 1: COBIT 2019 Implementation Guide; 2: COBIT 2019 Implementation - ISACA; 3: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA; 4: Review of Implementing the NIST Cybersecurity Framework Using COBIT 2019
Which of the following is the MOST important input for prioritizing resources during program initiation?
C
Explanation:
A business impact assessment (BIA) is the most important input for prioritizing resources during program initiation, because it helps to identify and evaluate the potential effects of disruptions to critical business functions and processes [1][2]. A BIA can help to determine the recovery objectives, priorities, and strategies for the program, as well as the resource requirements and dependencies [3][4].
Reference: 1: Business Impact Analysis | Ready.gov; 2: Business Impact Analysis - ISACA; 3: COBIT 2019 Implementation Guide; 4: COBIT 2019 Implementation - ISACA
Which CSF step corresponds to the COBIT objective of knowledge and understanding of enterprise goals?
A
Explanation:
This CSF step corresponds to the COBIT objective of knowledge and understanding of enterprise goals, because it involves identifying the business drivers, mission, objectives, and risk appetite of the organization, as well as the scope and boundaries of the cybersecurity program [1][2]. This step helps to ensure that the cybersecurity activities and outcomes are aligned with the enterprise goals and strategy [3][4].
Reference: 1: Cybersecurity Framework Components | NIST; 2: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA; 3: COBIT 2019 Design and Implementation - COBIT Implementation; 4: COBIT® 2019 Foundation | Skillsoft Global Knowledge