Midterm
The United States Department of Homeland Security defines how many critical infrastructure sectors?
16
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Maintain the assessment.
Which of the following is not one of the three levels NIST defines within an organization that should coordinate the framework implementation and a common flow of information?
Management
The NIST Cybersecurity Framework (CSF) Reference Tool can run in which of the following operating systems?
Microsoft Windows and Apple Mac OS-X
Which of the following is the leading membership organization for Boards and Directors in the U.S.?
NACD
Which of the following refers to those responsible for implementing, maintaining, and monitoring safeguards and systems?
Network engineers; System administrators; Webmasters
Which of the following federal legislations, also known as the Financial Modernization Act of 1999, was created to reform and modernize the banking industry by eliminating existing barriers between banking and commerce?
GLBA
Which of the following refers to the process of managing, directing, controlling, and influencing organizational decisions, actions, and behaviors?
Governance
The ISO 27002 standard has its origins in which of the following countries?
Great Britain
Which of the following is the topmost object in the policy hierarchy?
Guiding Principles
In the NIST Cybersecurity Framework, which governance subcategory references legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations?
ID.GV-3
Which of the following is a network of the national standards institutes of more than 160 countries?
ISO
Which function defined in the NIST Cybersecurity Framework Core includes the categories and subcategories that define what processes and assets need protection?
Identify
Which of the following is the objective of risk assessment?
Identify the inherent risk; Determine the impact of a threat; Calculate the likelihood of a threat occurrence
Which of the following is the magnitude of harm?
Impact
Which of the following is the last step in NIST's recommended steps to establish or improve a cybersecurity program?
Implement the action plan
Which key task in the policy adoption phase is the busiest and most challenging task of all?
Implementation
Which of the following refers to the level of risk before security measures are applied?
Inherent Risk
Which of the following best describes a procedure?
Instructions on how a policy is carried out
Which of the following statements about the NIST Cybersecurity Framework is not true?
It is intended to replace an organization's existing risk management process and cybersecurity program.
Which of the following statements best describes risk transfer?
It shifts a portion of the risk responsibility or liability to other organizations.
Which of the following statements about the NIST Cybersecurity Framework is true?
It was created in the U.S. and is also used outside of the U.S.
Which of the following is another term for statutory law?
Legislation
Which of the following is one of the ten plain language techniques for policy writing?
Limit a paragraph to one subject.
Which of the following risk assessment methodologies was originally developed by CERT?
OCTAVE
Which of the following is not an example of a standard?
Pass phrases make good passwords.
Which layer in the defense-in-depth strategy includes firewalls, IDS/IPS devices, segmentation, and VLANs?
Perimeter security
Which of the following refers to directives that codify organizational requirements?
Policies
Which of the following is the seminal tool used to protect both our critical infrastructure and our individual liberties?
Policy
Which of the following identifies a policy by name and provides the reader with an overview of the policy topic or category?
Policy heading
Which of the following refers to the relationship between a policy and its supporting documents?
Policy hierarchy
Which of the following is best thought of as a high-level directive or strategic roadmap?
Policy statement
Which part of the NIST Cybersecurity Framework provides guidance to allow organizations to analyze cybersecurity risk and to enhance their processes to manage such risk?
The Framework Tiers
Which of the following best describes residual risk?
The level of risk after security measures are applied
Which of the following best describes the accounting key information security principle?
The logging of access and usage of information resources
Endorsed is one of the seven policy characteristics. Which of the following statements best describes endorsed?
The policy is supported by management.
Which of the following best describes the accountability key information security principle?
The process of tracing actions to their source
What is the purpose of the policy exceptions section of a policy document?
To acknowledge exclusions
What is the purpose of the policy definition section?
To explain terms, abbreviations, and acronyms used in the policy
What is the purpose of the administrative notations section of a policy?
To refer the reader to additional information
Which of the following can achieve authentication in information security?
Tokens
The NIST Cybersecurity Framework was developed by which of the following?
U.S. government; Corporations; Individuals
Which of the following is not one of the plain language techniques for policy writing?
Use "shall" instead of "must."
Which key task in the policy development phase requires the authors to consult with internal and external experts, including legal counsel, human resources, compliance, cybersecurity and technology professionals, auditors, and regulators?
Vetting
Which part of the NIST Cybersecurity Framework is designed to help organizations view and understand the characteristics of their approach to managing cybersecurity risk?
The Framework Tiers
Which of the following statements best describes NIST?
A nonregulatory federal agency that develops and promotes standards
At which of the following states of the CMM scale are there no documented policies and processes?
Ad hoc
In the NIST Cybersecurity Framework Tiers, which of the following Framework Implementation Tiers is labeled Tier 4?
Adaptive
Which of the following is not a supported export file format for current viewed data in the NIST CSF Reference Tool?
Adobe PDF files
Policy implementation and enforcement are part of which of the following phases of the cybersecurity policy life cycle?
Adopt
Which of the following statements is not true?
All guiding principles and corporate cultures are good.
How often should policies be reviewed?
Annually
Which of the following best describes a baseline?
Application of a standard to a specific category or grouping
Where is the policy introduction located in a consolidated policy document?
At the beginning of the document
Where are the policy definitions located in a consolidated policy document?
At the end of the document
Which of the following key information security principles grants users and systems a predetermined level of access to information resources?
Authorization
Which of the following is not one of the "Five A's" of information security?
Availability
Which of the following statements about policies and standards is true?
Both policies and standards are mandatory.
Which category in the Identify function of the NIST Cybersecurity Framework Core addresses the need for an organization's mission, objectives, stakeholders, and activities to be comprehended and prioritized?
Business Environment
Which of the following is an example of an information asset?
Business plans; Employee records; Company reputation
The NIST CSF Reference Tool provides a way for you to browse the Framework Core by which of the following?
Categories; Functions; Informative references
CVSS is short for which of the following?
Common Vulnerability Scoring System
Which of the following is not one of the tasks of the policy development phase?
Communicate
Which of the following elements ensures a policy is enforceable?
Compliance can be measured. Appropriate sanctions are applied when the policy is violated. Appropriate administrative, technical, and physical controls are put in place to support the policy.
Which of the following is a characteristic of the silo-based approach to cybersecurity?
Compliance is discretionary. Security is the responsibility of the IT department. Little or no organizational accountability exists.
Which of the following refers to the requirement that private or confidential information not be disclosed to unauthorized individuals?
Confidentiality
Which of the following is an example of a security mechanism designed to preserve confidentiality?
Controlled traffic routing; Logical and physical access controls; Database views
Which of the following can be defined as the shared attitudes, goals, and practices that characterize a company, corporation, or institution?
Corporate culture
Which of the following is a systematic, evidence-based evaluation of how well an organization conforms to such established criteria as Board-approved policies, regulatory requirements, and internationally recognized standards, such as the ISO 27000 series?
Cybersecurity audit
Which category in the Protect function of the NIST Cybersecurity Framework Core provides guidance around data management practices in order to protect the confidentiality, integrity, and availability of such data?
Data Security
Which of the following is the correct order of the policy life cycle?
Develop, publish, adopt, review
Which major regulation within the European Union (EU) was created to maintain a single standard for data protection among all member states in the EU?
EU General Data Protection Regulation (GDPR)
FERPA protects which of the following?
Educational records
Which of the following provides a model for understanding, analyzing, and quantifying information risk in quantitative financial and business terms?
FAIR
Which of the following is the official publication series for NIST standards and guidelines?
FIPS
Which of the following is a monitoring control that safeguards against the loss of integrity?
File integrity monitoring
Which of the following procedure formats is best suited when there is a decision-making process associated with a task?
Flowchart
Which of the following is the first step in NIST's recommended steps to establish or improve a cybersecurity program?
Prioritize and scope
Which function defined in the NIST Cybersecurity Framework Core provides guidance on how to recover normal operations after a cybersecurity incident?
Recover
Which of the following risks relates to negative public opinion?
Reputational risk
Which of the following is the outcome of policy review?
Retirement or reauthorization
Which of the following statements best describes strategic risk?
Risk that relates to adverse business decisions
Which of the following refers to how much of the undesirable outcome a risk taker is willing to accept in exchange for the potential benefit?
Risk tolerance
In the NIST Cybersecurity Framework Tiers, which of the following Framework Implementation Tiers is labeled Tier 2?
Risk-Informed
File integrity monitoring
Rotation of duties
Which of the following is a collective term given to guidance on topics related to information systems security, predominantly regarding the planning, implementing, managing, and auditing of overall information security practices?
Security framework
Which of the following NIST publications focuses on cybersecurity practices and guidelines?
Special Publication 1800 series
Which of the following statements about standards and guidelines is true?
Standards are mandatory, whereas guidelines are not.
NIST's Cybersecurity Framework is divided into three parts, including all but which of the following?
The Framework Outcomes
Which part of the NIST Cybersecurity Framework is designed to help an organization align its cybersecurity undertakings with business requirements, risk tolerances, and resources?
The Framework Profiles
A(n) __________ or waiver process is required for exceptions identified after a policy has been authorized.
exemption
The two approaches to cybersecurity are silo-based and __________.
operational
NIST created a(n) __________ that allows you to start reviewing and documenting each of the framework's functions, categories, subcategories, and informative references.
spreadsheet