NIST-NSCP
Components of Competency
- Skills that produce consistent performance
- Knowledge to understand strategy or procedures
- Ability to transfer skills and knowledge across domains
Kotter's 8-Steps to Successful Change
1. Establish a sense of urgency
2. Form a powerful coalition
3. Create a vision
4. Communicate the vision
5. Empower others to act on the vision
6. Plan for and create short-term wins
7. Consolidate improvements and produce still more change
8. Institutionalize new approaches
Escalation Archetype
A structure composed of two balancing loops which interact in such a way as to create a single reinforcing loop through cooperation. An increase in the Results of A Relative to B influences additional Action by B. An increase in Action by B enhances B's Results. As B's Results increase, they tend to reduce the Results of A Relative to B. This reduction tends to influence more Action by A. Additional Action by A increases A's Results. The increase in A's Results then increases the Results of A Relative to B, and the cycle repeats.
CIS Control 16
Account Monitoring & Control
Organizational Agility - Principle Themes
Adaptable Organizational Structure: the ability to rapidly adjust the structure, combined with operating processes and functions, to adapt to changing market conditions. This capability starts at the top. It demands organizational leadership to reduce structure and process to enable the organization to respond rapidly and effectively. Similar to Operational Sustainability, it comes down to the balance between just enough structure and process to ensure stability while removing anything that may inhibit the ability to pivot and move as fast as necessary to seize market opportunities or respond to market risk.

Tactical Flexibility: Once a strategy is defined and communicated, the organization must be tactically flexible to exploit opportunities within the strategic boundaries without compromising the value contributed by the operational and business processes. Using the operational governance processes in a constructive manner, coupled with proper organizational taxonomy, provides the flexibility and autonomy to make rapid decisions.

Organic Leadership and Teaming: Autonomy leads to organic leadership and teaming. In this environment, self-forming leadership and teams are incredibly constructive because they operate in the open rather than in the shadows typical of a mechanistic organization focused on maturity models instead of value delivery. Organizational agility encourages risk-taking; leaders are not afraid to be vulnerable to their peers and subordinates.
What are adaptability statements?
Adaptive work is based on an unclear problem and solution, requiring new learning. Decisions should be at the lowest level possible to include the right institutional and operational knowledge.
What is the agile approach?
The agile approach is delivering value incrementally, rather than at the end of the project. Becoming agile is not about technology. Technology's implementation is a byproduct of agile work.
Risk Appetite
Amount of uncertainty an organization is willing to pursue or to accept to attain its risk management goals.
A risk assessment methodology is comprised of four aspects. Which of the following is NOT part of an assessment methodology? A. Assessment strategy B. Assessment approach C. Assessment process D. Risk model
Answer: A Rationale: A risk assessment methodology consists of an assessment process, risk model, assessment approach, and analysis approach. The latter two are formed by developing an assessment strategy but are not part of the methodology itself. Source: Risk Framing Components & Relationships
Adaptive work is defined as leading change when both the problem and the solution are unclear. Which of the following best describes the relationships that must exist? A. New learning is required to solve the problem and formulate a solution, which in turn helps to refine the understanding of both the problem and its potential solution B. New learning is required to solve the problem and formulate a solution C. A refined understanding of both problem and the solutions leads to learning D. In all cases, the problem must be totally understood before any possible solution can be formulated
Answer: A Rationale: Adaptive work is defined as leading change when both the problem and the solution are unclear, and all the participants require new learning. This avoids "analysis paralysis" where nothing gets done. Working in small increments enables an organization to deliver value and refine both its knowledge of the problem and the way the solution is crafted. Value is delivered faster. Source: Adaptive Approach Reduces Waste, Delivers Value
Many organizations have difficulty identifying assets, let alone assigning a value to them. Which of the following is true about asset value? A. The value of an asset isn't always measured in monetary terms B. The value of an asset is always measured in monetary terms C. International organizations value their assets in Bitcoin D. The US State Department values foreign assets
Answer: A Rationale: Assets come in many forms and are valued by more than their monetary costs. Value is most often based on the criticality of the asset in the delivery of business value. Source: Asset Value
An agile organization will develop an optimized rate of change that delivers and sustains the delivery of value. Which of the following is true? A. This rate of change is based on the establishment of a cadence that depends on the organizational carrying capacity. B. Agile organizations get more done with fewer resources much faster. C. Longer work increments ensure the maximum viable product is delivered at the end of each project D. This change rate is based on the establishment of a cadence dependent solely on user demand irrespective of resource requirements.
Answer: A Rationale: Carrying capacity is a term used to describe an optimal throughput based on a given set of resources. It dictates the cadence an organization can achieve with the efficient use of time and resources using an agile way of working. If the organization needs a faster cadence of delivery of value, then it must add the necessary resources to achieve it. Agile is not magic. Source: Optimized Rate of Change
Both the Identify and the Protect Functions share a common purpose in the identification of assets, understanding business objectives, governance structure, roles and responsibilities, and risk to operations. However, they differ in the context of that purpose. Which of the following best describes the context of each Function? A. Identify seeks understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Protect seeks the development of safeguards to protect critical infrastructure services. B. Identify seeks to develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Protect seeks the development of safeguards to protect critical infrastructure services. C. Identify seeks understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Protect seeks the development and implementation of activities to respond to a detected cybersecurity event. D. Identify seeks to develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Protect seeks the development and implementation of activities to respond to a detected cybersecurity event.
Answer: A Rationale: Identify is all about figuring out the digital assets you have and developing an understanding of what it will take to manage them. Protect addresses how to go about protecting those digital assets. Source: Two slides: Core Function Identify - Purpose, Goals & Objectives and Core Function Protect - Purpose Goals & Objectives
What do you do first? A. Adopt the framework and adapt B. Adapt the framework and adopt an information reference C. Adopt both framework and informative reference, adapt is a synonym D. Adopt is about management where adapt is about governance
Answer: A Rationale: NIST-CSF is a framework. You can't implement a framework; you can only adopt it. The framework ties back to informative references that can be selected and adapted to specific organizational needs. Source: Framework Categories, Subcategories, References
Which of the following would NOT be considered an objective of the Respond Function? A. Provide continuous monitoring B. Coordinate response activities with internal & external stakeholders C. Conduct analysis to ensure adequate response and support recovery activities D. Capture and use lessons learned from previous response activities.
Answer: A Rationale: Providing the capability to continually monitor for an incident falls under the Protect Function. Source: Core Function Protect, Goals & Objective
One of the objectives of the Respond Function addresses the need to keep stakeholders informed. Which of the following primarily addresses this objective? A. RS.CO - Communications B. RS.RP - Response Planning C. RC.CO - Communications D. RC.RP - Recovery Planning
Answer: A Rationale: RS.CO - Communication activities are coordinated with appropriate internal and external stakeholders, including external support from law enforcement agencies. Source: Respond: Framework Categories
Which of the following represents the Current Profile? A. The Current Profile is the "as-is state" characterized by the alignment of standards, guidelines, and practices to the Framework Core in an implementation scenario. B. The Current Profile is the Identify Core Function alignment of standards, guidelines, and practices in an implementation scenario. C. The Current Profile is the Protect Core Function alignment of standards, guidelines, and practices in an implementation scenario. D. The Current Profile is the "to-be state" characterized by the alignment of standards, guidelines, and practices to the Framework Core in an implementation scenario.
Answer: A Rationale: The Current Profile is the "as-is state" characterized by the alignment of standards, guidelines, and practices to the Framework Core in an implementation scenario. Source: Step-3: Create a Target Profile
Which of the following is true when thinking about informative references? a. The Informative References presented in the Framework Core are illustrative and not exhaustive. b. The Framework Core can be used to identify opportunities for new or revised standards. A. Both B. A only C. B only D. Neither
Answer: A Rationale: The Informative References presented in the Framework Core are illustrative and NOT exhaustive. They are based on cross-sector guidance most frequently referenced during the development of the Framework. The Framework is designed for flexibility as the informative references are updated and improved, as well as others that are perhaps better suited to an organizational need. Source: Two slides: Informative References and Tailor to Suit.
In the context of the organizational size adopting the NIST-CSF, which of the following is true? A. Any size, any sector B. Medium to large in critical sectors only C. Any size only within the critical sectors D. Medium size, only critical sectors
Answer: A Rationale: The NIST-CSF is for any sized organization regardless of whether it is part of the critical infrastructure. Source: The Framework is for Organizations
Functions, categories, and subcategories are articulated in which framework benefit? A. Low-cost cybersecurity B. Common language when discussing cybersecurity C. Better collaboration D. Improved compliance
Answer: A Rationale: The benefits that accrue to an adopting organization include optimized cost, based on rationalizing the organizational needs with available resources, which leads to lowering costs. Source: Benefits of Adopting NISTCSF
When thinking about cybersecurity key DX challenges, which of the following categories does NOT apply? A. Customers B. Business C. Management D. Workforce
Answer: A Rationale: The four key challenges are business, technology, management and workforce. Source: Cybersecurity: Key DX Challenges.
An organization should: A. Progress to higher tiers when it would reduce cybersecurity risk and be cost-effective B. Progress to a higher tier as soon as the new level has been reached and continue to Tier-4 C. Progress to a higher tier only when cost-effective D. Progress only when there is a gap in cybersecurity risk
Answer: A Rationale: The only imperative to move to a higher tier is when the need exists to close a cybersecurity gap AND it's cost-effective to do so. The framework helps organizations rationalize their needs and optimize the resources dedicated to cybersecurity. Source: Implementation Tier Objectives
A framework tier provides a look at the characteristics the organization demonstrates in its management of risk. It spans the range from partial to adaptive and describes the rigor of its practices. Which of the following is NOT one of the definition areas used to describe each of the characteristics of the four tiers? A. Cybersecurity Maturity Model adopted practices B. Integrated risk management program C. External participation D. Risk management processes
Answer: A Rationale: Tiers allow an organization to look at how it practices cybersecurity in three areas: risk management process (what does it have and what can it demonstrate it actually does); integrated risk management program (how broadly cybersecurity awareness is integrated into its processes); and external participation (how much does the organization participate in a larger cybersecurity community). Source: Introduction and Tier1: Partial
The NIST-CSF core is comprised of function, categories and subcategories. Which of the following are directly mapped to the informative references? A. 800-53 B. Subcategories C. Functions D. Categories
Answer: B Rationale: All of the informative references are mapped directly back to NIST-CSF subcategories. Source: Controls
The Implement/Improve Cycles use a systems thinking archetype called an escalation loop. This archetype shows the action of two reinforcing loops. Each loop interacts with the other to cause the other loop to seek a higher level of improvement. Which of the following statements is true? A. An escalation loop only works when both the assessment and the improvement loop seek different objectives B. The assessment loop identifies improvement opportunities (the gap), and the improvement loop creates a change that closes that gap C. The assessment loop focuses on the gap in the people, practice, and technology D. In the improvement loop, a change is first internalized, then it becomes the new normal, after which it can be used effectively
Answer: B Rationale: An escalation loop causes each side to seek improvement; the assessment loop seeks to normalize changes and identify new improvement opportunities. The improvement loop seeks to close the gap by improving the people's skills and knowledge and the practice used to implement the control process, and by identifying and implementing any enabling technology. Source: Fast Track - Implement/Improve Cycles
When thinking about what it means to become digital, which of the following shifts in mindset is required? A. Invest heavily in technology on focused or point solutions B. Becoming digital is more about culture than technology C. Seek solutions on the most granular level possible D. Tools are both the ends and the means to become digital
Answer: B Rationale: Becoming digital is about the application of technologies to various aspects of the organization, both internally and externally. Becoming digital is about changing the organizational approach to how it creates and delivers value by leveraging technology. It takes a cultural shift away from siloed thinking and away from technology as an internal tool to one where the organizational culture changes to act in a holistic manner to leverage technology to deliver improved value. Source: Becoming "Digital"
When considering using technology to close the gap in desired cybersecurity posture, which of the following statements is true? A. It's important to acquire the tool so that the process can be changed to accommodate its features and limitations B. Improve the knowledge & skills of people first, and then the practice to be enabled using technology C. Technology is the ends to solving a shortfall in a desired cybersecurity posture D. In all cases, the tool is purchased before any other people or practice decisions can be made
Answer: B Rationale: Even in the case where a control obviously requires the use of technology to close the gap, the technology should be considered as a means to achieve the end; both people (skills and knowledge) and practices (what and why) must be improved first. This approach assures that the technology selected is the optimal choice to enable the implementation of the control. Source: Technology is a Means, Not an End
Which of the following best describes the concept of "frame the risk"? A. It covers how risk is properly assessed and identifies internal and external vulnerabilities B. Describes the decision-making environment and how to assess, respond to and monitor risk C. Provides consistency in the organizational development of alternative courses of action D. Seeks to put into perspective and rationalize the ongoing effectiveness of risk responses
Answer: B Rationale: Framing the risk describes the organizational decision-making environment as it produces a risk management strategy. It also seeks to ensure that both investment and operational decisions involving risk are transparent about their perceptions. Source: Frame the Risk
What is the appropriate action if one or more informative references are NOT enough for the current situation? A. Explore the other informative references for other industries and sectors. B. Work with standards bodies and appropriate technology leaders to craft new references to fill the gaps. C. Create an internal working group to address the gaps. This is critical because digital transformation (DX) depends on cybersecurity; delay would impact DX efforts. D. Notify NIST, or another appropriate responsible informative reference body, of the gaps.
Answer: B Rationale: It is possible that existing cybersecurity informative references might not cover every possible situation. The NIST-CSF was explicitly crafted to support improvement and development of new or revised standards, guidelines, or practices. NIST-CSF framework is descriptive and non-exhaustive specifically to address this situation. Source: Identify Opportunities for New or Revised Informative References
The Lockheed-Martin Intrusion Kill Chain provides high-level insight into the phases of a cybersecurity attack and identifies a way to mitigate or stop the attack. MITRE ATT&CK provides a database of adversary (threat actor) tactics and techniques. Both are valuable tools. When comparing the two, which of the following is the most correct statement? A. The kill chain provides a higher level of understanding and prevention B. MITRE ATT&CK provides information that is more actionable than the kill chain C. The kill chain is proprietary and MITRE ATT&CK is globally accessible D. Neither conforms
Answer: B Rationale: MITRE ATT&CK is based on real-world observations that are used to develop threat models and methodologies. It's applicable to both the private sector as well as the government. It's acknowledged to provide a more actionable approach than the kill chain. However, the kill chain provides an excellent overview of an attack. Source: MITRE ATT&CK Framework
When thinking about Implementation Tiers, which of the following best describes the basis for success? A. When you reach CMMC level 6 on all aspects of cybersecurity B. Base success on achievement such as reaching the desired outcomes of a select target profile C. Frameworks are adopted not implemented D. Base success based on compliance to the criteria specified in each of the informative references
Answer: B Rationale: NIST-CSF is focused on outcomes, what you are achieving. It is risk-informed so organizations can tailor their adaptation of informative references to achieve their desired outcomes. Source: Implementation Tier Objectives
Which of the following statements best describes the origin of the NIST-CSF? A. Developed from a directive from the General Assembly of the UN to prevent international cyber terrorism B. President Obama signed an Executive Order to improve critical cybersecurity infrastructure C. Congress passed a joint resolution directing the Executive branch to create a cybersecurity framework that everyone must follow D. A United States Supreme Court ruling stemming from the Sony breach required companies to be held liable for breach of public trust due to a preventable cybersecurity breach in a 7-2 decision
Answer: B Rationale: On February 12th, 2013, President Obama signed Executive Order 13636. The order was intended to improve the USA's national critical infrastructure cybersecurity posture by establishing a standard framework that, when adopted, would help organizations in critical sectors improve their cybersecurity posture. Source: Cybersecurity Framework Origins
Which of the Recover: Framework Categories incorporates lessons learned into future activities? A. RC.RP - Recovery Planning B. RC.IM - Improvements C. RC.CO - Communications D. All of them
Answer: B Rationale: Recovery planning and process are improved by incorporating lessons learned into future recovery activities. Source: Recover: Framework Categories
When considering risk, what aspect of risk would be the first thing that should be addressed? A. Identification of threats B. Identification of assets C. Apply controls to mitigate threats D. Continual monitoring
Answer: B Rationale: The beginning step in any assessment is the complete identification of all your digital assets. Hardware first, then software. This is best supported by a formal configuration management system that includes configuration item relationships and owners. Source: Risk
The Identify Function Asset Management category ID.AM-1 and ID.AM-2 (hardware & software inventories, respectively) seek to control the entirety of organizational digital assets. Which of the following statements might be considered when deciding the order in which specific inventories should be done? A. Produce the software inventory first, then run a discovery against their hardware platforms B. Inventory the hardware to ensure a complete identification of all potential software C. Hardware and software inventory must be done simultaneously D. It doesn't matter which inventory is completed first
Answer: B Rationale: The hardware inventory should be completed first to ensure all possible software platforms are identified and can be subsequently inventoried. Failure to make sure that the hardware inventory is complete before attempting the software inventory may result in unknown vulnerabilities. Source: Core Function Identify: Subcategories (AM & BE)
When thinking about the basic principles of DX, which of the following principles best describes how an organization deals with the evolutionary needs of the organizational culture? A. Transform B. Response C. Innovation D. Value
Answer: B Rationale: The principle of "response" deals with how the organization handles the evolutionary needs of its culture. Becoming digital doesn't happen with the flip of a switch. Without a plan that addresses the aspects of cultural change, the effort might flame out due to cultural inertia or entropy. Source: Digital Transformation: Basic Principles (THRIVE)
When thinking about the NIST-CSF Core, which statement best describes the implementation tiers? A. Represents the outcomes based on business needs that an organization has selected from the framework categories and subcategories. B. Describes the desired cybersecurity posture the organization seeks C. Describes the degree to which the organizational cybersecurity risk management practices exhibit the characteristics defined in the framework. D. Represents industry standards, guidelines, and practices that allow for the communication of cybersecurity activities and outcomes
Answer: C Rationale: An implementation tier represents the rigor that an organization exhibits as defined in the framework. It doesn't represent a maturity model but a measure of what you are doing (and can document) against the framework guidance. Source: NIST-CSF Tier
Which of the following is NOT a way that a cybersecurity control is implemented? A. Through the skills & knowledge of people in the organization B. Through an understanding of what needs to be done, why, and how it should be done C. Through the complete mapping of informative references to each other and the selection of the best one D. Through the selection, installation, and operation of enabling technology
Answer: C Rationale: Controls are implemented via people, practice, and technology. These are the only three things you can affect in the implementation of controls. Source: Controls
Which activity of the gap analysis process for establishing or improving a program includes indicating the category and subcategory outcomes? A. Step 1: Prioritize and Scope B. Step 2: Orient C. Step 3: Create a Current Profile D. Step 4: Conduct a Risk Assessment
Answer: C Rationale: Creating a Current Profile (Step-3) would be where the organization identifies the category and subcategory outcomes that need to be improved. Source: CIIS Approach
Which of the following is NOT a key DX challenge to Digital Era organizations? A. Compliance issues B. Expanded attack surface C. Too many tools to manage D. Reduced visibility & control
Answer: C Rationale: Having too many tools is a technology challenge brought about when organizations purchase point solutions without having an overall practice, associated process and controls in place in advance of a tool purchase. Source: Cybersecurity: Key DX Challenges.
Framework profiles allow an organization to: A. Consider its risk management practices B. Demonstrate its cybersecurity maturity C. Establish the difference between the current state and the desired cybersecurity posture D. Demonstrate the rigor of the organizational cybersecurity practices
Answer: C Rationale: Once an organization can establish a current state profile, then it can describe a future state outcome it desires and then develop a plan to achieve the desired (target) profile (cybersecurity posture). Source: NIST-CSF Framework Profiles
Which of the following represents a practical approach to continuous security improvement that involves testing a computer system, network, or web application to find vulnerabilities that an attacker could exploit? A. Lessons learned from security incidents B. Audit findings and remediation C. Penetration Testing D. Vulnerability Assessment
Answer: C Rationale: Penetration Testing represents a practical approach to continuous security improvement that involves testing a computer system, network, or web application to find vulnerabilities that an attacker could exploit. Answer A (lessons learned from incidents) involves a post-mortem review of an incident for lessons learned and improvements. Answer B (audit findings) involves reviewing recommendations from audit findings for process improvements, etc. Answer D (vulnerability assessment) involves identifying and remediating possible exposures by detecting and remediating known vulnerabilities.
The Fast Track™ concepts are based on the idea that to improve, an organization must first achieve repeatability within what it does. This is followed by optimization, which seeks to balance resources against needs. Which of the following are two aspects of optimize? A. Create structure and seek repeatability B. Continually assessing gaps and prioritizing closing those gaps C. Continued expansion of cybersecurity controls and internalization of processes D. Continual repeatability and optimum balance
Answer: C Rationale: Stabilize is about doing first things first; it seeks to create the necessary structure to achieve repeatability. Optimize seeks to expand and improve repeatability while optimizing resources and internalizing processes. Improve seeks to continually assess gaps, prioritize their closure and improve everything all the time. Source: Fast Track Concepts
NIST-CSF includes guidance on a 7-step implementation/improvement process. Which of the 7-steps includes conducting a cost/benefit analysis? A. Step-2 Orient: Identify related systems & assets, regulatory requirements, and overall risk approach B. Step-4 Create a current profile: Determine current category & subcategory outcomes C. Step-6 Determine, Analyze, and Prioritize Gaps: Create an action plan to address gaps D. Step-7 Implement action plan: Determine which actions to take regarding the gaps
Answer: C Rationale: Step-7 includes the creation of an action plan to address gaps based on mission drivers, cost/benefit analysis and understanding of risk. Source: Seven-Step Process
Which of the following best describes the NIST-CSF? A. The NIST-CSF is a prescriptive framework that covers what you must do and how you must do it B. The NIST-CSF is a descriptive methodology that provides the exact "how-to" method to implement the framework C. The NIST-CSF is a descriptive framework that provides a systematic approach to cyber risk management D. The NIST-CSF is a subset of ISO/ECI 9001-2019
Answer: C Rationale: The key here is that the NIST Cybersecurity Framework is "descriptive." It talks about what you should think about and why it's important to you. It provides a structure within which you may tailor your implementation of the relevant cybersecurity controls to organizational needs. Source: Key Attributes of NIST-CSF
Which statement describes Tier 3? A. Partial with ad hoc processes, limited risk awareness, and little or no collaboration B. Adaptive with practices based on lessons learned and risk management as part of the culture and information actively shared C. Repeatable with organization-wide formal practices, consistent processes and methods, and information sharing with other organizations D. Risk informed with an approved risk management process and organizational awareness of the role of risk in relation to other organizations
Answer: C Rationale: The organizational risk management practices are formally approved and expressed as policy. Source: Implementation Tiers Approach & Implementation Tier Example
The risk equation seeks to establish the organizational exposure to risk based on the likelihood and impact of a cybersecurity incident or breach. Which of the following is NOT a component of the risk equation? A. Asset value B. Vulnerabilities C. Risk strategy D. Threats
Answer: C Rationale: The risk equation looks at threats, vulnerabilities, and asset value in the context of the strength of the assessed control. Risk strategy is not part of the equation. Source: The Cyber Risk Equation
Which of the following represents a threat? A. Lack of governance B. Ineffective patch management C. Competitors D. Infrequent risk assessments
Answer: C Rationale: Threats can come from many sources, such as nation-states, terrorist organizations, industrial spies, organized crime and hacktivists, as well as business competitors. Source: Two slides: Threats & Vulnerabilities
When thinking about cyber risk management, which of the following is NOT one of the key properties? A. Risk management process B. Integrated risk management program C. Lower cost insurance D. External participation
Answer: C Rationale: While lower cybersecurity insurance costs may result from a cyber risk management program, they are not one of the key properties. Source: Key Properties of Cyber Risk Management
Which of the following is NOT a characteristic of a Digital Era organization? A. Flexible & agile in its response to changes in its business environment B. Thinks & works in an agile manner C. Utilizes short planning & work cycles D. Utilizes lengthy planning cycles to ensure completeness of the requirements
Answer: D Rationale: One of the hallmarks of a Digital Era organization is that its culture and structure support near real-time response to a changing business environment. Therefore, both planning and work cycles are much shorter to accommodate a more dynamic environment. Source: Transformation - Industrial to Digital Era.
Which of the following statements best describes a Framework Profile? A. It provides the context for how an organization views cybersecurity risk and the processes to manage that risk. B. It represents the rigor practiced over a range of profiles C. It is the confluence of the people, practice and technology that are part of the organization used to characterize cybersecurity maturity D. It represents the cybersecurity outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories
Answer: D Rationale: A profile represents "outcomes" the organization can demonstrate now and provides a target that the organization desires to achieve to meet their business needs for a particular cybersecurity posture. Source: Developing Framework Profiles
Which step of the 7-Step Improvement process for implementing or improving a cybersecurity program includes analyzing the operational environment to determine the likelihood and impact of a cybersecurity event? A. Step 1: Prioritize and Scope B. Step 2: Orient C. Step 3: Create a Current Profile D. Step 4: Conduct a Risk Assessment
Answer: D Rationale: Analyzing the operational environment to determine the likelihood and impact of a cybersecurity event occurs during Step 4: Conduct a Risk Assessment. Source: Step-4: Conduct a Risk Assessment
Which of the following represents the Target Profile? A. The Target Profile is the "as-is state" characterized by the alignment of standards, guidelines, and practices to the Framework Core in an implementation scenario. B. The Target Profile is the Identify Core Function alignment of standards, guidelines, and practices in an implementation scenario. C. The Target Profile is the Protect Core Function alignment of standards, guidelines, and practices in an implementation scenario. D. The Target Profile is the "to-be state" characterized by the alignment of standards, guidelines, and practices to the Framework Core in an implementation scenario.
Answer: D Rationale: Answer D is correct. The Target Profile is the "to-be state" characterized by the alignment of standards, guidelines, and practices to the Framework Core in an implementation scenario. Source: Step-5: Create a Target Profile
When creating a profile, which of the following is true? A. Subcategories may only be referenced by one informative reference control B. When referencing one or more informative references for any given category, all other functions/categories must use the same ones C. All subcategories in each function/category must only be referenced against a single informative reference D. The subcategories of the selected category may be referenced against one or more informative references
Answer: D Rationale: As part of the flexibility of the Framework and the ability of the organization to tailor the selected controls to suit their unique context, a profile may be developed using one or more informative references. Think back to adaptation. Source: Using the Risk Assessment to Create the Profile
What is the best reason to incorporate considerations raised by NIST CSF into any digital transformation initiative? A. NIST-CSF profiles are a critical part of a modern digital transformation B. If digital transformation is successful it automatically includes the cybersecurity issues discussed as part of the NIST-CSF C. Digital transformation doesn't impact buying decisions. Adding consideration of NIST-CSF ensures these issues aren't forgotten. D. NIST-CSF and digital transformation impact every aspect of life & society. It's not one or the other, it's both.
Answer: D Rationale: Digital transformation integrates digital technologies into every aspect of the organization and every aspect of life and society. The NIST-CSF also impacts every aspect of life and society because it was developed to strengthen the cybersecurity of critical infrastructure against threats. Source: Two slides: Digital Transformation & NIST Cybersecurity Framework (CSF) & Methodology to Protect Privacy & Civil Liberties
Implementation Tiers consider the current organizational: A. Threat environment B. Legal & regulatory requirements C. Business/mission objectives D. All of them
Answer: D Rationale: Implementation tiers require that the organization look at itself and its business environment. In addition to the above list, it would also consider risk management practices and organizational constraints. Source: Implementation Tier Objectives
When thinking about integrated risk management programs across the tiers, which of the following is true? A. Tier-2 is where it's fully practiced, and at Tier-3, risk management defines the approach B. Tier-2 understands its dependencies and partners and enables collaboration, whereas Tier-3 understands its role in a larger cybersecurity ecosystem C. Tier-2 practices have been approved but aren't fully established, and at Tier-3 they are formally approved and expressed in policies D. Tier-2 provides an approach, and at Tier-3, it is practiced
Answer: D Rationale: In Tier-2, integrated risk management programs may be approved but may not be fully implemented, whereas in Tier-3 the program has been formally approved and expressed as policies. Source: Two slides: Tier-2 Risk-Informed and Tier-3 Repeatable
Which of the following is the most comprehensive list of inputs to a risk management strategy? A. Threat landscape, risk constraints, risk tolerance & uncertainty B. Uncertainty, workforce skills, risk constraints & risk tolerance C. Threat landscape, workforce skills, risk tolerance & uncertainty D. Risk constraints, risk tolerance, priorities & tradeoffs, & uncertainty
Answer: D Rationale: Inputs to an organizational risk management strategy would include risk assumptions, risk constraints, priorities and tradeoffs, risk tolerance, and uncertainty. Source: Organizational Risk Frame
The Framework considers the need to tailor the set of controls an organization implements to meet specific needs. This means organizations can adapt other references in common usage. Which of the following are NOT included in the informative references but are suitable for use with the Framework? A. PCI/DSS B. ISO/IEC 27002 C. AICPA D. All of them
Answer: D Rationale: The Framework can be used to identify opportunities for new or revised standards, guidelines, or practices where additional Informative References would help organizations address emerging needs. An organization implementing a given Subcategory, or developing a new Subcategory, might discover that few Informative References, if any, cover the activity. To address that need, the organization might collaborate with technology leaders or standards bodies to draft, develop, and coordinate standards, guidelines, or practices. Source: Tailor to Suit
The Orient step of the 7-step implement and improve plan involves the identification of which of the following? A. Overall risk approach B. Regulatory requirements C. Organizational threats & vulnerabilities D. All of them
Answer: D Rationale: The Orient step seeks to identify things that need to be protected and the appropriate justification, for example, regulatory requirements. In addition, it establishes the organization's overall approach to risk, such as risk philosophy and adoption of a risk management framework. It also seeks to identify both threats and vulnerabilities the organization might face to its digital assets. Source: Step 2: Orient.
Profiles are expressed in two different states: current (as-is) and target (as-desired). Which of the following statements best describes a framework profile? A. The desired outcomes and applicable references that are common across critical infrastructure sectors B. Cybersecurity activities and outcomes communicated to regulating or auditing bodies C. An expression of the reflection of an organization's progression from reactive to risk-informed D. The outcomes based on the needs that an organization has selected from the framework
Answer: D Rationale: The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in an implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a "Current" Profile (the "as-is" state) with a "Target" Profile (the "to-be" state). Source: NIST-CSF Framework Profiles
The Recover Function enables the organization to "get back on its feet" after a cybersecurity incident. Which of the following subcategories is NOT part of the Recover Function? A. Planning B. Improvements C. Communications D. Mitigation
Answer: D Rationale: The Recover Function is about putting things right again. That requires a plan to be executed during the recovery, improvements so that lessons learned are incorporated into future recoveries, and communication so that strategies can be updated and shared to keep all the stakeholders informed. Mitigation is under Respond. Source: Respond: Framework Categories
Which of the following describe creating a Current profile? A. Describe desired cybersecurity outcomes B. Adapt to any unique organizational risk C. Take into consideration both the influences and requirements of external stakeholders D. None of them
Answer: D Rationale: The above describes the creation of a target profile. The Current profile describes existing or demonstrated cybersecurity outcomes, while the Target Profile establishes the gap between current and desired by defining desired outcomes. Source: Two slides: Step-3: Create a Current Profile & Step-5: Create a Target Profile
The Center for Internet Security (CIS) identified a set of critical security controls that are specific, actionable and effective against the most pervasive and dangerous attacks. The controls are broken down into groups. Which represent the grouping of CIS Controls v7? A. Identify, Respond, Recover B. Good, Better, Best C. Basic, Essential, Organizational D. Basic, Foundational, Organizational
Answer: D Rationale: The basic controls represent "basic cybersecurity hygiene," whereas the foundational controls expand the organization's defensible cybersecurity perimeter. The organizational controls are organization-wide and address making and managing policies. Source: CIS Controls-V7
Albert Einstein said, "Everything should be made as simple as possible, but no simpler." Which of the following aspects of the Simplify Everything principle is true? A. Ensure there is a clear understanding of value B. Communicate value to all the stakeholders C. Identify and separate wants from needs D. All of them
Answer: D Rationale: The whole idea of this principle is that if you can reduce everything to its essentials, you will better understand both the problem and the solution and can quickly iterate your learning to refine both. Source: Simplify Everything
Select the correct Tier-3 risk management practice level of achievement from the descriptions below: A. Adapts based on lessons learned, has organization-wide risk management, and actively shares with partners B. Processes are not formalized, risk-aware but not established, and collaborates with partners C. Approval but not established, aware but not established, and aware of external collaboration but it hasn't been established D. Approved & expressed policies, organization-wide risk management, and collaboration and partnerships
Answer: D Rationale: Tier-3 risk management practices are characterized by an approved process expressed in corporate policies, practiced organization-wide, and active external collaboration and partnerships. Source: Risk Management Practices
For the CIS Controls™, implementing anti-malware and antivirus is part of continuous vulnerability management. a. True b. False
Answer: False Rationale: CIS Control 3 is Continuous Vulnerability Management. Implementing anti-malware and antivirus is Control 8 (Malware Defenses). Source: CIS Control 3 - Continuous Vulnerability Management
True or False: A threat actor requires nothing more than public information to launch an attack. a. True b. False
Answer: True Rationale: In the case of Target, the attackers came in through a supplier and used public information that Target had released about its point of sale (POS) terminals. Take advantage of everything: all information has value. Source: Operational Sustainability - Principle Themes & Start with Operational Sustainability
In phase 1 of phased control implementation, what control comes after an inventory of hardware and software? a. Control 4 - Controlled Use of Administrative Privileges b. Control 3 - Continuous Vulnerability Management c. Control 5 - Secure Configurations of Mobile Devices, Laptops, Workstations, and Servers d. Control 7 - Email and Web Browser Protections
Answer: a Rationale: After controls 1 and 2, the next step is to lock down the discovered assets: Control 4 - Controlled Use of Administrative Privileges Source: Controls - Order of Precedence (Initiation & Basic [Startup])
When conducting a cybersecurity assessment, should you conduct an assessment before and after each phase? a. Yes b. No
Answer: a Rationale: Assessments must be before and after each phase as a way to determine if the target for the phase is met. Source: Cybersecurity Assessment
When improving by using a determinative model, which comes first? Optimize resources or optimize flows? a. Optimize flows b. Optimize resources c. Neither. These are not part of a determinative model.
Answer: a Rationale: In a determinative model, optimize flows before resources. Otherwise, resource allocation does not match the actual flows in the organization. Source: Determinative Model
What are the steps in improving people, process, and technology as part of the Fast Track™ Improve cycle? a. Plan - Do - Study - Act b. Plan - Do - Act - Study c. Do - Study - Act - Assess d. None of them
Answer: a Rationale: The correct sequence for the improvement cycle is Plan - Do - Study - Act. Source: Fast Track™ - Implement/Improve Cycles
Which of the following defines the gap? a. The difference between the current state and the desired state b. The difference between the planned state and the desired state c. The difference between the desired state and the future state d. None of them
Answer: a Rationale: The gap is the difference between the current state and the desired state. Source: Develop Different Flow Patterns
When planning an incremental cybersecurity approach, which comes first? a. What to do b. How to do it c. When to do it d. Which one to do first
Answer: a Rationale: The initial planning needs to be what to do. Once "what" is determined, then how, when, and sequencing comes next. Source: Work Structure
True or False. Should the cybersecurity team take suppliers into account when creating the organization's target profile? a. True b. False
Answer: a Rationale: The supply chain is a critical aspect of any target profile
When planning an incremental cybersecurity approach, which is a better time horizon? a. Days b. Weeks c. Months d. Quarters
Answer: a or b (both are correct) Rationale: When planning an iterative process, days and weeks are better than months or quarters. Source: Approach
Which of the following CIS Controls™ should a team implement in Phase Zero of a phased adoption approach? a. Incident Response b. Security Awareness Training c. Vulnerability Assessment d. Threat Assessment
Answer: a,b Rationale: a and b are the first controls to be implemented. Though vulnerability and threat assessment occur before control implementation, these are not part of the CIS Controls™. Source: Controls Phased Adoption
Which of the following CIS Controls™ should a team implement in Phase One of the phased adoption approach? a. Inventory and Control of Hardware Assets b. Continuous Vulnerability Management c. Malware Defenses d. Email and Web Browser Protections e. All of the above
Answer: a,b Rationale: Though malware defenses and email and web browser protection are essential controls, they are not part of the first six controls implemented in this phase. Source: Controls Phased Adoption
Which of the following statements is TRUE about Adopt? a. Structures the organization's approach to cybersecurity b. Evaluates cybersecurity risk management c. Creates policies for cybersecurity risk d. Operationalizes a consistent approach to cybersecurity
Answer: a,b,c Rationale: Adopt is an organizational governance action. Anything operational is a component of Adapt. Source: Adopt: What's Included in Governance for Cybersecurity?
Which of the following are examples of thinking like a threat actor? a. What can I do to infect Joe's laptop? b. What can I do to get to Sally after I've infected Joe's laptop? c. How do I get past the firewall? d. How do I get Joe to tell me about his daughter's birthday?
Answer: a,b,c,d Rationale: All of the answers are indicative of thinking like a threat actor. Even asking for a wife's name could be social engineering to learn a password. Source: Develop Small Requirements
Which of the following should be part of an incident response plan? a. Documenting the incident response procedures b. Executive management contact list c. List of security operations staff and responsibilities d. List of legal and public relations contacts
Answer: a,b,c,d Rationale: All the above are part of a comprehensive incident response plan. Source: CIS Control 19 - Incident Response & Management
Which of the following are adaptability statements? a. Can we make decisions with imperfect knowledge? b. Can we take action based on a security assessment? c. Can we make decisions at the highest possible level? d. Can we self-organize to solve little gaps before they get big?
Answer: a,b,d Rationale: Adaptive work is based on an unclear problem and solution, requiring new learning. Decisions should be at the lowest level possible to include the right institutional and operational knowledge. Source: Agility Demands
Which of the following are transparency statements? a. How does work actually get done? b. Who actually communicates what to whom? c. How does data flow through the organization? d. How do things really get improved? e. Who is designated the cybersecurity lead?
Answer: a,b,d Rationale: The key to transparency is understanding what is "really" happening, versus what people say or believe is happening. The "flow of data through the organization" is only transparent when we look at how it actually flows. Similarly, "who is really the cybersecurity lead" is a transparent statement. Source: Agility Demands
Which of the following are part of "Porter's Five Forces?" a. Threat of new entrants b. Threat of substitutes c. Threat of competition for workers d. Bargaining power of customers e. Bargaining power of suppliers f. Bargaining power of workers
Answer: a,b,d,e Rationale: Threat of competition for workers and the bargaining power of workers are internal factors. All other factors are external to the organization. Source: Unique Strategic Challenges of the Digital Era
Which of the following are components or characteristics of a threat? a. The probability that an attack will occur b. The tactics, techniques, and procedures of the attacker c. A weak password d. A misconfigured firewall e. A phishing email
Answer: a,b,e Rationale: The probability of attack, tactics, techniques, and procedures, and a phishing email are all characteristics and components of a threat. A weak password and a misconfigured firewall are vulnerabilities. Source: Understand Cyber Risk
When considering cybersecurity, what are the primary flows to address? a. Flow of work b. Flow of data c. Flow of communication d. Flow of improvement e. Flow of money f. Flow of staff
Answer: a,c,d Rationale: The three primary flows to consider are the flow of work, communication, and improvement. The cybersecurity team should extend these flows to partners and suppliers to cover the supply chain. Source: Impact Flows
Which of the following are attributes of strategic agility? a. Strategic planning framework b. Deep listening reporting c. Deep listening empowerment d. Strategic assessment capability e. Strategic governance
Answer: a,c,d,e Rationale: All of the items focus on strategic agility factors. Deep listening reporting implies a reporting structure and potential rigidity, so it is not a strategic agility factor. Source: Attributes of Strategic Agility
True or False. Governance adapts to management's decision to adopt. a. True b. False
Answer: b Rationale: Management must ADAPT to governance's decision to ADOPT. The other way around leads to the failure of any cybersecurity initiative due to the lack of a strong underlying governance framework. Source: Adopt & Adapt - DX & Cybersecurity
Which of the following is the best description of a Man-in-the-middle attack? a. An intermediary between the hacker and the organization that the hacker is attacking b. A hacker monitoring/changing traffic to the organization c. A hacker on the inside of the organization, acting as a malicious insider d. None of the above
Answer: b Rationale: A MitM attack is where an attacker sits on the wire between systems or between a user and a system. From this vantage point, the hacker can see (or spoof) logins and passwords depending on the level of encryption the organization uses. Source: Generic Attack Types
Which of the following is the best description of an APT? a. Advanced Planning Technique b. Advanced Persistent Threat c. Advanced Probing Threat d. Advanced Premeditated Threat
Answer: b Rationale: APT is an advanced persistent threat. An APT is an insidious, long-acting, low-volume threat that sneaks in under most security detection systems. Source: Generic Attack Types
When conducting an adaptive phased approach for cybersecurity, which characteristic best describes phase 1? a. Initialize b. Stabilize c. Optimize d. Improvise
Answer: b Rationale: After implementing phase 0, the next step is to stabilize the environment during phase 1. Source: Work in phases
Which implementation group is characterized by the following? The organization employs people charged with managing and protecting IT infrastructure. The organization has multiple departments with different risk profiles. The organization may be subject to compliance requirements. a. 1 b. 2 c. 3 d. 4
Answer: b Rationale: An implementation group 2 organization employs people charged with managing & protecting IT infrastructure, has multiple departments with different risk profiles, and may be subject to regulatory compliance requirements. There are only 3 implementation groups. Source: Implementation Groups
Can an organization become digital with an unstructured approach to cybersecurity? a. Yes b. No
Answer: b Rationale: An organization cannot become digital without a structured approach to cybersecurity. A digital organization requires governance that spans both becoming digital and a sustainable cybersecurity posture. Source: Operational Sustainability - Principle Themes & Start with Operational Sustainability
Which of the following describes breakout time? a. The time between reconnaissance and launching an attack b. The time between the first attack and when the attack spreads c. The time between dropping the malware and when the data exfiltrates d. The time between identifying the threat and stopping the attack
Answer: b Rationale: Breakout time is the time between when the malware activates on one machine and when the adversaries start moving to other systems in the organization. Source: Threat Actors Agile & Adaptive
In phase 1 of phased control implementation, what control comes after Maintain, Monitor, and Analyze Audit Logs? a. Control 8 - Malware Defenses b. Control 3 - Continuous Vulnerability Management c. Control 5 - Secure Configurations of Mobile Devices, Laptops, Workstations, and Servers d. Control 7 - Email and Web Browser Protections
Answer: b Rationale: CIS Control 3, Continuous Vulnerability Management, comes right after implementing audit logging and analysis. It is important to have a monitoring infrastructure in place before adding vulnerability management. Source: Controls - Order of Precedence (Initiation & Basic [Startup])
What CIS Control would result in implementing log management? a. Control - 3 b. Control - 6 c. Control - 9 d. Control - 10
Answer: b Rationale: CIS Control 6 is Maintenance, Monitor & Analysis of Audit Logs. Source: CIS Control 6 - Maintenance, Monitor & Analysis of Audit Logs
Activities that are neither context nor mission-critical should be? a. Outsourced b. Discontinued c. Redesigned d. None of them
Answer: b Rationale: If an activity is not context or mission-critical, the activity no longer serves the success of the business and should be discontinued. Source: Balance Resource Optimization Mode
True or False. In a balancing loop, the larger the gap between the current state and the desired state, the smaller the influence. a. True b. False
Answer: b Rationale: In a balancing loop, the larger the gap, the stronger the influence on the loop.
When scoping ongoing improvement, what step comes after identifying business systems most at risk? a. Think like a threat actor b. Verify or create an inventory of hardware and software c. Mitigate and protect d. Learn and improve
Answer: b Rationale: Once you know the business systems at greatest risk, you have defined the scope of the improvement. The next step has to be creating a complete inventory of all assets. Without this inventory, the success of all future actions is at risk. Source: How to Scope Ongoing Improvement
True or False. Centralized decision making slows response and impedes agility in all organizations. a. True b. False
Answer: b Rationale: Though centralized decision making may slow decision making and impede agility in many organizations, some organizations can only function with this type of decision making. Source: Cultural Patterns
When creating a current profile, what do you evaluate against the organization? a. The previous profile b. Framework controls c. MITRE ATT&CK d. All of them
Answer: b Rationale: When creating the current profile, the best practice is assessing how the organization complies with a framework of controls. The framework could be NIST, CIS, CMMC, ISO, or any framework. Source: Step 3: Create Current Profile
When evaluating the cybersecurity staff capabilities, the assessor must look at skills, knowledge, and ____? a. Training b. Commitment c. Ability d. None of them
Answer: c Rationale: The three primary metrics for measuring security staff capabilities are skills, knowledge, and ability. Source: Assess Cybersecurity Capabilities
What does MVP stand for concerning a cybersecurity program? a. Most Viable Provider b. Minimum Valued Product c. Minimum Viable Product d. Most Valued Product
Answer: c Rationale: A Minimum Viable Product is the smallest amount of work that can lead to quantifiable results. Source: Prioritize Based on Most Valuable Thing to do "Next"
Which of the following best describes a zero-day vulnerability? a. The first day a new vulnerability is announced is called "day zero." b. When a new vulnerability is announced at the same time as the patch c. When a new vulnerability is announced with no patch available d. None of the above.
Answer: c Rationale: A zero-day vulnerability is one where the announcement of a vulnerability occurs before any remediation options are available. This makes zero-days impossible to stop, but organizations can mitigate the potential impact. Source: Threat Actors Exploit Vulnerabilities
To become an agile organization requires three things: governing policies, managing policies, and ____? a. Flexible technology b. Staff policies c. Operations direction d. Standard culture
Answer: c Rationale: Agile organizations require precise operations direction to implement what governance is adopting, and management is adapting. Also, culture must be flexible and may not be standard across an agile organization. Source: Establish a Strategic Approach
What does CMMC stand for? a. Cybersecurity Maturity Model Congress b. Cybersecurity Model Maturity Comparison c. Cybersecurity Maturity Model Certification d. None of them
Answer: c Rationale: CMMC is a US DoD standard called the Cybersecurity Maturity Model Certification. Source: Origins of CMMC
When conducting a risk assessment, the assessor must look at likelihood and ____? a. Cost b. Risk c. Impact d. Frequency
Answer: c Rationale: Determining risk requires understanding both the likelihood of an event and the impact of the event. A highly likely event with little impact has no impact on the overall risk posture of the organization.
Which phase of an iterative phased cybersecurity approach is considered to be establishing a beachhead? a. Phase -1 b. Phase 0 c. Phase 1 d. Phase 2
Answer: c Rationale: Establishing a beachhead occurs in phase 1. This is where the organization stabilizes the environment and closes gaps. Source: Phase 1: Establish Cybersecurity Beachhead
An organization displaying "Good Cyber Hygiene" would be what level of CMMC? a. 1 b. 2 c. 3 d. 4
Answer: c Rationale: Good cyber hygiene is the baseline for doing business with the DoD. Good cyber hygiene is level 3 of the 5-level CMMC model.
Which of the following characteristics apply to a bureaucratic culture in the organization? a. High cooperation b. Novelty crushed c. Narrow responsibilities d. Risks shared e. All of them
Answer: c Rationale: High cooperation and risks shared are part of a generative organizational culture. Novelty crushed is part of a pathological organizational culture. Source: Characteristics of Culture Types: How They Process Information
When conducting an adaptive phased approach for cybersecurity, which characteristic best describes phase 3? a. Optimize b. Improvise c. Improve d. Expand
Answer: c Rationale: Once phase 1 has stabilized the organization, and phase 2 has optimized the organization, phase 3 focuses on improvement. Source: Work in phases
Which of the following characteristics apply to a pathological culture in the organization? a. Performance-oriented b. Shared risks c. Power oriented d. Cross-function tolerated e. None of them
Answer: c Rationale: Performance-oriented and shared risks are part of a generative culture organization. Cross-function tolerated is part of a bureaucratic culture organization. Source: Characteristics of Culture Types: How They Process Information
In the following statement, what factor is missing? "Learning requires the creation, ___, and use of knowledge." a. application b. dissemination c. retention d. None of the above
Answer: c Rationale: Retention is essential for the organization to learn. Without retention, there is no base to the collective knowledge. Source: Disruptors are NOT Loose Cannons
When working with a cross-functional team, what is the benefit of documenting lessons learned? a. Provides the team with a record of participation b. There is no benefit. Spending time on documenting slows down the agile process c. Preserves institutional knowledge d. None of them
Answer: c Rationale: Teams must record the lessons learned so that institutional knowledge is available at future planning sessions. Source: Leverage Cross-functional Teams
What is MITRE ATT&CK? a. A database of vulnerabilities most prevalent in organizations at greatest risk b. A database of the dark web sites and locations c. A database of threat actors' tactics, techniques, and procedures d. All of them
Answer: c Rationale: The MITRE ATT&CK database is the most up-to-date database of threat actor tactics. Source: Think Like A Threat Actor
What are the steps in assessing cybersecurity posture as part of the Fast Track™ Implement cycle? a. Assess - Internalize - Normalize - Change b. Internalize - Normalize - Change - Assess c. Assess - Change - Internalize - Normalize d. Normalize - Internalize - Change - Assess
Answer: c Rationale: The correct steps are to Assess - Change - Internalize - Normalize. All the other options have the right steps but in the wrong order for success. Source: Fast Track™ - Implement/Improve Cycles
What is a residual gap? a. The difference between the current profile and the target profile b. The difference between the current profile and the last profile c. The difference between the target profile and the actual profile d. None of them
Answer: c Rationale: The residual gap is what is left over after moving from the current profile toward the target profile.
Why would multifactor authentication have helped to prevent the Target breach? a. It would have better protected the POS terminals from direct access b. It would have made it harder for attackers to exfiltrate data c. It would have prevented hackers from using stolen vendor ID & password d. All of the above
Answer: c Rationale: The use of multi-factor authentication would have made it impossible for the hackers to log in to Target by using the stolen ID and Password from the subcontractor. Source: General Lessons from Target Breach
The CIS Controls defines how many implementation groups? a. 5 b. 4 c. 3 d. None of them
Answer: c Rationale: There are three implementation groups. Source: Implementation Groups
Which of the following are characteristics of an organization that is disrupting culture to better position against threat actors? a. Control everything b. Mitigate nothing c. Become resilient
Answer: c Rationale: To stay ahead of bad actors, it is essential to control what you can control and mitigate what you cannot control. An organization that takes a control-everything and mitigate-nothing approach fails to move forward. Source: Shared Aspects
Which of the following are NOT part of an agile approach? a. Understand how all the parts fit together b. Develop a set of gaps c. Deliver value at the end d. Work in small cyclic movements e. Pick the right technology early f. All of them
Answer: c,e Rationale: Agility requires delivering value incrementally, rather than at the end of the project. Becoming agile is not about technology. Technology's implementation is a byproduct of agile work. Source: Becoming Agile
Of the following, which are reasons to implement a security awareness and training program? a. Empower staff to act b. Learn about social engineering and avoiding phishing c. A contact list d. All of them
Answer: d Rationale: All of the above are essential components of a security awareness & training program. Source: CIS Control 17 - Implement a Security Awareness & Training Program
When implementing Adapt for cybersecurity, what is the correct flow of feedback? a. Security engineer to Manager to CEO b. Security analyst to Manager to CISO c. Security leader to CISO to CEO d. All of them
Answer: d Rationale: All of the options display feedback that moves from the operational level to the management level to the executive level. Source: Adapt: What's Included in Management for Cybersecurity?
Of the following choices, which are the benefits of optimizing gap size? a. Lets organizations fail fast b. Discovers problems sooner c. Facilitates mid-course corrections d. All of them
Answer: d Rationale: All of these are benefits of optimizing gap size. Source: Flow of Work
What is the correct description of CIS Controls™ number 5? a. Inventory and Control of Software Assets b. Continuous Vulnerability Management c. Maintenance, Monitoring, and Audit Logs d. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers e. Malware Defenses f. Data Protection
Answer: d Rationale: Control 5 is Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. Control 5 is one of the Basic CIS Controls™, implemented in Phase 1 of a phased adoption approach. Source: CIS Control 5 - Secure Configurations
Which is the correct sequence for a consultant's view of the flows? a. Stabilize, Improve, Optimize b. Stabilize, Plan, Act c. Stabilize, Optimize, Study d. Stabilize, Optimize, Improve
Answer: d Rationale: Taking an outside-in (consultant's view) helps an organization see the way things are. The steps to take are to stabilize first, then optimize, then improve. Source: Consultant's View of the Flows
What is the correct sequence for a lean thinking approach? a. Plan - Do - Study - Agree b. Propose - Do - Study - Agree c. Plan - Act - Study - Agree d. None of them
Answer: d Rationale: The correct sequence is Plan - Do - Study - Adjust or Plan - Do - Study - Act. Source: Lean Thinking Applied
What is the fourth step of the NIST 7-step risk improvement plan? a. Orient b. Create a current profile c. Create a target profile d. Conduct a risk assessment
Answer: d Rationale: The fourth step is to conduct a risk assessment. Orient is the second step. Creating current and target profiles are the third and fifth steps, respectively. Source: NIST 7-Step
Which of the following describes a risk appetite? a. What can we tolerate? b. What can we afford to lose? c. What can we not afford to lose? d. All of them
Answer: d Rationale: The risk appetite for an organization is the amount of risk that an organization is willing to accept. The risk appetite includes what the organization is willing to lose and what it is not willing to lose. Source: Determine Risk Appetite
What is the second to last step of the Lockheed-Martin Cyber Kill Chain? a. Actions on Objectives b. Installation c. Exploitation d. Command and Control e. All of them
Answer: d Rationale: The second to last step is command and control. During this step, the malware "calls home" to get instructions and further code to start exfiltrating data. Source: Operational Sustainability - Principle Themes & Start with Operational Sustainability
In a 3D Knowledge Flow Model, what does the X-axis represent? a. Knowledge of state of related value streams b. Knowledge of overall business strategy and direction c. Knowledge of past and future expected value stream contributions d. None of them
Answer: d Rationale: The x-axis tells you what was done before and what will be done after you hand off the knowledge. Source: 3D Knowledge Flow Model
What is the VOCR Model? a. Value, Outcome, Capabilities, Risks b. Value, Output, Capabilities, Risks c. Value, Outcome, Costs, Results d. None of them
Answer: d Rationale: VOCR stands for Value, Outcome, Costs, and Risks. Source: Focus on Value, Outcomes, Costs & Risks
What are the components of an adaptive approach to work? a. Problem b. Learning c. Solution d. All of them
Answer: d Rationale: All three of these components go into an adaptive approach to working. Source: Facilitate Learning
What are some approaches to protecting against zero-day vulnerabilities? a. Updated training & awareness b. Updated incident response plan c. Anti-virus d. a and b e. a,b,c
Answer: e Rationale: All three actions help to mitigate the impact of a zero-day vulnerability. Plus, increasing training and awareness and anti-virus can help to stop threat vectors that are trying to exploit the vulnerability. Source: Threat Actors Exploit Vulnerabilities
Which of the following is the first step in the Lockheed Martin Cyber Kill Chain? a. Recording b. Weaponization c. Installation d. Command and Control e. None of the above
Answer: e Rationale: The first step is Reconnaissance. Source: Lockheed-Martin Cyber Kill Chain
What is the correct description of CIS Controls™ number 7? a. Inventory and Control of Software Assets b. Continuous Vulnerability Management c. Maintenance, Monitoring, and Audit Logs d. Data Recovery Capabilities e. Malware Defenses f. Data Protection g. None of the above
Answer: g Rationale: CIS Controls™ number 7 is Email and Web Browser Protections. Source: CIS Control 7 - Email & Web Browser Protections
What can bad actors exploit?
Anything of value. If it has value to you, no matter how small the perceived value might be, then it has value to them.
CIS Control 18
Application Software Security
Balancing Loop
Attempts to move some current state to a desired or reference state through some action. The structure may begin with the current state greater or less than the desired state, in which case the current state may approach the desired state from above or below.
CMMC Model Level 1
Basic cyber hygiene, processes performed ● Basic cybersecurity ● Achievable for small companies ● Limited resistance ● Practices performed at least ad hoc
CIS Control 12
Boundary Defenses
CIS Control 3
Continuous Vulnerability Management
CIS Control 14
Control Access Based on the Need to Know
CIS Control 4
Controlled Use of Administrative Privileges
CIS Control 13
Data Protection
CIS Control 10
Data Recovery Capabilities
Gap
Desired State interacts with the Current State. The larger the Gap, the stronger the influence to produce Action. The Action pursued moves the Current State toward the Desired State, reducing the Gap. When the Action succeeds, it moves the Current State to the Desired State, thereby closing the Gap, and there is no more influence toward Action.
CIS Control 7
Email & Web Browser Protections
Disruptors are loose cannons - True or False
False
CMMC Model Level 3
Good cyber hygiene, processes managed ● Coverage of NIST 800-171 controls ● Extends beyond scope of CUI protection ● Resilient against moderately skilled threat actors ● Moderate resistance ● Comprehensive of knowledge of cyber assets ● Processes maintained & followed
CIS Control 17
Implement a Security Awareness & Training Program
Controls Phased Adoption (Phased Approach) - Phase 3
Improve Phase - Adding additional Controls ● Drive cybersecurity as a core/mission-critical capability ● Threat actors constantly expand capability to exploit vulnerabilities ● Apply defense-in-depth ● Requires governance ● Applied & ongoing refine & tailor
Controls Phased Adoption (Phased Approach) - Phase 1
Improve Phase - CIS 01 - 06 - Inventory & control hardware assets - Inventory & control software assets - Continuous vulnerability management - Controlled use of administrative privileges - Secure configurations - Maintenance, monitor & analysis of audit logs ● Understand threat actors ● Recognize cybersecurity is not ongoing game of leapfrog
Controls Phased Adoption (Phased Approach) - Phase 2
Improve Phase - CIS 07 - 20, no 17 or 19 - Email & web browser protections - Malware defenses - Limitation & control of network ports, protocols & services - Data recovery capabilities - Secure configurations for network devices - Boundary defenses - Data protection - Control access based on the need to know - Wireless access control - Account monitoring & control - Application software security - Penetration tests & red team exercises - Recovery ● Limit work scope ● Common points of entry ● After infiltration comes infection & changes ● Be prepared ● Organizational scope: selective small businesses & larger
CIS Control 19
Incident Response & Management
Controls Phased Adoption (Phased Approach) - Phase 0
Initiation of Adopt & Adapt Phase: CIS 17 & 19 - Implement a cybersecurity awareness & training program - Incident response management ● Plan, create & deliver cybersecurity awareness training ● Create a cybersecurity incident response "You are here!" ● Target gaps between policy & technology ● Goal: empower & enable people to develop cyber defense habits ● Ensure incident response team engage in scenario-based training
CMMC Model Level 2
Intermediate cyber hygiene, processes documented ● Inclusive of accepted cybersecurity best practice ● Resilient against unskilled threat actors ● Minor resistance ● Practices documented
CIS Control 1
Inventory & Control of Hardware Assets
CIS Control 2
Inventory & Control of Software Assets
Two Types of Vulnerabilities
Known & zero-day
What is Adaptive work?
Leading change in a situation where both the problem and the solution are unclear, and all participants require new learning
CIS Control 9
Limitations & Control of Network Ports, Protocols & Services
CIS Control 6
Maintenance, Monitor & Analysis of Audit Logs
CIS Control 8
Malware Defenses
Adapt
Management decisions in support of governance policy & direction ● Shapes operational context ● Applies real world constraints
Can you become "digital" without a structured approach to cybersecurity?
No. You cannot successfully become "digital" without adopting and adapting a structured approach to cybersecurity.
Digital Transformation Readiness Framework - Components
Operational Sustainability: Demonstrated by sufficient operational capability to perform to avoid living in constant react-mode. Organizational Agility: The capability to dynamically adjust the structure, operating processes, or functions of the organization to respond to changing market conditions. Strategic Agility: Where operational agility demonstrates the capability to change, strategic agility is knowing when to do so. Disruptive Culture: enables and supports intelligent risk-taking to enable innovation
Disruptive Culture - Principle Themes
Operationally Sustainable: a culture needs to be free to work within the bounds of the right operational and business processes to allow innovation to flourish without the shackles of rigorous and sometimes unnecessary procedures. The culture should avoid strict adherence to rules that could lead to a "destructive culture." Rather than give the impression of process immaturity, a destructive culture exhibits characteristics of malicious compliance. Operational Sustainability enables "intelligent disobedience" of the process when it makes sense to do so. Organizational Agility: requires a culture of continual service improvement combined with management support for the "business application of creativity." The creativity can be put into place through the demonstration by top management of "visible and consistent support for change," enabling the organization to adjust quickly. Strategic Agility: relies on a disruptive culture that includes a set of beliefs that put the interests of the customer first. It is part of an overall, but much more fundamental, corporate culture. This broader culture is one that follows agile values like proactivity, responsiveness, trust, support of proposals and decisions of employees, and the handling of change as opportunity and chance.
Attributes of Organizational Agility
Organizational Taxonomy: Does the organization maintain and effectively utilize an easily understood mapping that connects delivered business value to the supporting business processes and the underlying functional teams that execute those processes? Organizational Communication & Coordination: Does the team have well-defined and open lines of communication through which opportunities to pivot and the potential risks and ramifications of changes can be shared and coordinated? Organizational Autonomy: Do team leaders have the ability to make rapid, preliminary decisions regarding potential changes to operating models, structures, and processes before submission to a more extensive governance process? Operational Experimentation: Do teams embrace and effectively execute concepts such as Lean Startup, Minimum Viable Product, and 'Fail Fast' to employ rapid testing and experimentation around potential changes to operating models, structures, and processes? Organizational Collaboration: Do teams exhibit openness and willingness to collaborate with others during their experimentation, testing, and change efforts, especially when those efforts will or might impact the other functional domain? Mission-Driven Governance: Does the team embrace a mission-driven approach to decision making that actively considers the overall needs and benefits to the organization as the primary evaluation criteria for any decision to change operating models, structures or processes, especially when the change decisions span multiple groups or business units within the organization? Adaptive Leadership: Does the leadership team encourage change, celebrate experimentation, protect appropriate risk-takers, and ultimately take responsibility and accountability both for failed experiments and for the failure to appropriately pivot?
CIS Control 20
Penetration Tests & Red Team Exercises
CMMC Model Level 5
Practices advanced & progressive, processes optimized ● Highly advanced cybersecurity practices ● Reserved for most critical systems ● Resilient against most advanced threat actors ● Machine performed analytics & defensive actions ● Resilient against & detection of data exfiltration ● Autonomous knowledge of cyber assets ● Processes improvement across the organization
CMMC Model Level 4
Practices proactive, processes reviewed ● Advanced & sophisticated cybersecurity practices ● Resilient against advanced threat actors ● Defensive response performed at machine speed ● Increased resistance against & detection of data exfiltration ● Complete & continuous knowledge of cyber assets
Strategic Agility - Principle Themes
Reduced reliance on traditional planning documents: Organizational Agility is about the ability of the organization to pivot when directed; Strategic Agility is the ability to know when to pivot. Organizations must reduce reliance on long-term strategic planning documents. Instead, they must create the capability within the organization to continuously monitor shifts in the market and emerging technologies and then dynamically re-craft the strategic direction and vision to maintain a competitive advantage and mitigate potential competitive disruption. Organizational Strategic Capabilities: The organization must develop a strategic set of capabilities that enables it to rapidly detect opportunities and threats, seize strategic opportunities and ensure continued competitiveness by adapting, improving, protecting, and reconfiguring the organizational business model and assets. Continual Environmental Scanning: An organization must be able to adjust its structure and operating processes tactically within the bounds of a chosen strategy. An organization must possess the capabilities to scan the environment through formal and objective assessments and use the results to test rapidly selected strategies to ensure they are sound. To facilitate strategic change, emphasize a joint effort by multiple stakeholders in a common connected digital space to enable the organization to make quick evidence-based decisions using both internal and external assessment information.
CIS Control 5
Secure Configurations
CIS Control 11
Secure Configurations for Network Devices
Attributes of Operational Sustainability
Strategic & Functional Clarity: Does the team have a clear mission and purpose? Does it understand how team activities fit into the broader mission and purpose of the organization? Inter-Functional Integration: Are integration points between each team and other functional units well defined, understood, monitored, and measured? Organizational Discipline: Does the organization employ "just enough" process and oversight, enabled by technology, to ensure reliability and consistency without creating unnecessary bureaucracy? Governance: Does the organization have the ability to make rapid and effective decisions? Metrics-Driven Management: Does the management team utilize objective data as their primary means to manage the organization? Operational Flexibility: Has the management team created a culture that is open to change, willing to challenge the status quo? Does the management team continually look to improve to meet business demand and deliver increased value? Team Dynamics: Are team members engaged and invested in the success of the organization? Does the organization invest in the workforce to reskill and develop the staff to accommodate changing organization demands?
Attributes of Strategic Agility
Strategic Planning Framework: Does the organization utilize a flexible strategic planning framework that outlines a strategic vision, directional principles, and intentional outcomes to enable rapid shifts in strategic plans when necessary? Formalized Listening Capability: Does the organization employ a formal organizational process that continually monitors the market, competitors, and customers to rapidly identify market shifts outside of any formal strategic planning process? Deep Listening Empowerment: Has the organization embedded the need to identify potential market shifts, competitive disruptions, and changes to customer demands and needs at every level of the organization? Has it established operational protocols to continually seek, collect, and adjudicate these findings throughout the organization? Strategic Assessment Capability: Has the organization established and maintained a formal internal capability to assess potential changes to the strategic direction based on identified market opportunities or competitive threats on an on-going basis? Strategy Testing: Has the organization established mechanisms to test and measure potential changes to strategic direction rapidly? Has it established well-defined mechanisms to assess results and shift strategy, as required? Strategic Governance: Does the organization utilize a strategic governance process empowered to make organizational changes to strategic direction, outside of the usual strategic planning process based on strategic assessment and testing, including the determination of execution requirements? Strategic Shift Communication & Execution: Has the organization established precise mechanisms to communicate changes in strategic direction? Does this communication include organizational and operational impacts to maintain the ability to cause those changes to be executed effectively and realized operationally?
Operational Sustainability - Principle Themes
Sustainable Operational Performance: sustainable business process and technology operations model. Recognize and stabilize operational challenges. This is not specifically about operational excellence; instead, it addresses creating a stable capability to enhance and improve. Sustainable operational performance requires business and technology operations that are efficient concerning the use of resources and effective concerning delivery of expected outcomes. This type of efficiency and effectiveness enables organizational flexibility to scale activities. Foundational organizational discipline: Operational Sustainability is a prerequisite to provide foundational organizational discipline. The attributes of operational stability are designed to measure whether the operating models provide just enough discipline to continue to deliver expected value. Focus on organizational capabilities: The emphasis for this dimension is on organizational capabilities, not maturity. The measurement of these capabilities has the potential to reveal the ability of the organization to perform in a foundational and balanced manner. The foundation exists to achieve the organizational and strategic agility required in the Digital Era.
What are transparency statements?
The key to transparency is understanding what is "really" happening, versus what people say or believe is happening. The "flow of data through the organization" is only transparent when we look at how it actually flows. Similarly, "who is really the cybersecurity lead" is a transparent statement.
CIS Control 15
Wireless Access Control
3D Knowledge Flow Model
X-axis: ● Knowledge of past & future expected contributions to a value stream ● You know what was done before you get it and what will be done after you hand it off Y-axis: ● Knowledge of state of related value streams ● You know if what you are doing will impact other value streams or if they will impact what you are doing. Z-axis: ● Knowledge of overall business strategy & related actions ● You know what you are doing and why
Adopt
a decision that impacts organizational governance. ● Structures the organization's approach to cybersecurity ● Evaluates cybersecurity risk management ● Creates policies for cybersecurity risk
What is Porter's Five Forces Framework
a tool for analyzing the competition of a business. It draws from industrial organization (IO) economics to derive five forces that determine the competitive intensity and, therefore, the attractiveness (or lack of it) of an industry in terms of its profitability. An "unattractive" industry is one in which the effect of these five forces reduces overall profitability. The most unattractive industry would be one approaching "pure competition," in which available profits for all firms are driven to normal profit levels. The five-forces perspective is associated with its originator.
IG3
employs cybersecurity experts in multiple areas (e.g., risk management, penetration testing, mobile); subject to regulatory compliance
IG2
employs people charged with managing & protecting IT infrastructure; multiple departments with different risk profiles; may have regulatory compliance
3 components of an agile organization
governing policies, managing policies, and operations direction
IG1
small to medium size, limited IT & cybersecurity expertise
Moore's Quadrant - Context & Non-mission Critical
things no longer important to the success of the business or its mission; discontinue them
Moore's Quadrant - Core & Non-mission Critical
things that are important to differentiate the organization but haven't matured or grown in importance to become core. For these, you may seek a partner to share the risk.
Moore's Quadrant - Core & Mission Critical
things that you must have total control over because they are core to the business and differentiate it from all others.
Moore's Quadrant - Context & Mission Critical
while not core, still require the organization to exercise control; they are mission-critical to the business but no longer serve to differentiate it. These can be outsourced.
Generic Attack Types
● Advanced persistent threats (APT) ● Cross-site scripting (XSS) ● Denial-of-service (DoS) & distributed denial of service (DDoS) ● Drive-by ● Malware (viruses, worms, ransomware, spyware, Trojans and more) ● Man-in-the-middle (MitM) ● Password (default credentials & dictionary attacks) ● Phishing & spear phishing ● Remote access Trojan (RAT) ● SQL injection
CMMC Model Level 1 - Practices
● Anti-virus ● Ad hoc ● Governance ● Cybersecurity incident response
Agility Demands - Adaptability
● Can we make decisions with imperfect knowledge? ● Can we make decisions at the lowest possible level? ● Can we self-organize to solve little gaps before they get big?
Applying Lean Thinking
● Combine with deliberate adjustment ● Plan-Do-Study-Adjust ● Manage workflows
Risk types
● Compliance & regulatory ● Financial ● Operational ● Reputational ● Strategic
CMMC Model Level 4 - Practices
● Considers supply chain risk ● Threat hunting ● Use of data loss prevention (DLP) ● Includes mobile devices ● Network segmentation
Moore's Quadrant
● Core = those things that define who & what you are ● Context = everything else ● Mission-critical = those things that must be ● Non-Mission-critical = everything else that should be
How to seek organizational agility
● Create Adaptable organizational structure ● Tactical flexibility ● Organic leadership & teaming
Adopt: What's Included in Governance for Cybersecurity?
● Define policy & high-level controls ● Evaluate how organizational hierarchy supports or impedes cybersecurity
CMMC Model Level 5 - Practices
● Deploy custom organizational protections ● Real-time asset tracking ● 24x7 SOC operation ● Device authentication ● Autonomous initial response actions
Lockheed-Martin Cyber Kill Chain - Defensive Actions
● Detect ● Deny ● Disrupt ● Degrade ● Deceive ● Contain
Rapid Adoption - Steps
● Determine Risk Appetite ● Establish Cybersecurity Governance ● Assess Cybersecurity Capabilities ● Balance Resources & Risks
Adapt: What's Included in Management for Cybersecurity?
● Develop supporting management policies ● Enable a more agile approach to work (cultural change) ● Enable & support cybersecurity communication ● Manage direction & exceptions ● Apply lean thinking
Concepts of a Digital Strategy
● Distinguish vision vs. strategy ● Recognize nascent trends ● Smaller clients as opportunities ● Install new measures of success ● Consider 90-day action plans.
Characteristics of Threat Actors
● Do their homework ● Smart like us ● Patient & persistent ● Dangerous ● Agile ● Creative
Types of Impact Flows
● Flow of work ● Flow of communication ● Flow of improvement
Agility Demands - Transparency
● How does work actually get done? ● Who actually communicates what to whom? ● How do things really get improved?
How to Scope Ongoing Improvement
● Identify business systems most at risk ● Verify or create inventory ● Think like a threat actor ● Mitigate & protect ● Learn & Improve ● Wash, rinse, repeat
Types of external attacks
● Identity theft ● Business email compromise ● Ransomware ● Crypto-mining malware ● Advanced persistent threats (APTs)
Types of Impact
● Impact on people ● Impact on practice ● Impact on technology
Determinative Model
● Improvement ● Communications ● Work
CMMC Model Level 3 - Practices
● NIST 800-171 requirements met ● Multifactor authentication ● Information security continuity plan ● Communicate threat information to stakeholders
How to Assess Cybersecurity Capabilities
● Part of Implementation Group ● Balance Resources & Risks ● Risk Analysis & Management ● Requirements analysis includes cybersecurity ● Develop a learning organization ● Competency
Generative Culture Type (Concentration on the mission)
● Performance oriented ● High cooperation ● Messengers trained ● Risks shared ● Cross-function encouraged ● Novelty implemented
Pathological (Personal power)
● Power oriented ● Low cooperation ● Messengers shot ● Responsibilities shirked ● Cross-function discouraged ● Novelty crushed
Generic profile of cybersecurity attacks
● Probe/Discover vulnerabilities (reconnaissance) ● Weaponization & Infection ● Infiltration (sub-system location) ● Sub-system infection ● Data collection ● Command & control ● Data exfiltration ● Monetization
Lockheed-Martin Cyber Kill Chain - Threat Model
● Reconnaissance ● Weaponization ● Delivery ● Exploitation ● Installation ● Command and Control ● Actions on Objectives
CMMC Model Level 2 - Practices
● Risk management ● Awareness & training ● Back-up & security for continuity
Bureaucratic Culture Type (Rules, positions & turf)
● Rule oriented ● Modest cooperation ● Messengers rejected ● Narrow responsibilities ● Cross-function tolerated ● Novelty viewed as problem
Most Prevalent Deficiencies
● Service access creep ● Failure to recognize & respond to personnel behavior changes ● Failure to preserve forensic evidence ● Failure to develop ongoing training & awareness ● Failure to segregate networks based on need to access ● Failure to change default passwords
Unique Strategic Challenges of the Digital Era
● Shortened planning cycles ● Shortened product delivery & life cycles ● Falling barriers to entry for competitors ● Porter's Five Forces
Rapid Adoption - based on the concept of
● Stabilize - gain control ● Optimize - ensure what you have is as good as it can be ● Improve - expand and embed the capability to continually improve
NIST 7-step Improvement
● Step 1: Prioritize & Scope ● Step 2: Orient ● Step 3: Create a current profile ● Step 4: Conduct risk assessment ● Step 5: Create target profile ● Step 6: Determine, analyze & prioritize gaps ● Step 7: Implement action plan
Components of Cybersecurity Governance
● Subset of corporate governance ● Provides specific direction for cybersecurity ● Includes risk appetite ● Protect delivery of value ● Defines & prioritizes cybersecurity risks ● Supports the creation of cybersecurity policies ● Establish basis to allocate organizational resources ● Proactive: improving cybersecurity profile ● Reactive: handling a cybersecurity incident
How to stabilize what you have?
● Sustainable operational performance ● Foundational organizational discipline ● Focus on organizational capabilities
Build a Learning Organization
● Systems thinking - The idea of the learning organization developed from a body of work called systems thinking, a conceptual framework that allows people to study businesses as bounded objects. ● Personal mastery - The commitment by an individual to the process of learning is known as personal mastery. There is a competitive advantage that accrues to an organization when the workforce can learn more quickly than the workforce of other organizations. ● Mental models - The assumptions held by individuals and organizations are called mental models. To become a learning organization, these models must be challenged to create a new & different frame of reference. ● Shared vision - The development of a shared vision is fundamental in motivating the staff to learn, as it creates a collective identity that provides focus and energy for learning. The most successful visions build on the individual visions of the employees at all levels of the organization. Traditional structures with the imposition of the company vision from above hinder the creation of a shared vision. ● Team learning - The accumulation of individual learning constitutes team learning. The benefit of team (or shared) learning is rapid staff growth that improves the problem-solving capacity of the organization through better access to knowledge and expertise
Why Ongoing Improvement Is Critical
● Threat actors continually improve their capabilities ● Cybersecurity isn't implemented & done ● Make strategic commitment to inculcate cybersecurity into culture ● Trust & verify ● Zero Trust Architecture
Porter's Five Forces Components
● Threat of new entrants ● Threat of substitutes ● Bargaining power of customer ● Bargaining power of suppliers ● Competitive rivalry
Typical Mitigation Controls
● Training & awareness ● Asset inventory ● Segment the network ● Harden endpoints & servers ● Ensure proper access control & identity management ● Document, implement & maintain data protection lifecycle
How to Change Your Culture
● Understand current culture ● Consider strategy & the environment ● Frame culture target in business reality
Adaptive Approach - Quick Overview
● Understand the whole ● Break out parts ● Scope the increments ● Work in small iterations ● Deliver value incrementally
Adaptive Approach - Approach
● Work in small increments ● Limit time to ● Plan scope (what) ● Plan work (how) ● Keep iteration length & increment size small ● Easily manageable event horizons (days → weeks, not months → quarters) ● Predictable scope