CCT 067: Cybersecurity Governance: Mastering CISSP Domain 1.3 Exam Questions

Aug 31, 2023
 

Take a journey into the heart of cybersecurity with us as we unravel Gmail's latest recommendation for multi-factor authentication. Can you guess the three key aspects they propose for heightened security? Stay tuned as we also tackle a pertinent CISSP question on security governance, illuminating the primary purpose of an organization's security governance program. Learn how a balanced scorecard can effortlessly align security controls with business goals, pivotal to any security governance strategy.

Ever wondered about the fundamental principles of security frameworks like SABSA and COBIT? We've got you covered. Hear interesting insights about the COSO framework and its prime focus, along with a deep dive into the Risk Management Framework (RMF). We also present an intriguing scenario where a financial giant's CEO pushes for rapid technology adoption. Plus, get a dose of reality about the critical importance of investing in cybersecurity training and the potential costs involved. Before we wrap up, we emphasize the value of a robust cybersecurity plan. So, are you ready to fortify your cybersecurity knowledge?

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

 

Which of the following BEST describes the fundamental purpose of an organization's security governance?

A) Implementing security technology

B) Compliance with legal regulations

C) Ensuring a secure organizational culture

D) Aligning security with business objectives

 

Answer: D

Explanation: Security governance is a framework that aligns security strategy with business objectives and risk management. While A, B, and C are related to security, D captures the main essence of security governance.

 

Which framework emphasizes continuous monitoring and risk management?

A) COBIT

B) ITIL

C) COSO

D) RMF

 

Answer: D

Explanation: The NIST Risk Management Framework (RMF, NIST SP 800-37) emphasizes continuous monitoring and risk management, integrating both into the system development life cycle. COBIT is an IT governance framework, ITIL covers IT service management, and COSO addresses internal control.

 

ISO/IEC 27001 is primarily concerned with what aspect of information security management?

A) Risk Management

B) Compliance Monitoring

C) Software Development

D) Physical Security

 

Answer: A

Explanation: ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). At the core of that system is a risk assessment and risk treatment process carried out in the context of the organization's overall business risks; the risk management techniques themselves are detailed in the supporting standard ISO/IEC 27005.

 

How does the application of a balanced scorecard benefit an organization’s security governance?

A) It ensures total regulatory compliance

B) It measures financial performance only

C) It balances security controls with business goals

D) It focuses exclusively on technological improvements

 

Answer: C

Explanation: The balanced scorecard is a strategic planning tool that balances different aspects of performance, including aligning security controls with business goals. It doesn’t focus solely on compliance, finance, or technology.

 

Which principle of security governance focuses on ensuring that decisions are made by individuals with the appropriate authority and responsibility?

A) Protection

B) Responsibility

C) Accountability

D) Transparency

 

Answer: C

Explanation: Accountability ensures that decisions are made by those with appropriate authority and responsibility, ensuring that actions and decisions related to security are traceable to the individual.

 

In the context of the NIST Cybersecurity Framework, what does the “Protect” function primarily emphasize?

A) Monitoring

B) Penetration Testing

C) Disaster Recovery

D) Access Control

 

Answer: D

Explanation: The "Protect" function in the NIST Cybersecurity Framework primarily emphasizes the implementation of appropriate safeguards to ensure the delivery of critical infrastructure services, including access control.

 

What is the primary goal of a Security Control Framework like NIST SP 800-53?

A) Identifying Potential Threats

B) Ensuring Compliance with Laws and Regulations

C) Establishing Security Controls and Guidelines

D) Developing Security Technologies

 

Answer: C

Explanation: NIST SP 800-53 is a catalogue of security and privacy controls, with guidance for selecting and tailoring them. It was written for, and is mandatory on, federal information systems, but since Revision 5 it is scoped to "information systems and organizations" generally and is widely adopted outside government. Threat identification, compliance, and technology development may all draw on the catalogue, but its primary goal is to establish the controls and their guidelines.

 

Which international standard focuses on the implementation of risk management processes integrated with the overall business risk?

A) ISO/IEC 27002

B) ISO/IEC 27005

C) ISO/IEC 27001

D) ISO/IEC 20000

 

Answer: C

Explanation: ISO/IEC 27001 specifies an information security management system whose risk assessment and risk treatment processes are integrated with the organization's overall business risks. ISO/IEC 27002 is a code of practice (a catalogue of controls with implementation guidance), ISO/IEC 27005 gives guidance on information security risk management techniques in support of 27001, and ISO/IEC 20000 covers IT service management.

 

What does the Sherwood Applied Business Security Architecture (SABSA) primarily aim to provide?

A) Detailed technical controls

B) A business-driven approach to security

C) Compliance with GDPR

D) Network security protocols

 

Answer: B

Explanation: SABSA is a framework and methodology for delivering cohesive information security solutions that align with the business, thus providing a business-driven approach.

 

Which of the following is NOT an underlying principle of COBIT?

A) Meeting Stakeholder Needs

B) Applying a Single Integrated Framework

C) Enabling a Holistic Approach

D) Ensuring Technological Advancement

 

Answer: D

Explanation: COBIT 5 is built on five principles: meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. Ensuring technological advancement is not one of them; COBIT governs the enterprise's use of IT, it does not exist to push technology adoption.

 

What is the PRIMARY focus of the COSO framework?

A) Network Security

B) Internal Control within an Organization

C) Disaster Recovery

D) Incident Response

Answer: B

Explanation: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework focuses on internal control within an organization, especially related to financial reporting.

 

Which stage of the RMF process includes the formal acceptance of the system?

A) Categorize

B) Implement

C) Authorize

D) Monitor

Answer: C

Explanation: The RMF (NIST SP 800-37) runs through Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. In the "Authorize" step a senior official (the authorizing official) reviews the assessment results and the residual risk, and formally accepts that risk by issuing the authorization to operate; the system then passes into continuous monitoring.

 

In the context of security control frameworks, what does the term 'Baseline' refer to?

A) A set of minimum security controls

B) The first phase of risk assessment

C) A security incident response plan

D) A network monitoring tool

Answer: A

Explanation: In the context of security control frameworks, a 'Baseline' refers to a set of minimum security controls that serves as a starting point for system hardening and risk management.

 

Which of the following is NOT a principle of good governance as defined by the Organisation for Economic Co-operation and Development (OECD)?

A) Transparency

B) Efficiency and Effectiveness

C) Public Participation

D) Technological Implementation

Answer: D

Explanation: The OECD principles of good governance include aspects like transparency, efficiency and effectiveness, and public participation, but not technological implementation.

 

What is the purpose of Security Control Framework Mapping in an organization?

A) To define new security technologies

B) To map business strategies with security goals

C) To align different security control frameworks and standards

D) To create a network architecture

Answer: C

Explanation: Security Control Framework Mapping is used to align different security control frameworks and standards, ensuring consistency and integration across various guidelines and requirements in an organization.

 

Question 1: Risk Management Frameworks

The CEO of a large financial organization is pushing for a quicker adoption of new technologies to stay competitive. As the CISO, you decide to follow a risk management framework to ensure a balance between rapid technological development and security. Which of the following frameworks is NOT generally used for this purpose?

A) NIST SP 800-53

B) ISO/IEC 27001

C) COBIT

D) Agile

Answer: D) Agile

Explanation: Agile is a set of software development practices focused on delivering small, incremental improvements to software products. Agile teams can embed security activities in each iteration, but Agile is not a risk management framework for guiding the organization's overall risk management processes. NIST SP 800-53 (the control catalogue used with the NIST RMF), ISO/IEC 27001, and COBIT all provide structured guidance for managing security risk across an organization.

 

Question 2: Quantitative Risk Analysis

Your organization is evaluating the financial impact of a potential data breach. The asset value is $500,000, and the Exposure Factor (EF) is 60%. What is the Single Loss Expectancy (SLE)?

A) $30,000

B) $60,000

C) $300,000

D) $500,000

Answer: C) $300,000

Explanation: Single Loss Expectancy (SLE) is calculated as Asset Value (AV) multiplied by Exposure Factor (EF). In this case, SLE = $500,000 * 0.6 = $300,000.
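The SLE calculation above is the first step of the quantitative method the exam builds on. The following is an added example (not code from the page or the podcast) that carries it through the rest of that method: Annualized Loss Expectancy (ALE = SLE x ARO) and the value of a safeguard (ALE before minus ALE after minus the safeguard's annual cost). The asset value and exposure factor are the page's figures; the ARO, the post-control exposure factor and the safeguard cost are assumptions chosen for illustration.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example. AV = $500,000 and EF = 60% come from the question above;
every other number is an assumption for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost in one incident (0.0 .. 1.0)
    aro: float               # Annualized Rate of Occurrence, incidents per year

    def __post_init__(self) -> None:
        # Catch the classic exam mistake of passing 60 instead of 0.6.
        if self.asset_value < 0:
            raise ValueError("asset value must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor is a fraction: 60% is 0.6, not 60")
        if self.aro < 0:
            raise ValueError("ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: what one incident costs (AV * EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected yearly loss (SLE * ARO)."""
        return self.sle * self.aro


def parse_percent(text: str) -> float:
    """Turn '60%' or '0.6' into the fraction 0.6; anything else is rejected."""
    t = text.strip()
    if t.endswith("%"):
        return float(t[:-1]) / 100.0
    value = float(t)
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{text!r}: write a fraction (0.6) or a percentage (60%)")
    return value


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Annual value of a control: ALE(before) - ALE(after) - annual cost.

    A positive result means the control pays for itself on purely
    quantitative grounds; a negative one means the risk is cheaper to accept.
    """
    return before.ale - after.ale - annual_cost


def worked_example() -> dict[str, float]:
    """The page's breach scenario, extended with assumed ARO and control figures."""
    # Page's figures: AV $500,000, EF 60% -> SLE $300,000.
    # Assumed: one breach every four years (ARO 0.25).
    breach = RiskScenario(asset_value=500_000, exposure_factor=parse_percent("60%"), aro=0.25)
    # Assumed: a control (say, encryption of the data at rest) cuts EF to 10%
    # for an annual cost of $20,000; ARO is unchanged because the control
    # limits impact, not likelihood.
    with_control = RiskScenario(asset_value=500_000, exposure_factor=0.1, aro=0.25)
    return {
        "sle": breach.sle,
        "ale": breach.ale,
        "ale_with_control": with_control.ale,
        "safeguard_value": safeguard_value(breach, with_control, annual_cost=20_000),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:>18}: ${value:,.2f}")
```

Note that a control can reduce EF (impact), ARO (likelihood) or both; model the one it actually changes, otherwise the cost/benefit figure flatters the purchase.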

 

Question 3: Privacy Laws and Regulations

Which of the following privacy regulations places stringent requirements on how personal data of EU citizens can be transferred to non-EU countries?

A) HIPAA

B) GDPR

C) CCPA

D) PIPEDA

Answer: B) GDPR

Explanation: The General Data Protection Regulation (GDPR) is a European Union law that protects the personal data of individuals in the EU (data subjects), regardless of their citizenship. Chapter V restricts transfers of that data to countries outside the EU/EEA unless a mechanism such as an adequacy decision, standard contractual clauses, or binding corporate rules is in place. HIPAA is specific to protected health information in the U.S., CCPA is a California state law for consumer data, and PIPEDA is Canada's federal private-sector privacy law.

 

Question 4: Information Classification

You are working to classify a set of documents in a governmental organization. One of the documents contains information that, if disclosed, would likely cause exceptionally grave damage to national security. How should this document be classified?

A) Secret

B) Confidential

C) Top Secret

D) Sensitive But Unclassified

Answer: C) Top Secret

Explanation: Under the U.S. classification scheme (Executive Order 13526), "Top Secret" is reserved for information whose unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security; "Secret" corresponds to serious damage and "Confidential" to damage. Sensitive But Unclassified is a handling marking, not a classification level.

 

Question 5: Role-Based Access Control

In a Role-Based Access Control (RBAC) model, which of the following elements is NOT typically part of its design?

A) Roles

B) Permissions

C) Subjects

D) Entitlements

Answer: D) Entitlements

Explanation: The core RBAC model (ANSI/INCITS 359, based on the NIST model) is built from users (subjects), roles, permissions (operations on objects), and sessions. Roles are assigned to subjects and permissions are assigned to roles, so a subject never holds a permission directly. "Entitlement" is a general identity governance term for any access a user has been granted; it is not one of the formal elements of the RBAC model.
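To make the roles/permissions/subjects structure concrete, here is an added example (not the page's or the podcast's code) of a small RBAC reference monitor: subjects get roles, roles get permissions, a role may inherit from another role, and a static separation-of-duty (SSD) constraint stops one subject from holding two conflicting roles. The bank roles, users and permissions are constructed sample data.

```python
"""Minimal RBAC reference monitor with role hierarchy and static separation of duty.

Added example. The roles, permissions and users are constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    operation: str   # e.g. "approve"
    obj: str         # e.g. "wire_transfer"


class RBAC:
    """Subjects hold roles; roles hold permissions. Subjects never hold permissions directly."""

    def __init__(self) -> None:
        self._role_perms: dict[str, set[Permission]] = defaultdict(set)
        self._parents: dict[str, set[str]] = defaultdict(set)   # child role -> roles it inherits
        self._user_roles: dict[str, set[str]] = defaultdict(set)
        self._ssd: list[frozenset[str]] = []                     # mutually exclusive role sets

    def grant(self, role: str, operation: str, obj: str) -> None:
        self._role_perms[role].add(Permission(operation, obj))

    def inherit(self, child: str, parent: str) -> None:
        """child acquires every permission of parent; cycles are rejected."""
        if child == parent or child in self._ancestors(parent):
            raise ValueError(f"inheritance cycle: {child} -> {parent}")
        self._parents[child].add(parent)

    def add_ssd(self, *roles: str) -> None:
        """Static separation of duty: a subject may hold at most one role from this set."""
        self._ssd.append(frozenset(roles))

    def assign(self, user: str, role: str) -> None:
        """Give a subject a role, refusing any assignment that breaches an SSD set.

        The check runs over effective roles, so a conflict reached through
        inheritance is caught as well as a direct one.
        """
        held = self.effective_roles(user) | {role} | self._ancestors(role)
        for conflict in self._ssd:
            if len(held & conflict) > 1:
                raise ValueError(f"{user}: {role} conflicts with SSD set {sorted(conflict)}")
        self._user_roles[user].add(role)

    def _ancestors(self, role: str) -> set[str]:
        """All roles reachable through the inheritance graph from role (excluding itself)."""
        seen: set[str] = set()
        stack = [role]
        while stack:
            for parent in self._parents.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen

    def effective_roles(self, user: str) -> set[str]:
        """Directly assigned roles plus everything they inherit."""
        roles = set(self._user_roles.get(user, ()))
        for role in list(roles):
            roles |= self._ancestors(role)
        return roles

    def check(self, user: str, operation: str, obj: str) -> bool:
        """The access decision: does any effective role carry this permission?"""
        wanted = Permission(operation, obj)
        return any(wanted in self._role_perms.get(r, ()) for r in self.effective_roles(user))


def build_bank_rbac() -> RBAC:
    """Constructed sample policy for a bank: tellers, wire initiators and approvers."""
    rbac = RBAC()
    rbac.grant("teller", "read", "account")
    rbac.grant("wire_initiator", "create", "wire_transfer")
    rbac.grant("wire_approver", "approve", "wire_transfer")
    rbac.grant("branch_manager", "read", "audit_log")
    rbac.inherit("wire_initiator", "teller")   # initiators can do everything a teller can
    rbac.inherit("wire_approver", "teller")
    rbac.add_ssd("wire_initiator", "wire_approver")  # nobody both initiates and approves a wire
    rbac.assign("alice", "wire_initiator")
    rbac.assign("bob", "wire_approver")
    rbac.assign("carol", "branch_manager")
    return rbac


if __name__ == "__main__":
    policy = build_bank_rbac()
    print("alice read account:", policy.check("alice", "read", "account"))
    print("alice approve wire:", policy.check("alice", "approve", "wire_transfer"))
```

The SSD check is the part worth copying: it is evaluated against effective roles, not just the roles named in the assignment, because a role hierarchy is exactly how two-person-rule violations sneak in.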

 

Transcript:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Hey y'all, Sean Gerber, with CISSP Cyber Training, and today is CISSP Question Thursday. But before we get started, we're going to talk about just a quick article I was reading in Infosec Industry. It brought it up on Forbes and it's related to the changes that are happening within Gmail. Gmail is recommending that you put in place a multi-factor if you don't already have it, and the reason they're doing that is they've been. I've seen a lot of different challenges that have been happening to their various platform and one of the things that they said if you really have these three items, you need to consider putting in place your multi-factor, and one is creating and editing or importing a filter. Two is adding or forwarding addresses from a post office protocol, which is your POP right, your email POP or your IMAP protocols as well. So if you have an email that you forward to it. They'll want that in there. And then also, if you're enabling IMAP access from your settings, bottom line is they want you to add this multi-factor capability now. One interesting part of that is it already has much of this built into it. You're just going to have to. If you don't have it enabled, it's going to prompt you forward that enabling. Obviously, what they're running into is some issues with malicious actors that are trying to game the overall situation, and they recommend that you get that done as soon as you possibly can. So if you have a Gmail account, that might be something to consider.

Also, as a security person and working on your CISSP understanding, some of these articles are really important, especially for some of your senior leaders, because what's going to happen is your senior leaders may have questions for you and require this of you saying, hey, I don't know what to do. If you already come with some level of knowledge around this and maybe even put out a recommendation to them, that would be a great first step in helping them. So just kind of keep that in mind. But Gmail is recommending your multi-factor is enabled, and again I come back to the fact that you will have users that are going to ask you questions specifically around this topic.

Okay, let's get started on the CISSP questions and let's see what we've got today. Okay, question one: which of the following best describes the fundamental purpose of an organization's security governance program? A, implementing security technologies. B, compliance with legal regulations. C, ensuring the secure organizational culture. Or D, aligning security with business objectives? So again, which is the best or which best describes the fundamental purpose of an organization's security governance program? And the answer is D, aligning the security with your business objectives. That is something you will deal with a lot as a CISSP and your security governance is a framework that will help align with the overall strategy that what your business is looking to accomplish. And so, again, that's really an important factor is that it always comes back to the business objectives.

Question two: which framework emphasizes continuous monitoring and risk management? So now they gave you some acronyms, so the key around this is you're going to have to know these acronyms to be able to understand what they are. So which framework emphasizes continuous monitoring and risk management? COBIT, ITIL, COSO, that's C-O-S-O, and then D is RMF, Romeo Mike Foxtrot, and the answer is RMF, Risk Management Framework. This emphasizes continuous monitoring and risk management, on integrating these processes into your various development life cycle. Now the key question is, if you get this question, what do I do? So if you're dealing with COBIT, obviously that is a framework out there, but it doesn't deal with risk. It's more on the IT space. It does have a little bit of risk, but it's not totally around that. ITIL and COSO are something you may or may not be aware of, but RMF you can just kind of just make the assumption it would deal with risk. So that's gonna be a tough one for you.

Question three: ISO 27001 is primarily concerned with what aspect of information security management? A, risk management. B, compliance monitoring. C, software development. Or D, physical security. Question again is ISO 27001 is primarily concerned with what aspect of information security management? A, risk management. B, compliance monitoring. C, software development. Or D, physical security. When you're dealing with ISO 27001, always think of risk management. That's the purpose behind it. It is designed specifically on risk management and information security management and its overall business risk is what it's focused on. So you could possibly come down to the compliance monitoring and maybe bite off on that, but risk management's a key factor when it comes to 27001.

How does an application of a balanced scorecard benefit an organization's security governance program? So the question is how does the application, so basically putting in place of a balanced scorecard, benefit an organization's security governance program? So the scorecard is basically what do you do, right? How is your patching doing? How is your, I'm trying to think of something else, your mobile program going, so on and so forth. So it's just giving you a grade, right? Well, A, it ensures total regulatory compliance. B, it measures your financial performance only. C, it balances security controls with business goals. Or D, it focuses exclusively on technology improvements. So if you don't know how to answer this, when you start getting into the "exclusively", "ensures total", "financial performance only", those are key indicators that that might not be the right question or right answers. The actual answer is C, it balances security controls with your business goals. The ultimate goal is you align your security control with your business goals, is an important factor in any sort of security governance program. So again, you wanna make sure that you keep in, or key in, on some of those key words.

Question five: which principle of security governance focuses on ensuring that decisions are made by individuals with the appropriate authority and responsibility? The principle of security governance focuses on ensuring that decisions are made by individuals with appropriate authority and responsibility. The answer, one of the answers, protection. Okay, what's that? We're talking about principles here. The protection principle, responsibility, accountability or transparency. So again, it focuses on ensuring decisions are made by individuals with the appropriate authority and their responsibility, and the answer is C, accountability. This ensures that those that have the appropriate authority and responsibility can make those decisions. Very tricky. Those are kinda tough ones because you get real quick, if you roll through this too fast you could just start picking on ones that are not correct.

Question six: in the context of NIST Cybersecurity Framework, what does the Protect function primarily emphasize? So you're gonna focus on the Protect aspect. You have A, monitoring. B, penetration testing. C, disaster recovery. Or D, access control. And the answer is D. The Protect function of the Cybersecurity Framework emphasizes primarily on the implementation of appropriate safeguards to deliver critical infrastructure services and it's based on access control.

Question seven: what is the primary goal of the security control framework such as NIST Special Publication 800-53? The primary goal of the security control framework: A, identify potential threats. B, ensure compliance with laws and regulations. C, establishing security controls and the associated guidelines. Or D, developing security technologies. So what is the primary goal of this, and that is C, sorry, C, establishing security controls and guidelines. 800-53 focuses on providing the guidelines and standards for implementing these security controls within, especially within, federal information systems. That's what the key point also to keep in mind is. NIST focuses on US-based federal systems. However, many use NIST because of the fact that it can be used with any organization.

Question 8: which international standard focuses on the implementation of risk management processes that are integrated with the overall business risk? Again, the "international" focus keyword and "implementation of risk management processes" keyword. And then it's integrated with overall business risk. So you have ISO 20000, 27002, ISO 27005, ISO 27001. And NIST 800-53. Again, which one is it? International standard focuses on this. So it would be the ISO 27001, focuses on risk management with the organization's overall risks.

Okay, question 9: what does the Sherwood Applied Business Security Architecture, SABSA, primarily aim to provide? Now, when I first took the CISSP, I had no idea what this would be and honestly, even on my job, I'm not too totally connected with SABSA. But one thing that I started doing some digging into this, I figured you know what? Let's throw this out there as a question and then see what you think. Well, answer. We'll go through some of the responses. A, detailed technical controls. B, business driven approach to security. C, compliance with GDPR. Or D, network security protocols. D is, if you don't know what this is, focus on the name: Sherwood Applied Business Security Architecture. So if it's a business keyword, it's a security architecture. So if it's an architecture, it's not going to divide or design specifically on detailed technical controls. Most architecture is not in a detail, it's more of a larger abstract environment. Compliance with GDPR, as question C or as answer C, no, it's not focused on that because it really doesn't get into. It could, potentially, because it's business related, but I wouldn't glob onto that one. And then network security protocols. It doesn't have anything to do with network security protocols. So if you had to narrow it down, you potentially could go with B and C, but the actual answer is B, the business driven approach to security. It's a framework and a methodology for delivering a cohesive information security solution that aligns with your business, thus providing a business driven approach.

Okay, so which of the following is not an underlying principle of COBIT? So we talked about this before. What is COBIT? That's one of the frameworks that deals specifically around IT and, well, so let's, if you know that going into it, then the answers would be: meeting stakeholders' needs is one answer. It's A, meeting, or applying a single integrated framework. That would be B. Or C, enabling a holistic approach. Or D, ensuring technological advancement. Okay, so which of the following is not an underlying principle of COBIT? Okay, so it's easy to glob onto the wrong one on this. But meets the stakeholders' need, that would be a principle that you would want it to do. Applying a single integrated framework, COBIT is an integrated framework. You'd want that to be the case. C, enabling a holistic approach. It's more all about. It's a full up, again, basically around the whole situation. Or D, ensuring technological advancement. Now, even though COBIT focuses on IT and it focuses on that aspect of it, it's not an underlying principle of COBIT. Okay, it focuses. COBIT focuses on the stakeholders' needs, your integrated framework, and enabling a holistic approach. So again, think about the question: which is not an underlying principle, an underlying principle of COBIT? Again, it's highly focused on IT and the technological aspects, but it's not ensuring that the technological advancement is occurring.

Okay, what is the primary focus of the COSO framework? Okay, so the COSO framework is a Committee on Sponsoring Organizations of the Treadway Commission. Okay, so that's really hard, right, but it's basically that's the purpose of COSO. Now the focus of it, since it is a Committee of Sponsoring Organizations of the Treadway Commission, okay, this focuses on internal controls within an organization, especially related to financial reporting. So, as you're going down this path, you may not have heard of COSO before; it is a focus on internal financial reporting. So, when we look at the questions, what is the primary focus of COSO? A, network security? No. B, internal controls within an organization? Possibly. C, disaster recovery? Not really. D, incident response? Not really. So the answer would have to be B. So again, you got to understand the COSO framework, even if you didn't know the COSO framework. If you understand it's probably not dealing with the disaster recovery or incident response, because both of them would probably fall within a very similar area, you could throw those out. Network security, it doesn't. I've never talked about that too much in our podcast, so it probably isn't one that would fall into that. So you then break it down to an internal control within an organization.

Next question: which stage of the RMF process includes the formal acceptance of a system? A, categorize. B, implement. C, authorize. Or D, monitor. So we're talking about the risk matrix framework, right, the risk management framework. So that's the RMF. The risk management framework, what includes the formal acceptance of the system? A, categorize. B, implement. C, authorize. Or D, monitor. And the answer is C, authorize. Authorize is the stage in which the RMF process involves the formal acceptance of the system and understanding the security controls that are in place.

In the context of security controls or the security control framework, which or what does the term baseline refer to? Okay, so in the context of security control frameworks, what does the term baseline refer to? A, a set of minimum security controls. B, the first phase in a risk assessment. C, the security incident response plan. Or D, the network monitoring tool. So you're looking at a baseline. Again, that's the sets, the beginning, the minimum security standards. What would that be? A, a set of minimum security controls or standards that you have in place. That is your baseline. This is the point, the starting point for your system hardening and in your overall risk management strategy.

Okay, I'm going to give you a couple of scenario questions real quick here. The CEO of a large financial organization is pushing for a quicker adoption of new technologies to stay competitive. As the CISO, you decide to follow a risk management framework to ensure a balance between rapid technology development and security. Which of the following is not generally used for this purpose? So you're looking for a risk management framework, okay, to help balance between rapid technology and security. So, and you're also looking for a quick adoption. So the following frameworks: NIST 800-53. So again, look at the negatives. This is not generally used for this purpose. NIST 800-53, ISO 27001, COBIT or Agile. So, as we've talked about in the podcast, those, the top three, are frameworks. Agile is not a framework. It's a, well, it is a framework, but it's a software development framework. It is not specifically around the overall risk management process that you would be tied to, typically, to 800-53 or ISO 27001 or COBIT. Sorry, can't speak, but again, Agile is a framework focused on software development, so it is not used for this specific purpose.

Okay, so next question: your organization is evaluating the financial impact of a potential data breach. The asset value is $500,000. So the one asset you're looking at, the value of it. Okay, when we talk about this whole plan of figuring out your single loss expectancy, this is your SLE. The asset value, AV, is $500,000. The exposure factor is 60%, which basically means 60% when you were exposed. What is the single loss expectancy that you can, you could, attribute to this potential data breach? You have $30,000. You have $60,000. You have $300,000, or you have $500,000. Again. So the overall single loss expectancy of an exposure factor of 60% is $300,000. So you basically take $600,000, or not $600,000, you take $500,000 times 60% and that will give you your single loss expectancy of $300,000.

Okay, thank you so much for today. You're all done. I hope you have a wonderful day. Go out to cisspcybertraining.com and you can check out what I've got there. It's available to you at any time and there's a lot of great stuff, from the blueprints to the videos, to questions you can ask me directly. I answer those. I do, really do. So please head on out to cisspcybertraining.com and go sign up for my free 30 days of CISSP questions, if you want that, or just go out there and see what other products we have available. I guarantee you, you will not be disappointed. All right, have a wonderful day and we'll catch you on the flip side. See you.

 

 

 
