Which of the following informative references specifically caters to financial institutions by integrating cybersecurity and regulatory compliance guidelines into a single framework?
A.
CRI Profile
B.
OWASP
C.
CSA STAR ITIL
Correct Answer: A
Explanation:
Cyber Risk Institute (CRI) Profile provides a comprehensive framework that integrates cybersecurity and
regulatory compliance guidelines specifically tailored for financial institutions, helping them address both
cybersecurity threats and regulatory requirements. Information Technology Infrastructure Library (ITIL)
offers best practices for IT service management, focusing on aligning IT services with business needs. It
does not specifically address the unique cybersecurity and regulatory compliance integration for financial
institutions. Open Web Application Security Project (OWASP) provides a comprehensive framework
focused on improving the security of software and web applications, offering best practices but not
specifically designed for the regulatory integration required by financial institutions. Cloud Security
Alliance (CSA) Security, Trust and Assurance Registry (STAR) primarily focuses on providing security
assurance in cloud services and is not tailored specifically for financial institutions or regulatory
compliance integration.
Question #2 (Topic: demo questions)
Which of the following is the purpose of the Recover function in the NIST Cybersecurity Framework?
A.
Assess the organization's compliance with cybersecurity policies
B.
Develop and implement plans for resilience and restoration from incidents
C.
Establish protections from cybersecurity threats
D.
Quickly identify cybersecurity breaches
Correct Answer: B
Explanation:
The Recover function in the NIST Cybersecurity Framework helps an organization develop and
implement appropriate activities to maintain resilience plans and restore any capabilities or services that
were impaired due to a cybersecurity incident. The Protect function in the NIST Cybersecurity
Framework is used by organizations to develop and implement safeguards to ensure the delivery of
critical services and the protection of physical and digital assets against cyber threats. The Detect
function in the NIST Cybersecurity Framework is used by organizations to develop and implement
appropriate activities to identify the occurrence of a cybersecurity event through timely discovery and
analysis of anomalies, indicators of compromise, and other potentially adverse events.
Question #3 (Topic: demo questions)
How can an organization use its NIST Cybersecurity Framework profile to develop its cybersecurity
strategy?
A.
To dictate the exact technologies that must be implemented
B.
To identify which cybersecurity regulations are applicable internationally
C.
To automate the response to all identified cybersecurity threats
D.
To identify gaps between current practices and desired outcomes
Correct Answer: D
Explanation:
Using a profile helps an organization understand where it stands and what it needs to improve to reach
its desired cybersecurity state, effectively guiding strategic development. Profiles guide the overall
approach and goals rather than specifying particular technologies. Profiles are specific to organizational
needs and do not directly identify applicable international regulations. While profiles help in planning
responses, they do not automate responses to cybersecurity threats.
Question #4 (Topic: demo questions)
Ahealthcare provider uses an outdated version of medical record software that no longer receives
security updates. What does this situation expose the organization to?
A.
A threat posed by external hackers specifically targeting the healthcare sector
B.
A vulnerability due to unsupported software containing unpatched security flaws
C.
A risk mitigation strategy involving the upgrade of software systems
D.
The effectiveness of current cybersecurity training for healthcare staff
Correct Answer: B
Explanation:
Using outdated software that no longer receives updates exposes the organization to vulnerabilities, as
these systems are more susceptible to known exploits and security breaches. Staff training is essential
but does not directly relate to the vulnerability described, which involves outdated software. While
external hackers pose a threat, the scenario specifically highlights a vulnerability in the organization's
use of outdated software. The scenario describes a current vulnerability, not the implementation of a risk
mitigation strategy.
Question #5 (Topic: demo questions)
Asmall retail company with limited cybersecurity resources primarily reacts to security incidents as they
occur, without a formal policy or plan in place. Their cybersecurity efforts are ad hoc and not coordinated
among departments. Based on this scenario, which implementation tier best describes the company's
current cybersecurity posture?
Tier 1 (Partial) describes organizations with an ad hoc and uncoordinated approach to cybersecurity,
which relies on reactive, rather than proactive, measures. Tier 3 (Repeatable) indicates well-established,
consistent cybersecurity practices, which clearly does not apply to the company’s situation as described.
Tier 2 (Risk Informed) would not fit as it suggests that the company has at least some risk-informed
approaches, which is not evident in the scenario described. Tier 4 (Adaptive) involves an adaptive,
proactive approach to cybersecurity management, far advanced from the company's described practices.