QUESTIONS AND ANSWERS SURE A+
Disruptive innovation (2:84) - Creates a new market, eventually displacing old or outdated technology or processes. Examples: mass-produced cars, digital music, digital photography, PCs, smartphones, telephones, Wikipedia.
Jobs to be Done theory (2:86) - Customers don't just buy products; they hire solutions to get jobs done. Provides insight into what customers actually want and value.
Security Framework - Need for (2:92) - Provides a blueprint for building security programs, managing risk, and communicating about security using a common vocabulary. Examples are ISO 2700, COBIT, ENISA Evaluation Framework, FFIEC Cybersecurity Assessment Tool, NIST Cybersecurity Framework.
NIST Cybersecurity Framework (2:94) - 3 parts: Core, Implementation Tiers, and Profiles. Defines a common language for managing security risk.
NIST - Framework Core (2:94) - Identify: planning activities to understand business needs and threats so they can be prioritized; Protect: activities that prevent or contain the impact of security incidents; Detect: activities that identify security incidents; Respond: incident response activities; Recover: activities that restore normal operations and reduce the impact of security incidents.
NIST - Framework Core (cont'd) (2:94) - Helps organizations describe their current cybersecurity posture; describe their target state for cybersecurity; identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; assess progress toward the target state; communicate among internal and external stakeholders about cybersecurity risk.
Framework Categories - Identify (2:96) - Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, Supply Chain Risk Management
Framework Categories - Protect (2:97) - Access Control (PR.AC), Awareness & Training (PR.AT), Data Security (PR.DS), Information Protection Processes and Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT)
Tips for using the Cybersecurity Framework (2:99) - Defines a comprehensive set of activities that can be conducted by your security program. New programs can use the framework as a guiding light.
Measuring Maturity (2:100) - Defines four implementation tiers that represent an "increasing degree of rigor and sophistication in cybersecurity risk management practices." Tier 1 - Partial; Tier 2 - Risk Informed; Tier 3 - Repeatable; Tier 4 - Adaptive
Maturity Models - Types (2:101/2) - These provide a way to measure organizational capabilities and identify areas for improvement. Examples include Capability Maturity Model Integration (CMMI), ESG Maturity Model, Gartner ITScore, Cybersecurity Capability Maturity Model (C2M2), Building Security In Maturity Model (BSIMM), Open Software Assurance Maturity Model (OpenSAMM), Capability Immaturity Model (CIMM) - 4 levels, Level 0 to 3
Enterprise Strategy Group (ESG) Security Model (2:103) - Lays out a progression for basic, progressing, and advanced organizations in 4 categories - Philosophy, People, Process, Technology
Capability Maturity Model Integration (CMMI) (2:104) - Defines what should be done to improve performance. Defines 5 maturity levels and 3 areas of focus: CMMI for Development (CMMI-Dev) for product and service development, CMMI for Services (CMMI-SVC) for service establishment and management, CMMI for Acquisition (CMMI-ACQ) for product and service acquisition.
Capability Maturity Model Integration (CMMI) Maturity Levels (2:105) - Level 1 - Initial, Level 2 - Repeatable, Level 3 - Defined, Level 4 - Managed, Level 5 - Optimizing.
Security controls (2:107) - Strong security controls are the foundation of any program. Examples include NIST SP 800-53, Critical Security Controls (CSC), Australian Signals Directorate (ASD) Mitigation Strategies
NIST SP 800-53 (2:108) - Security and Privacy Controls for Federal Information Systems and Organizations; a comprehensive control catalog containing a large number of security controls that you can potentially use in your program.
CIS Security Controls (2:109) - Center for Internet Security; security controls developed and maintained by CIS that are a subset of the comprehensive catalog in NIST SP 800-53
Mapping Controls to the Security Framework (2:110) - Maps the CSC to other commonly used security frameworks, compliance standards, and control guidance.
Gap analysis (2:115) - Contains three steps: 1 - Identify the future state; 2 - Analyze the current situation; 3 - Define actions/proposals that bridge the gap between the current and future state.
Security Roadmap (2:126) - Developing a plan of action for the security program
Roadmap Development (2:126-129) - 3-step process: Step 1 - Identify what is being done today; Step 2 - Map current capabilities to maturity levels; Step 3 - Prioritize new initiatives to increase maturity
Decision Matrix analysis (2:130) - Tool used to rank initiatives and inform decisions. Categories include cost, ability to execute, stakeholder support, threat defense.
Business Case (The why?) (2:136) - Helps to estimate the costs and benefits of various initiatives; helps management determine resource allocation.
Business Case (What is it?) (2:137) - Captures the reason for an initiative and lays out a problem and the potential solutions. Includes underlying assumptions and rationale.
Business Case (Different approaches) (2:139) - Cost approach - how much does it cost to recover; Industry comparison approach - what are comparable firms doing; Business innovation approach - what can I gain from this?
Business Case (Cost approach) (2:140-141) - Numbers include direct and indirect costs, e.g. engaging forensics experts, credit monitoring, in-house investigations and communication, extrapolated value of customer loss. Issue that may arise: numbers aren't always accurate (over/under estimates).
Business Case (Industry comparison approach) (2:144) - What is reasonable for security based on industry, size, market position, region; can be analyzed by spending and maturity comparisons
Business Case (Industry comparison approach - Spending Comparison) (2:144) - Provides a rough understanding of organizational maturity and can indicate whether spending has been focused solely on meeting mandatory requirements or has expanded beyond the necessary requirements.
Business Case (Industry comparison approach - Maturity Comparison) (2:146) - Comparing your security program to others via Information Sharing & Analysis Centers (ISACs), community projects, research and consulting organizations.
BSIMM Maturity Comparison Model Radar Chart (2:149) - Represents organizational maturity level compared to your overall industry for various security capabilities in the Protect area of the NIST Cybersecurity Framework.
Business Case (Business Innovation approach) (2:151) - Business opportunities; business requirements; business risk