CIS control 2: inventory and control of software assets - answer-Actively manage all software on the
network so that only authorized software is installed and can execute, and that unauthorized and
unmanaged software is found and prevented from installation or execution.
NIST CSF Framework Core - Components - answer-Identify
Protect
Detect
Respond
Recover
NIST - Identify CORE - answer-Focuses on creating canonical records of the assets an organization uses
to support information processing operations
NIST - Protect CORE - answer-Focuses on safeguards and access controls to networks, applications and
other devices deployed as well as regular updates to security software, including encryption for sensitive
information, data backups, plans for disposing of files or unused devices
NIST - Detect CORE - answer-Identifies the tools and resources needed to detect active cybersecurity
attacks, which includes monitoring network access points, user
NIST - Respond CORE - answer-Outlines how a company should contain a cybersecurity event, react
using planned responses that mitigate losses, and notify all affected parties
NIST - Recover CORE - answer-Focuses on supporting the restoration of a company's network to normal
operations through repairing equipment, restoring backed up files or environments, and positioning
employees to rebound with the right response
NIST CSF - Implementation Tiers THINK INTEGRATION - answer-Tier 1 - Partial (lowest level)
Tier 2 - Risk Informed
Tier 3 - Repeatable
Tier 4 - Adaptive (highest level)
NIST CSF - Tier 1 (Partial) - answer-Risk management process - Risk management is ad hoc (on the fly)
and reactive where prioritization of info security efforts is not strategic or directed by organizational
priority.
Risk Management Program Integration - Incident management is ad hoc and not integrated into
organizational processes.
External Participation - Corporate cybersecurity is isolated, and the organization does not evaluate
external risks
NIST CSF - Tier 2 (Risk-informed) - answer-Risk management process- cybersecurity prioritization is
based on organizational risk, and management approves cybersecurity efforts; however, cybersecurity
may be isolated from organizational processes
Risk management program integration - The rest of the organization is aware of cybersecurity, but not
managing securely. There is awareness, but no integration
External participation - There is awareness of how the security risks impact the organization, but
inconsistent actions are taken to respond to those tasks
NIST CSF - Tier 3 (Repeatable) - answer-Risk management process- utilizes cybersecurity in planning and
has enshrined cybersecurity practices that are documented
Risk management program integration- organizational risk approach to cybersecurity where
cybersecurity is integrated into planning and regularly communicated among senior leadership
External participation- governance structures internally to manage cyber risk
NIST CSF - Tier 4 (Adaptive) - answer-Risk management process- based on iterative improvement based
on internal and extern