ISC 1 Regulations, Standards, and
Frameworks Exam Questions with
Complete Answers
Framework Profiles - ANSWER-mechanisms by which NIST recommends that organizations measure their cybersecurity risk and establish a roadmap to reduce it
- can be thought of as implementation guides, often with insight specific to a particular industry or sector
- NIST recommends building a Current Profile (where the organization is today) and a Target Profile (where it wants to be), then performing a gap analysis between the two to produce the improvement roadmap
Privacy Framework - ANSWER-voluntary NIST tool that helps organizations manage the privacy risk to individuals that arises from data processing
similar structure to the NIST CSF: it expresses outcomes in the form of a Framework Core (Functions, Categories, Subcategories), Profiles, and Implementation Tiers, and there is a degree of overlap with the NIST CSF
Functions of the Privacy Framework - ANSWER-five functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. Identify and Protect overlap with the CSF; the three functions unique to the Privacy Framework are:
Govern: build and run the organizational governance structure (policies, roles, risk priorities) for managing privacy risk
Control: give the organization and individuals the ability to manage data with enough granularity to manage privacy risk
Communicate: enable a reliable understanding of, and dialogue about, how data are processed and the associated privacy risks
Used alongside the five CSF functions, this gives eight functions in total.
Framework Profiles and Implementation Tiers - ANSWER-operate identically to the NIST CSF profiles: the Privacy Framework recommends creating a Current Profile and a Target Profile, then developing a gap analysis and a roadmap for improvement
Tiers also mirror those found in the NIST CSF
NIST Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53) - ANSWER-catalog of security and privacy controls applicable to all information systems; it has become the standard for federal information systems (required under FISMA)
- stricter than the CSF and the Privacy Framework: its controls are designed to protect information systems against sophisticated threats
- purpose is to help organizations identify the security and privacy controls needed to manage risk
NIST SP 800-53 target audience - ANSWER-individuals with:
- system oversight responsibilities
- system development responsibilities
- logistical or disposition-related responsibilities
- security and privacy implementation responsibilities
- assessment and monitoring responsibilities
Three control implementation approaches that NIST SP 800-53 allows, chosen on a per-control basis: - ANSWER-1. Common (inheritable): the control is implemented once at the organization level and inherited by multiple systems (for example, physical security of a shared data center)
2. System-specific: the control is implemented by and for an individual information system
3. Hybrid: part of the control is implemented at the organization level and the remainder at the information system level
Privacy Laws - ANSWER-exist to protect an individual's private life and keep personal details out of the public domain
Privacy laws regulate how those entrusted with private information must collect, process, maintain, and disclose it
Data breaches - ANSWER-exposure of confidential information to unauthorized persons; there are two categories:
1. Unintentional: results from negligence or error (misconfiguration, lost device, misdirected email)
2. Intentional: results from bad actors illegally gaining access to data
Health Insurance Portability and Accountability Act (HIPAA) - ANSWER-adopts national standards promoting health care privacy and security
applies to specific health care-related entities and businesses (covered entities and their business associates), including:
- health care providers, health plans, health care clearinghouses, and the business associates that handle PHI on their behalf
HIPAA Privacy Rule permits a covered entity to use and disclose PHI: - ANSWER-- to the individual
- for treatment, payment, and health care operations
- with the individual's valid written authorization
- for public interest and benefit activities permitted by the law
HIPAA Security Rule requires safeguards for covered entities and business associates, including: -
ANSWER-1. Administrative Safeguards: security management process, workforce security, contingency planning
2. Physical Safeguards: facility access controls, workstation use and security, device and media controls
3. Technical Safeguards: access controls, audit controls, integrity controls, transmission security
General Data Protection Regulation (GDPR) - ANSWER-EU regulation that sets out the circumstances in which it is lawful to process personal data (for example, with valid consent or when complying with a legal obligation) and applies to:
- data controllers and processors established in the EU, regardless of where the processing takes place
- organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU