Chapter 4: Frameworks questions and
correct solutions
Framework - correct answer ✔✔ A basic structure underlying a system, concept, or text
Purpose of frameworks in IT and Cybersecurity - correct answer ✔✔ To provide structure to the
ways in which we manage risks, develop enterprise architectures and secure all our assets.
NIST Risk Management Framework (RMF) - correct answer ✔✔ Step 1 Categorize Systems &
Data (Data Owner) *based on sensitively of information to be stored, transmitted and
processed. *
Step 2 Select Controls (System Owner)
*common controls, system-specific controls, and hybrid controls*
Step 3 Implement Controls (Custodians)
Step 4 Assess Controls *are they effective*
Step 5 Authorize Information System *get approval to connect our information system into out
broader architecture and operate it*
Step 5 Monitor
ISO/IEC 27005 - correct answer ✔✔ Focused on risk treatment , this joint international
organization for standardization/international electrotechnical commission framework is best
used in conjunction with ISO/IEC 27000 Series standards.
OCTAVE Method - correct answer ✔✔ The operationally critical threat, asset, and vulnerability
evaluation framework, developed at Carnegie Mellon university is focused on risk assessment.
-self directed, meaning that it sues a small team of representatives of IT and the business sides
of the organization to conduct the analysis. divided into 3 phases *First, analysis team defines
the threat profiles bases on assets that are critical to the business. Second, looks at the
, organizations technology infrastructure to identify vulnerabilities that might be exploited by
those threats. third, team analyses and classifies individual risks as high, medium, or low and
develops mitigations strategies for each.
FAIR - correct answer ✔✔ Focuses on precisely measuring the probabilities of incidents and
their impacts. (Qualitative vs Quantitive)
ISO/IEC 27000 Series - correct answer ✔✔ This is a series of international standards on how to
develop and maintain information security management systems , it is common for
organizations to seek an ISO/IEC 270001 certification by an accredited third party.
NIST Cybersecurity Framework - correct answer ✔✔ Driven by the need to secure government
systems, NIST developed this widely used and comprehensive framework for risk driven
information security.
Framework core - correct answer ✔✔ Identify, Protect, Detect, Respond, Recover
Identify (NIST) - correct answer ✔✔ Understand your organizations business context, rosaries,
and risks.
Protect (NIST) - correct answer ✔✔ Develop appropriate controls to mitigate risk in ways that
make sense.
Detect (NIST) - correct answer ✔✔ Discover apprioate controls to mitigate risk in ways that
make sense.
Respond (NIST) - correct answer ✔✔ Quickly contain the effects of anything that threatens your
security.
correct solutions
Framework - correct answer ✔✔ A basic structure underlying a system, concept, or text
Purpose of frameworks in IT and Cybersecurity - correct answer ✔✔ To provide structure to the
ways in which we manage risks, develop enterprise architectures and secure all our assets.
NIST Risk Management Framework (RMF) - correct answer ✔✔ Step 1 Categorize Systems &
Data (Data Owner) *based on sensitively of information to be stored, transmitted and
processed. *
Step 2 Select Controls (System Owner)
*common controls, system-specific controls, and hybrid controls*
Step 3 Implement Controls (Custodians)
Step 4 Assess Controls *are they effective*
Step 5 Authorize Information System *get approval to connect our information system into out
broader architecture and operate it*
Step 5 Monitor
ISO/IEC 27005 - correct answer ✔✔ Focused on risk treatment , this joint international
organization for standardization/international electrotechnical commission framework is best
used in conjunction with ISO/IEC 27000 Series standards.
OCTAVE Method - correct answer ✔✔ The operationally critical threat, asset, and vulnerability
evaluation framework, developed at Carnegie Mellon university is focused on risk assessment.
-self directed, meaning that it sues a small team of representatives of IT and the business sides
of the organization to conduct the analysis. divided into 3 phases *First, analysis team defines
the threat profiles bases on assets that are critical to the business. Second, looks at the
, organizations technology infrastructure to identify vulnerabilities that might be exploited by
those threats. third, team analyses and classifies individual risks as high, medium, or low and
develops mitigations strategies for each.
FAIR - correct answer ✔✔ Focuses on precisely measuring the probabilities of incidents and
their impacts. (Qualitative vs Quantitive)
ISO/IEC 27000 Series - correct answer ✔✔ This is a series of international standards on how to
develop and maintain information security management systems , it is common for
organizations to seek an ISO/IEC 270001 certification by an accredited third party.
NIST Cybersecurity Framework - correct answer ✔✔ Driven by the need to secure government
systems, NIST developed this widely used and comprehensive framework for risk driven
information security.
Framework core - correct answer ✔✔ Identify, Protect, Detect, Respond, Recover
Identify (NIST) - correct answer ✔✔ Understand your organizations business context, rosaries,
and risks.
Protect (NIST) - correct answer ✔✔ Develop appropriate controls to mitigate risk in ways that
make sense.
Detect (NIST) - correct answer ✔✔ Discover apprioate controls to mitigate risk in ways that
make sense.
Respond (NIST) - correct answer ✔✔ Quickly contain the effects of anything that threatens your
security.
