Isaca NIST-COBIT-2019 ISACA Implementing the NIST Cybersecurity Framework using COBIT 2019 Exam Practice Test

Page: 1 / 14
Total 50 questions
Question 1

The seven high-level CSF steps generally align to which of the following in COBIT 2019?



Answer : A

The seven high-level CSF steps generally align to the high-level phases of the COBIT 2019 implementation guide, which are: What are the drivers?; Where are we now?; Where do we want to be?; What needs to be done?; How do we get there?; Did we get there?; and How do we keep the momentum going?12. These phases provide a structured approach for implementing a governance system using COBIT 2019, and can be mapped to the CSF steps of Prioritize and Scope, Orient, Create a Current Profile, Conduct a Risk Assessment, Create a Target Profile, Determine, Analyze and Prioritize Gaps, and Implement Action Plan34.


Question 2

The goals cascade supports prioritization of management objectives based on:



Answer : C

The goals cascade is a mechanism that translates the stakeholder needs into specific, actionable, and customized goals at different levels of the enterprise12. The stakeholder needs are the drivers of the governance system and reflect the expectations and requirements of the internal and external parties that have an interest or influence on the enterprise34. The goals cascade supports the prioritization of management objectives based on the stakeholder needs, as well as the alignment of the enterprise goals, the alignment goals, and the governance and management objectives12.


Question 3

What is the MOST important reason to compare framework profiles?



Answer : C

The most important reason to compare framework profiles is to identify gaps between the current and target state of cybersecurity activities and outcomes, and to prioritize the actions needed to address them12. Framework profiles are the alignment of the functions, categories, and subcategories of the NIST Cybersecurity Framework with the business requirements, risk tolerance, and resources of the organization3. By comparing the current profile (what is being achieved) and the target profile (what is needed), an organization can assess its cybersecurity posture and develop a roadmap for improvement4.


Question 4

The CSF Implementation Tiers distinguish three fundamental dimensions of risk management to help enterprises evaluate which of the following?



Answer : A

The CSF Implementation Tiers distinguish three fundamental dimensions of risk management to help enterprises evaluate their cybersecurity posture, which is the alignment of their cybersecurity activities and outcomes with their business objectives and risk appetite12. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe the degree of rigor, integration, and collaboration of the organization's cybersecurity risk management practices12.


Question 5

Within the CSF Core structure, which type of capability can be implemented to help practitioners recognize potential or realized risk to enterprise assets?



Answer : C

The Detection capability is the type of capability within the CSF Core structure that can help practitioners recognize potential or realized risk to enterprise assets. The Detection capability consists of six categories that enable timely discovery of cybersecurity events, such as Anomalies and Events, Security Continuous Monitoring, and Detection Processes12.


Question 6

Analysis is one of the categories within which of the following Core Functions?



Answer : A

Analysis is one of the six categories within the Detect function of the NIST Cybersecurity Framework. The Analysis category aims to identify the occurrence of a cybersecurity event by performing data aggregation, correlation, and analysis12.


Question 7

What does a CSF Informative Reference within the CSF Core provide?



Answer : C

A CSF Informative Reference within the CSF Core provides a citation to a related activity from another standard or guideline that can help an organization achieve the outcome described in a CSF Subcategory12. For example, the Informative Reference for ID.AM-1 (Physical devices and systems within the organization are inventoried) is COBIT 5 APO01.01, which states 'Maintain an inventory of IT assets'3.


Page:    1 / 14   
Total 50 questions