Match each Recover Function component with its primary activity.
Component
Disaster Recovery
Business Continuity
Data Restoration
Impact Analysis
Primary Activity
A) Implementing backup solutions
B) Ensuring minimum disruption to operations
C) Recovering data post-incident
D) Assessing the effect on business and finances
- A . Disaster Recovery – A; Business Continuity – B; Data Restoration – C; Impact Analysis – D
- B . Disaster Recovery – A; Business Continuity – B; Data Restoration – D; Impact Analysis – C
- C . Disaster Recovery – A; Business Continuity – C; Data Restoration – B; Impact Analysis – D
- D . Disaster Recovery – B; Business Continuity – A; Data Restoration – C; Impact Analysis – D
What is the primary focus of the BIA?
- A . Prevents threats to the environment
- B . Determines criticality of assets to the business
- C . Identifies roles and responsibilities for asset recovery
- D . Maintains controls for recovery
What are the five categories that make up the Response function?
- A . Response Planning, Data Security, Communications, Analysis, and Mitigation
- B . Response Planning, Communications, Analysis, Mitigation, and Improvements
- C . Mitigation, Improvements, Maintenance, Response Planning, and Governance
- D . Awareness and Training, Improvements, Communications, Analysis, and Governance
In the NIST Cybersecurity Framework, the "Tiers" component is used to assess which of the following?
- A . Cybersecurity incident response
- B . The organization’s risk management maturity
- C . Network encryption standards
- D . The organization’s compliance with regulations
What contains a predefined set of efforts that describes an organization’s mission/business critical processes, and defines how they will be sustained during and after a significant disruption?
- A . Disaster Recovery Plan
- B . Risk Assessment Strategy
- C . Business Continuity Plan
- D . Business Impact Analysis
What entity offers a framework that is ideally suited to handle an organization’s operational challenges?
- A . COBIT
- B . COSO
- C . NIST
- D . ISO
Which of the following best describes the purpose of the Detect Function within the NIST Cybersecurity Framework?
- A . To identify potential security incidents
- B . To develop disaster recovery plans
- C . To create security awareness among employees
- D . To restrict access to critical systems
What type of controls are crucial within the Identify Function for inventory classification?
- A . Physical security controls
- B . Data security controls
- C . Classification and access controls
- D . Network access controls
Your organization has been breached. The attacker has sent an email demanding $100,000 in cryptocurrency in exchange for not dumping all your customer information onto the dark web. Following the RACI Matrix model outlined in your IRP, you have informed all parties, contained the breach, and eradicated the threat.
What needs to be done next?
- A . Update response strategies
- B . Perform forensics
- C . Investigate notifications from detection systems
- D . Categorize incidents consistent with Response Plan
A new employee is starting work at your company. When should they be informed of the company’s security policy?
- A . Based on human resource policy
- B . After the first security infraction
- C . Annual security policy review
- D . During regular security awareness sessions
What activity informs situational awareness of the security status of an organization’s systems?
- A . IDP
- B . RMF
- C . ISCM
- D . DPI
What are the main components of the NIST Cybersecurity Framework?
- A . Core, Categories, and Tiers
- B . Functions, Profiles, and Tiers
- C . Categories, Tiers, and Profiles
- D . Core, Tiers, and Profiles
Which tools can support the Detect Function’s goal of identifying cybersecurity events? (Select two)
- A . Intrusion Detection Systems (IDS)
- B . Identity and Access Management (IAM)
- C . Security Information and Event Management (SIEM)
- D . Disaster Recovery Planning (DRP) tools
Which activity is crucial in the Respond Function to ensure proper documentation of the steps taken during a cybersecurity incident?
- A . Continuous monitoring
- B . Incident analysis
- C . Communications planning
- D . Incident documentation
When implementing the NIST Cybersecurity Framework, what is the first step in the implementation process?
- A . Conduct a risk assessment
- B . Define the current cybersecurity profile
- C . Identify gaps in security policies
- D . Create a communication plan
What is a consideration when developing a Disaster Recovery Plan?
- A . Define scenarios by type and scope of impact
- B . Develop termination strategies
- C . Exchange essential information between stakeholders
- D . Method to terminate incident responses
What contains a predefined set of instructions or processes that describes the management policy, procedures, and written plan defining recovery of information systems?
- A . RAS
- B . DRP
- C . BIA
- D . BCP
What is an accurate statement concerning the Cyber Resilient Lifecycle (CRLC) and the Cybersecurity Framework (CSF)?
- A . The CRLC is focused on business resiliency; the CSF is focused on providing a framework.
- B . The CRLC can be used to make the CSF actionable.
- C . The CRLC is focused on cybersecurity; the CSF is focused on science and technology.
- D . The CRLC and CSF are separate frameworks, and are used separately.
What is part of the Pre-Recovery phase?
- A . Backup validation
- B . Validate functionality
- C . Restore assets
- D . Monitor assets
A company is conducting awareness training for all employees to recognize phishing attacks.
This activity aligns with which part of the Protect Function?
- A . Access Control
- B . Protective Technology
- C . Awareness and Training
- D . Data Security
When evaluating a cybersecurity framework, COBIT 2019 emphasizes ___ as a key design factor for tailoring the framework to the organization.
- A . Compliance obligations
- B . Organizational risk appetite
- C . Current technology infrastructure
- D . Employee cybersecurity training
What is a recommended usage of the Detect function?
- A . Implement following the Protect Function
- B . Remain confidential to IT management
- C . Communicate to appropriate levels
- D . Eliminate risks among systems
The ___ function in the NIST Cybersecurity Framework is responsible for identifying vulnerabilities and threats that may affect the organization.
- A . Protect
- B . Identify
- C . Detect
- D . Recover
An organization’s security team is analyzing logs from its Security Information and Event Management (SIEM) system to identify unusual patterns.
Which subcategory of the Detect Function does this activity support?
- A . Detection Processes
- B . Anomalies and Events
- C . Continuous Monitoring
- D . Security Awareness
The Backup Recovery Plan is dependent on what effort?
- A . PR.DS
- B . RTO
- C . BIA
- D . SDLC
The CSF recommends that the Communication Plan for an IRP include audience, method of communication, frequency, and what other element?
- A . Incident category
- B . Message criteria
- C . Incident severity
- D . Templates to use
The __________ component of the Respond Function involves ensuring that all affected parties, both internal and external, receive timely updates during an incident.
- A . Communications Plan
- B . Recovery Strategy
- C . Incident Analysis
- D . Continuous Monitoring
What database is used to record and manage assets?
- A . Configuration Management Database
- B . Asset Inventory Management Database
- C . High Availability Mirrored Database
- D . Patch Management Inventory Database
A retail company experiences a data breach affecting customer records. The Incident Response Plan calls for immediate containment and communication with affected customers.
Which Respond Function subcategories are directly addressed in this response?
- A . Detection and Analysis
- B . Containment and Communication
- C . Recovery and Documentation
- D . Risk Assessment and Training
Which category addresses the detection of unauthorized code in software?
- A . PR.DS
- B . DE.DP
- C . PR.AT
- D . DE.CM
You have been tasked with documenting the mission-critical procedures of an organization that need to be sustained through a significant disruption.
What document would you develop?
- A . Business Continuity Plan
- B . Business Impact Assessment
- C . Risk Analysis Report
- D . Regression Test Plan
Match each Respond Function component with its primary purpose.
Component
Containment
Communications Plan
Incident Analysis
After-Action Review
Purpose
A) Limiting the spread of the incident
B) Guidelines for internal and external updates
C) Identifying the root cause of the incident
D) Evaluating response effectiveness
- A . Containment – A; Communications Plan – B; Incident Analysis – C; After-Action Review – D
- B . Containment – A; Communications Plan – C; Incident Analysis – B; After-Action Review – D
- C . Containment – A; Communications Plan – D; Incident Analysis – C; After-Action Review – B
- D . Containment – C; Communications Plan – B; Incident Analysis – A; After-Action Review – D
When conducting a risk assessment as part of the NIST Cybersecurity Framework, which of the following elements is critical for identifying risks?
- A . Industry benchmarks
- B . Asset inventory
- C . Organizational policies
- D . Network topology
Which of the following is NOT one of the five core functions of the NIST Cybersecurity Framework?
- A . Protect
- B . Detect
- C . Validate
- D . Identify
What activity is supported by the Protect function in the NIST Cybersecurity Framework Core?
- A . Take action regarding a detected cybersecurity event
- B . Manage cybersecurity risk to systems, assets, and data
- C . Ensure delivery of critical infrastructure services
- D . Ensure resilience and restore services impacted by a cybersecurity event
Which of the following is essential for ensuring "timely recovery to normal operations" as defined in the Recover Function?
- A . Continuous monitoring
- B . Regular training sessions
- C . A Business Continuity Plan (BCP)
- D . Security access controls
What determines the technical controls used to restrict access to USB devices and help prevent their use within a company?
- A . Block use of the USB devices for all employees
- B . Written security policy prohibiting the use of the USB devices
- C . Acceptable use policy in the employee HR on-boarding training
- D . Detect use of the USB devices and report users
Which NIST Cybersecurity Framework tier describes an organization that adapts its cybersecurity practices based on evolving threats?
- A . Tier 1: Partial
- B . Tier 2: Risk-Informed
- C . Tier 3: Repeatable
- D . Tier 4: Adaptive
Your organization was breached. You informed the CSIRT and they contained the breach and eradicated the threat.
What is the next step required to ensure that you have an effective CSRL and a more robust cybersecurity posture in the future?
- A . Determine change agent
- B . Update the BIA
- C . Conduct a gap analysis
- D . Update the BCP
The NIST Cybersecurity Framework is structured around which main elements? (Select two)
- A . Core
- B . Tiers
- C . Objectives
- D . Roadmaps
Within the Protect Function, what is the purpose of implementing access control subcategory controls?
- A . To enhance network traffic analysis
- B . To manage who can access specific assets and systems
- C . To improve disaster recovery planning
- D . To facilitate endpoint protection
What is the purpose of a baseline assessment?
- A . Enhance data integrity
- B . Determine costs
- C . Reduce deployment time
- D . Determine risk
Your data center uses a diesel generator as backup for two different power grids provided by your regional power company. During a period of unprecedented heat, you experience brown-outs on both grids simultaneously.
The diesel generator starts up but only runs for two minutes before it also shuts down, leaving your entire data center down until grid power can be restored. Further inspection reveals a clogged fuel filter.
Failing to schedule preventive service for the backup generator is a failure in which function?
- A . Recover
- B . Respond
- C . Detect
- D . Protect
When should event analysis be performed?
- A . Only when requested by an auditor
- B . Routinely for all events collected on a mission critical system
- C . Only at the discretion of an authorized security analyst
- D . After an event is triggered by the detection system
What is a consideration when performing data collection in Information Security Continuous Monitoring?
- A . Data collection efficiency is increased through automation.
- B . The more data collected, the better chances to catch an anomaly.
- C . Collection is used only for compliance requirements.
- D . Data is best captured as it traverses the network.
In COBIT 2019, the design of a cybersecurity framework requires ___ to ensure that organizational objectives align with cybersecurity outcomes.
- A . Governance principles
- B . Communication strategies
- C . Management involvement
- D . Framework mapping
What procedure is designed to enable security personnel to detect, analyze, contain, eradicate, respond, and recover from malicious computer incidents such as unauthorized changes to system hardware, software, or data?
- A . Emergency Analysis Plan
- B . Crisis Communication Plan
- C . Disaster Recovery Plan
- D . Incident Response Plan
In the context of the Recover Function, which of the following are critical for achieving business resiliency? (Select two)
- A . Risk assessment tools
- B . Disaster recovery testing
- C . Incident response procedures
- D . Cloud-based backup solutions
After a cybersecurity incident, which Respond Function activity focuses on assessing what went well and what could be improved?
- A . Threat intelligence gathering
- B . Root cause analysis
- C . After-action review
- D . Continuous monitoring
A security audit of the systems on a network must be performed to determine their compliance with security policies.
Which control should be used for the audit?
- A . PR.DS
- B . DE.CM
- C . RS.MI
- D . ID.AM
The primary goal of the COBIT 2019 governance system is to ensure that ___ aligns with the overall business strategy.
- A . Cybersecurity risks
- B . IT operations
- C . Network uptime
- D . External compliance standards
The ___________ component of the Detect Function is responsible for identifying unusual patterns or activities that may indicate a threat.
- A . Incident Response
- B . Anomalies and Events
- C . Threat Assessment
- D . Disaster Recovery
Tiers in the NIST Cybersecurity Framework help organizations assess their level of ___.
- A . Technical maturity
- B . Cybersecurity governance
- C . Risk management
- D . Vendor compliance
An organization is creating a customized version of the NIST Cybersecurity Framework to align with its unique risk profile and business requirements. They are currently mapping their organizational priorities and risk tolerance to the framework functions.
Which part of the NIST Framework are they focusing on?
- A . Core
- B . Tiers
- C . Profiles
- D . Objectives
Match each Detect Function component with its primary purpose.
Component
Continuous Monitoring
Anomalies and Events
Detection Processes
Threat Intelligence
Purpose
A) Real-time observation for suspicious activities
B) Identifying unusual patterns
C) Formalizing detection protocols
D) Analyzing data to identify threats
- A . Continuous Monitoring – A; Anomalies and Events – B; Detection Processes – C; Threat Intelligence – D
- B . Continuous Monitoring – A; Anomalies and Events – B; Detection Processes – D; Threat Intelligence – C
- C . Continuous Monitoring – A; Anomalies and Events – C; Detection Processes – B; Threat Intelligence – D
- D . Continuous Monitoring – D; Anomalies and Events – B; Detection Processes – C; Threat Intelligence – A
Rank order the relative severity of impact to an organization of each plan, where “1” signifies the most impact and “4” signifies the least impact.
Which protective technologies are typically associated with the Protect Function? (Select two)
- A . Data encryption
- B . Business impact analysis
- C . Access management
- D . Threat intelligence analysis
What is the primary purpose of the COBIT 2019 governance framework in the context of cybersecurity?
- A . To improve firewall configurations
- B . To ensure alignment between business goals and cybersecurity strategy
- C . To enforce external compliance regulations
- D . To manage software development processes
COBIT 2019’s focus on cybersecurity risk aligns with which NIST Cybersecurity Framework component?
- A . Respond
- B . Profiles
- C . Governance
- D . Tiers
The ___ function of the NIST Cybersecurity Framework ensures timely identification of cybersecurity events.
- A . Respond
- B . Identify
- C . Detect
- D . Recover
Which of the following are key components of an Incident Response Plan? (Select two)
- A . Identification and containment procedures
- B . Inventory and classification of assets
- C . Communication guidelines
- D . Budget allocation for new technology
What categories are specifically contained within the Identify function?
- A . Asset Management, Governance, Risk Assessment
- B . Communications, Supply Chain Management, Business Environment
- C . Business Environment, Asset Management, Anomalies and Events
- D . Supply Chain Risk, Data Security, Response Planning
What is the main goal of a gap analysis in the Identify function?
- A . Determine security controls to improve security measures
- B . Determine actions required to get from the current profile state to the target profile state
- C . Identify gaps between Cybersecurity Framework and Cyber Resilient Lifecycle pertaining to that function
- D . Identify business process gaps to improve business efficiency
How does the COBIT 2019 Framework assist organizations in managing cybersecurity risks?
- A . By providing technical control implementation guidance
- B . By defining roles and responsibilities for governance and risk management
- C . By conducting vulnerability scans
- D . By developing encryption standards
The __________ process ensures that businesses can continue essential operations with minimal interruption after a cybersecurity incident.
- A . Incident Detection
- B . Business Continuity
- C . Access Control
- D . Incident Response
Which COBIT 2019 component aligns most closely with the "Respond" function of the NIST Cybersecurity Framework?
- A . Risk management
- B . Incident response
- C . Cybersecurity budgeting
- D . IT compliance
How does COBIT 2019 enhance the implementation of the NIST Cybersecurity Framework?
- A . By providing detailed technical configurations
- B . By offering a governance structure for managing risks
- C . By aligning with external vendor practices
- D . By defining specific recovery processes
An organization is creating a disaster recovery plan. They want to ensure all critical assets are accounted for and prioritized.
Which component of the Identify Function should they emphasize?
- A . Maintenance of access control lists
- B . Continuously updated inventory of assets
- C . Implementation of endpoint detection
- D . Real-time threat intelligence feeds
The Identify Function helps establish a ___________ to assess and categorize organizational assets by their importance.
- A . Baseline configuration
- B . Risk mitigation strategy
- C . Comprehensive inventory
- D . Security awareness program
What does the Identify Function facilitate in the context of Disaster Recovery and Incident Response planning?
- A . The identification of stakeholders
- B . The development of communication protocols
- C . Continuous asset inventory and classification
- D . Implementation of security controls
Which document is designed to limit damage, reduce recovery time, and reduce costs where possible to the organization?
- A . Business Impact Analysis
- B . Business Continuity Plan
- C . Risk Assessment Strategy
- D . Incident Response Plan
The Disaster Recovery Plan must document what effort in order to address unrecoverable assets?
- A . RTO savings
- B . Recovery priority
- C . Recovery resources
- D . Recovery resources
Which mechanism within the NIST Cybersecurity Framework describes a method to capture the current state and define the target state in order to understand gaps and exposure and to prioritize changes that mitigate risk?
- A . Functions
- B . Profiles
- C . Tiers
- D . Categories
Which of the following are benefits of implementing continuous monitoring within the Detect Function? (Select two)
- A . Early detection of security incidents
- B . Improved access control management
- C . Enhanced visibility of network activity
- D . Reduction in hardware costs
In the NIST Cybersecurity Framework, which of the following components is key to ensuring continuity in critical functions after a cybersecurity event?
- A . Protect
- B . Identify
- C . Recover
- D . Detect
The NIST Cybersecurity Framework relies on which of the following to guide organizations through effective cybersecurity risk management?
- A . Tiers and Profiles
- B . Incident Response Plans
- C . Vendor Management Frameworks
- D . Network Architecture Policies
Match the following components of the Identify Function with their main purpose.
Component
Asset Inventory
Risk Assessment
Classification Controls
Business Impact Analysis
Purpose
A) Listing and updating assets needing cybersecurity
B) Determining likelihood and impact of cybersecurity risks
C) Categorizing assets based on criticality
D) Identifying essential business functions for recovery
- A . Asset Inventory – A; Risk Assessment – B; Classification Controls – C; Business Impact Analysis – D
- B . Asset Inventory – A; Risk Assessment – B; Classification Controls – D; Business Impact Analysis – C
- C . Asset Inventory – A; Risk Assessment – C; Classification Controls – B; Business Impact Analysis – D
- D . Asset Inventory – D; Risk Assessment – C; Classification Controls – B; Business Impact Analysis – A
COBIT 2019 complements the NIST Cybersecurity Framework by focusing on what aspect of cybersecurity risk management?
- A . Monitoring technical network controls
- B . Governance and oversight
- C . Ensuring incident response
- D . Increasing encryption strength
Which NIST Cybersecurity Framework function should be executed before any others?
- A . Respond
- B . Protect
- C . Recover
- D . Identify
An organization has a policy to respond “ASAP” to security incidents. The security team is having a difficult time prioritizing events because they are responding to all of them, in order of receipt.
Which part of the IRP does the team need to implement or update?
- A . Scheduling of incident responses
- B . ‘Post-mortem’ documentation
- C . Classification of incidents
- D . Containment of incidents
One of the five core functions in the NIST Cybersecurity Framework is ___, which focuses on minimizing the impact of cybersecurity events.
- A . Recover
- B . Detect
- C . Protect
- D . Respond
Which function of the NIST Cybersecurity Framework focuses on ensuring the organization is able to identify and contain the impact of cybersecurity incidents?
- A . Recover
- B . Respond
- C . Detect
- D . Identify
A key consideration in implementing a Disaster Recovery Plan (DRP) is the __________, which defines how quickly systems need to be restored.
- A . Recovery Time Objective (RTO)
- B . Business Impact Assessment (BIA)
- C . Cyber Resilience Protocol
- D . Security Control Evaluation
Within the Protect Function, ___________ involves limiting access to only those individuals who need it for their work.
- A . Awareness Training
- B . Threat Detection
- C . Access Control
- D . Disaster Recovery
What process is used to identify an organization’s physical, digital, and human resources, as required for its Business Impact Analysis?
- A . Risk Management Strategy
- B . Risk Assessment
- C . Risk Treatment
- D . Asset Inventory
In which function is the SDLC implemented?
- A . Respond
- B . Protect
- C . Detect
- D . Recover
Which function of the NIST Cybersecurity Framework should be prioritized first in building a cybersecurity strategy?
- A . Identify
- B . Protect
- C . Detect
- D . Recover
Match each Protect Function subcategory with its main focus.
Subcategory
Data Security
Awareness Training
Protective Technology
Baseline Configuration
Focus
A) Ensuring only authorized personnel have access
B) Educating employees on cybersecurity practices
C) Implementing tools to safeguard systems and networks
D) Establishing a secure starting point for systems
- A . Data Security – A; Awareness Training – B; Protective Technology – C; Baseline Configuration – D
- B . Data Security – A; Awareness Training – D; Protective Technology – C; Baseline Configuration – B
- C . Data Security – A; Awareness Training – B; Protective Technology – D; Baseline Configuration – C
- D . Data Security – B; Awareness Training – A; Protective Technology – C; Baseline Configuration – D
In COBIT 2019, which design factor is essential for tailoring the implementation of the NIST Cybersecurity Framework to an organization’s needs?
- A . Organizational culture
- B . Compliance regulations
- C . External threats
- D . Budget limitations
The network security team in your company has discovered a threat that leaked partial data from a compromised file server that handles sensitive information. Containment must be initiated and addressed by the CSIRT. Service disruption is not a concern because this server is used only to store files and does not hold any critical workload.
Your company security policy requires that all forensic information be preserved.
Which actions should you take to stop data leakage and comply with requirements of the company security policy?
- A . Disconnect the file server from the network to stop data leakage and keep it powered on for further analysis.
- B . Shut down the server to stop the data leakage and power it up only for further forensic analysis.
- C . Restart the server to purge all malicious connections and keep it powered on for further analysis.
- D . Create a firewall rule to block all external connections for this file server and keep it powered on for further analysis.