Pass the Isaca Isaca Certification NIST-COBIT-2019 Questions and answers with CertsForce

A CSF Informative Reference within the CSF Core provides a citation to a related activity from another standard or guideline that can help an organization achieve the outcome described in a CSF Subcategory12. For example, the Informative Reference for ID.AM-1 (Physical devices and systems within the organization are inventoried) is COBIT 5 APO01.01, which states "Maintain an inventory of IT assets"3.

References: 1: Informative References: What are they, and how are they used? | NIST 2: Everything to Know About NIST CSF Informative References | Axio 3: NIST Cybersecurity Framework v1.1 - CSF Tools - Identity Digital

The function of the CSF that is addressed by incorporating governance, risk, and compliance (GRC) elements into the implementation plan is Identify, which assists in developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities. GRC elements help to define the governance program, the legal and regulatory requirements, the risk management strategy, and the supply chain risk management strategy of the organization12.

ReferencesThe Five Functions | NISTNIST Cybersecurity Framework 2.0: Understanding the "Govern" Function

One of the framework principles established by NIST is to ensure that the framework is consistent and aligned with existing regulatory and legal requirements that are relevant to cybersecurity12.

References: 1: Cybersecurity Framework | NIST 2: Framework Documents | NIST

The primary reason for establishing open communication between all participants and stakeholders as part of the implementation phase is to ensure issues can be identified and resolved, as this can facilitate the collaboration, coordination, and feedback among the involved parties, and help to overcome the challenges and risks that may arise during the implementation12.

ReferencesConnecting COBIT 2019 to the NIST Cybersecurity Framework - ISACAQuestions and Answers | NIST

This CSF step involves documenting the existing category and subcategory outcome achievements, by using the implementation status to indicate the degree to which the cybersecurity outcomes defined by the CSF Subcategories are currently being achieved by the organization12. The Current Profile reflects the current cybersecurity posture of the organization, and helps to identify the gaps and opportunities for improvement3 .

References: 1: Cybersecurity Framework Components | NIST 2: Cybersecurity Framework v1.1 - CSF Tools - Identity Digital 3: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA : REVIEW OF IMPLEMENTING THE NIST CYBERSECURITY FRAMEWORK USING COBIT 2019.

The organization’s asset register should primarily align to configuration management, because it is a process that maintains an accurate and complete inventory of the organization’s I&T assets and their relationships12. Configuration management supports the implementation of Step 2: Orient and Step 3: Create a Current Profile, because it helps to identify the systems, people, assets, data, and capabilities that are within the scope of the cybersecurity program, and to assess their current cybersecurity outcomes34.

References: 1: COBIT 2019 Framework – ITSM Docs - ITSM Documents & Templates 2: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution 3: Cybersecurity Framework Components | NIST 4: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA

A clear understanding of the likelihood and impact of cybersecurity events is critical for the success of CSF Step 6, as it helps to prioritize the gaps and actions based on the risk assessment and the cost-benefit analysis of the proposed solutions12.

References7 Steps to Implement & Improve Cybersecurity with NISTNIST CSF: The seven-step cybersecurity framework process

Executives are the role that will benefit most from a better understanding of the current cybersecurity posture by applying the CSF. This is because executives are responsible for setting the strategic direction, objectives, and priorities for the organization, as well as overseeing the allocation of resources and the management of risks1. By applying the CSF, executives can gain a comprehensive and consistent view of the cybersecurity risks and capabilities of the organization, and align them with the business goals and requirements2. The CSF can also help executives communicate and collaborate with other stakeholders, such as regulators, customers, suppliers, and partners, on cybersecurity issues3.

References: 1: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 2: Cybersecurity Framework | NIST 3: Framework Documents | NIST

According to the ISACA guide, engaging business and IT process owners for internal expertise is most important for successful execution of CSF implementation Step 6, as they can provide valuable insights into the current and desired states of the processes, the gaps and potential solutions, and the costs and benefits of the implementation1. They can also help to align the cybersecurity program with the business objectives and risk appetite of the organization.

ReferencesImplementing the NIST Cybersecurity Framework Using COBIT 2019, page 17.

The goals cascade is a mechanism that translates the stakeholder needs into specific, actionable, and customized goals at different levels of the enterprise12. The stakeholder needs are the drivers of the governance system and reflect the expectations and requirements of the internal and external parties that have an interest or influence on the enterprise34. The goals cascade supports the prioritization of management objectives based on the stakeholder needs, as well as the alignment of the enterprise goals, the alignment goals, and the governance and management objectives12.

References: 1: COBIT 2019 Goals Cascade: A Blueprint for Success 2: COBIT 2019 Framework – ITSM Docs - ITSM Documents & Templates 3: COBIT | Control Objectives for Information Technologies | ISACA 4: Aligning IT goals using the COBIT5 Goals Cascade