Isaca NIST-COBIT-2019 ISACA Implementing the NIST Cybersecurity Framework using COBIT 2019 Exam Practice Test

The seven high-level CSF steps generally align to the high-level phases of the COBIT 2019 implementation guide, which are: What are the drivers?; Where are we now?; Where do we want to be?; What needs to be done?; How do we get there?; Did we get there?; and How do we keep the momentum going?12. These phases provide a structured approach for implementing a governance system using COBIT 2019, and can be mapped to the CSF steps of Prioritize and Scope, Orient, Create a Current Profile, Conduct a Risk Assessment, Create a Target Profile, Determine, Analyze and Prioritize Gaps, and Implement Action Plan34.

References: 1: COBIT 2019 Implementation Guide 2: COBIT 2019 Implementation - ISACA 3: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 4: REVIEW OF IMPLEMENTING THE NIST CYBERSECURITY FRAMEWORK USING COBIT 2019.

A gap assessment is the most critical process tool to performing Implementation Phase 3, as it helps to identify the current and desired states of the selected processes, and the gaps and potential solutions to bridge them. A gap assessment also helps to create a detailed business case and a high-level program plan for the implementation12.

References7 Phases in COBIT Implementation | COBIT Certification - SimplilearnCOBIT 2019 Design and Implementation COBIT Implementation, page 31.

One of the framework principles established by NIST is to ensure that the framework is consistent and aligned with existing regulatory and legal requirements that are relevant to cybersecurity12.

References: 1: Cybersecurity Framework | NIST 2: Framework Documents | NIST

The most beneficial result of an effective CSF implementation plan is that cybersecurity risk management practices are formalized and institutionalized, which means that the organization has established and maintained a consistent and comprehensive approach to managing cybersecurity risks across its systems, processes, and people. This result can help the organization to reduce the likelihood and impact of cybersecurity events, improve its resilience and compliance, and enhance its reputation and trust12.

ReferencesPublic Draft: The NIST Cybersecurity Framework 2, page 1.Cybersecurity Framework | NIST

The Detection capability is the type of capability within the CSF Core structure that can help practitioners recognize potential or realized risk to enterprise assets. The Detection capability consists of six categories that enable timely discovery of cybersecurity events, such as Anomalies and Events, Security Continuous Monitoring, and Detection Processes12.

References: 1: The Five Functions | NIST 2: Cybersecurity Framework | NIST

The goals cascade is a mechanism that translates the stakeholder needs into specific, actionable, and customized goals at different levels of the enterprise12. The stakeholder needs are the drivers of the governance system and reflect the expectations and requirements of the internal and external parties that have an interest or influence on the enterprise34. The goals cascade supports the prioritization of management objectives based on the stakeholder needs, as well as the alignment of the enterprise goals, the alignment goals, and the governance and management objectives12.

References: 1: COBIT 2019 Goals Cascade: A Blueprint for Success 2: COBIT 2019 Framework – ITSM Docs - ITSM Documents & Templates 3: COBIT | Control Objectives for Information Technologies | ISACA 4: Aligning IT goals using the COBIT5 Goals Cascade

The objective of COBIT Implementation Phase 3 is to set an improvement target and identify gaps and potential solutions using COBIT’s guidance. This involves creating a detailed business case and a high-level program plan for the implementation.

ReferencesCOBIT 2019 Design and Implementation COBIT Implementation, page 31.7 Phases in COBIT Implementation | COBIT Certification - Simplilearn

The primary reason for establishing open communication between all participants and stakeholders as part of the implementation phase is to ensure issues can be identified and resolved, as this can facilitate the collaboration, coordination, and feedback among the involved parties, and help to overcome the challenges and risks that may arise during the implementation12.

ReferencesConnecting COBIT 2019 to the NIST Cybersecurity Framework - ISACAQuestions and Answers | NIST

Analysis is one of the six categories within the Detect function of the NIST Cybersecurity Framework. The Analysis category aims to identify the occurrence of a cybersecurity event by performing data aggregation, correlation, and analysis12.

References: 1: The Five Functions | NIST 2: Cybersecurity Framework Components | NIST

Identifying quick wins for implementation first is the best approach to gain support for the process, as it can demonstrate the value and feasibility of the project, and motivate the stakeholders to overcome the resistance and embrace the change12. Quick wins are those actions that can be implemented rapidly and easily, and that can produce visible and measurable results3.

References7 Phases in COBIT Implementation | COBIT Certification - SimplilearnImplementing the NIST Cybersecurity Framework Using COBIT 2019, page 17.What is a Quick Win? - Definition from Techopedia

According to the NIST Cybersecurity Framework, an organization should review cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events. This information can help the organization to identify potential threats, vulnerabilities, and consequences, and to assess the current and target profiles of its cybersecurity posture12.

ReferencesIdentifying and Estimating Cybersecurity Risk for Enterprise Risk Management, page 19.COBIT VS NIST : A Comprehensive Analysis - ITSM Docs

This is an objective of Implementation Phase 3: Where Do We Want to Be?, because it involves defining the desired state of the enterprise’s governance and management system, based on the stakeholder needs, drivers, and scope12. This objective also includes developing a business case that provides the rationale and justification for the improvement program, and a high-level program plan that outlines the scope, objectives, approach, and resources of the program3 .

References: 1: COBIT 2019 Implementation Guide 2: COBIT 2019 Implementation - ISACA 3: Business Case Development - ISACA : How to Write a Business Case for Cybersecurity Projects | Infosec

Defining business cases is a primary input into Steps 2 and 3: Orient and Create a Current Profile, because it involves identifying the business drivers, mission, objectives, and risk appetite of the organization, as well as the scope and boundaries of the cybersecurity program12. A business case is a document that provides the rationale and justification for initiating a cybersecurity project or program, and describes the expected benefits, costs, risks, and alternatives34.

References: 1: Cybersecurity Framework Components | NIST 2: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 3: Business Case Development - ISACA 4: How to Write a Business Case for Cybersecurity Projects | Infosec

This represents a best practice for completing CSF Step 3: Create a Current Profile, because it involves collaborating with relevant stakeholders to identify the current cybersecurity outcomes and implementation status of the organization12. Engaging in a dialogue and obtaining input can help to ensure that the Current Profile reflects the business drivers, mission, objectives, and risk appetite of the organization, as well as the scope and boundaries of the cybersecurity program34.

References: 1: Cybersecurity Framework Components | NIST 2: Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide3 3: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 4: NIST CSF: The seven-step cybersecurity framework process5

The primary function of COBIT Implementation Phase 7 is to provide an opportunity for closing the loop for communication workflow, which means to ensure that the results and feedback of the implementation are reported and communicated to the relevant stakeholders, and that the lessons learned and best practices are captured and shared for future reference12.

References7 Phases in COBIT Implementation | COBIT Certification - SimplilearnCOBIT 2019 Design and Implementation COBIT Implementation, page 31.