CISSP Question #288: Real Exam Question with Answer & Explanation

The correct answer is A: Asset Management, Business Environment, Governance and Risk Assessment. The NIST Cybersecurity Framework organizes security activities into five core functions, each containing specific control categories. A low maturity in the 'Identify' function points to deficiencies in the categories that fall under it.

Submitted by packet_pusher · Mar 5, 2026 · Security and Risk Management

Question

A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions: Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the Identify function. In which of the following control categories does this company need to improve when analyzing its processes individually?

Options

  • A. Asset Management, Business Environment, Governance and Risk Assessment
  • B. Access Control, Awareness and Training, Data Security and Maintenance
  • C. Anomalies and Events, Security Continuous Monitoring and Detection Processes
  • D. Recovery Planning, Improvements and Communications

Explanation

The NIST Cybersecurity Framework organizes security activities into five core functions, each containing specific control categories. A low maturity in the 'Identify' function points to deficiencies in the categories that fall under it.

Common mistakes.

  • B. Access Control, Awareness and Training, Data Security, and Maintenance are control categories belonging to the 'Protect' function of the NIST CSF, not the 'Identify' function, and the company already scores high in Protect.
  • C. Anomalies and Events, Security Continuous Monitoring, and Detection Processes are control categories within the 'Detect' function of the NIST CSF, which the company already has a high maturity rating for.
  • D. Recovery Planning, Improvements, and Communications are control categories that belong to the 'Recover' function of the NIST CSF, in which the company already demonstrates high maturity.

Concept tested. NIST CSF Identify function control categories

Reference. https://www.nist.gov/cyberframework/framework

Topics

#NIST Cybersecurity Framework #risk management #asset management #governance
