COURSE 2 – PLAY IT SAFE: MANAGE SECURITY RISKS

Module 2: Security Frameworks and Controls

GOOGLE CYBERSECURITY PROFESSIONAL CERTIFICATE

Coursera Study Guide

INTRODUCTION – Security Frameworks and Controls

In this course, the emphasis is on delving into security frameworks and controls, offering a comprehensive exploration of the fundamental elements within the confidentiality, integrity, and availability (CIA) triad. The curriculum places a spotlight on Open Web Application Security Project (OWASP) security principles, providing valuable insights into industry-standard practices.

Additionally, participants will gain proficiency in the intricacies of security audits, further enhancing their understanding of proactive measures to fortify digital landscapes. This review highlights the course’s focus on essential security concepts, equipping learners with a robust foundation in contemporary cybersecurity principles.

Learning Objectives

  • Define and describe the purpose of security frameworks and controls.
  • Describe the CIA triad.
  • Explain the National Institute of Standards and Technology (NIST) frameworks.
  • Identify security principles.
  • Examine how businesses use security frameworks and controls to protect business operations.
  • Define security audits.
  • Explore common elements of internal security audits.

TEST YOUR KNOWLEDGE: MORE ABOUT FRAMEWORKS AND CONTROLS

1. How do security frameworks enable security professionals to help mitigate risk?

  • They are used to establish laws that reduce a specific security risk.
  • They are used to refine elements of a core security model known as the CIA triad.
  • They are used to create unique physical characteristics to verify a person’s identity.
  • They are used to establish guidelines for building security plans. (CORRECT)

Security frameworks are used to establish guidelines for building security plans that enable security professionals to help mitigate risk.

2. Competitor organizations are the biggest threat to a company’s security.

  • True
  • False (CORRECT)

People are the biggest threat to a company’s security. This is why educating employees about security challenges is essential for minimizing the possibility of a breach.

3. Fill in the blank: Security controls are safeguards designed to reduce _____ security risks.

  • broadscale
  • public
  • specific (CORRECT)
  • general

Security controls are safeguards designed to reduce specific risks.

4. A security analyst works on a project designed to reduce the risk of vishing. They developed a plan to protect their organization from attackers who could exploit biometrics. Which type of security control does this scenario describe?

  • Encryption
  • Ciphertext
  • Classification
  • Authentication (CORRECT)

This describes authentication, which is the process of implementing controls to verify who someone or something is before granting access to specific resources within a system.

TEST YOUR KNOWLEDGE: THE CIA TRIAD

1. What is the CIA triad?

  • A foundational security model used to set up security policies and systems (CORRECT)
  • A set of security controls used to update systems and networks
  • Ongoing validation processes involving all employees in an organization
  • A mandatory security framework involving the selection of appropriate controls

The CIA triad is a foundational security model used to set up security policies and systems. The core principles of the model are confidentiality, integrity, and availability.

2. Which element of the CIA triad specifies that only authorized users can access specific information?

  • Integrity
  • Access
  • Confidentiality (CORRECT)
  • Confirmation

Confidentiality specifies that only authorized users can access specific information.

3. A security analyst discovers that certain data is inaccessible to authorized users, which is preventing these employees from doing their jobs efficiently. The analyst works to fix the application involved in order to allow for timely and reliable access. Which element of the CIA triad does this scenario describe?

  • Capacity
  • Integrity
  • Availability (CORRECT)
  • Applicability

Correct!

4. Fill in the blank: According to the CIA triad, _____ refers to ensuring that an organization’s data is verifiably correct, authentic, and reliable.

  • Availability
  • Credibility
  • Accuracy
  • Integrity (CORRECT)

According to the CIA triad, integrity refers to ensuring that an organization’s data is verifiably correct, authentic, and reliable.

5. Fill in the blank: The CIA triad is a model that helps inform how organizations consider _____ when setting up systems and security policies.

  • risk (CORRECT)
  • access
  • data
  • assets

The confidentiality, integrity, availability (CIA) triad is a model that helps inform how organizations consider risk when setting up systems and security policies.

TEST YOUR KNOWLEDGE: NIST FRAMEWORKS

1. What is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)?

  • A collection of security principles focused on maintaining confidentiality, integrity, and availability
  • A set of security controls that help analysts determine what to do if a data breach occurs
  • A required business framework for ensuring security updates and repairs are successful
  • Standards, guidelines, and best practices that organizations follow voluntarily in order to manage cybersecurity risk (CORRECT)

The NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

2. Fill in the blank: The five core functions that make up the CSF are: identify, protect, detect, _____, and recover.

  • respond (CORRECT)
  • reflect
  • reevaluate
  • regulate

The five core functions that make up the CSF are: identify, protect, detect, respond, and recover.

3. Fill in the blank: The CSF _____ function relates to monitoring systems and devices in an organization’s internal network to help security teams manage potential cybersecurity risks and their effects.

  • respond
  • identify (CORRECT)
  • protect
  • recover

The CSF identify function relates to monitoring systems and devices in an organization’s internal network to help security teams manage potential cybersecurity risks and their effects.

4. What does a security analyst’s work involve during the CSF recover function?

  • Contain, neutralize, and analyze security incidents
  • Protect an organization through the implementation of employee training
  • Pinpoint threats and improve monitoring capabilities
  • Return affected systems back to normal operation (CORRECT)

During the recover function, a security analyst’s work involves returning affected systems back to normal operation.

TEST YOUR KNOWLEDGE: OWASP PRINCIPLES AND SECURITY AUDITS

1. A security analyst disables certain software features to reduce the potential vulnerabilities that an attacker could exploit at their organization. Which OWASP security principle does this scenario describe?

  • Minimize the attack surface (CORRECT)
  • Fix security issues correctly
  • Defense in depth
  • Separation of duties

This scenario describes minimizing the attack surface.

2. Fill in the blank: A security _____ is a review of an organization’s security controls, policies, and procedures against a set of expectations.

  • audit (CORRECT)
  • survey
  • examination
  • classification

A security audit is a review of an organization’s security controls, policies, and procedures against a set of expectations.

3. A security professional closely examines their organization’s network, then evaluates potential risks to the network. Their goal is to ensure internal safeguards and processes are effective. What security concept does this scenario describe?

  • Controls assessment (CORRECT)
  • Security recommendations
  • Compliance regulations
  • Communicating results

This scenario describes a controls assessment. A controls assessment involves closely reviewing an organization’s existing assets, then evaluating potential risks to those assets in order to ensure internal controls and processes are effective.

4. A security professional is asked to communicate the results of an internal security audit to stakeholders. What should be included in that communication? Select three answers.

  • A list of risks and compliance requirements that need to be addressed (CORRECT)
  • A summary of the audit’s scope and goals (CORRECT)
  • A recommendation about how to improve the organization’s security posture (CORRECT)
  • A list of questions for stakeholders to answer

When communicating the results of an internal audit to stakeholders, the communication should include a summary of the audit’s scope and goals; a list of risks and compliance requirements that need to be addressed; and a recommendation about how to improve the organization’s security posture.

PORTFOLIO ACTIVITY: CONDUCT A SECURITY AUDIT

1. You reviewed the scope, goals, and risk assessment report.

  • Yes (CORRECT)
  • No

Correct!

2. You considered risks to Botium Toys’ customers, employees, and/or assets, based on controls and compliance best practices that are or are not currently implemented.

  • Yes (CORRECT)
  • No

Correct

3. You reviewed the control categories document.

  • Yes (CORRECT)
  • No

Correct

4. You selected “yes” or “no” for each control listed.

  • Yes (CORRECT)
  • No

Correct

5. You selected “yes” or “no” for each compliance best practice.

  • Yes (CORRECT)
  • No

Correct

MODULE 2 CHALLENGE

1. What is the purpose of a security framework?

  • Create security controls to protect marketing campaigns
  • Establish policies to expand business relationships
  • Build plans to help mitigate risks and threats to data and privacy (CORRECT)
  • Develop procedures to help identify productivity goals

Correct

2. Which of the following characteristics are examples of biometrics? Select all that apply.

  • Eye scan (CORRECT)
  • Fingerprint (CORRECT)
  • Palm scan (CORRECT)
  • Password

Correct

3. Which of the following statements accurately describe the CSF? Select all that apply.

  • The protect function of the CSF involves returning affected systems back to normal operation.
  • The identify function of the CSF involves managing cybersecurity risk and its effects on an organization’s people and assets. (CORRECT)
  • Implementing improvements to a security process is part of the respond function of the CSF. (CORRECT)
  • The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. (CORRECT)

Correct

4. A security team establishes controls, including permission settings that will be used to create multiple security points that a threat actor must get through to breach their organization. Which OWASP principle does this scenario describe?

  • Defense in depth (CORRECT)
  • Separation of duties
  • Principle of least privilege
  • Keep security simple

Correct

5. What are some of the primary objectives of an internal security audit? Select all that apply.

  • Help security teams identify organizational risk (CORRECT)
  • Avoid fines due to a lack of compliance (CORRECT)
  • Reduce the amount of data on a network
  • Determine what needs to be improved in order to achieve the desired security posture (CORRECT)

Correct

6. Fill in the blank: In an internal security audit, _____ involves identifying potential threats, risks, and vulnerabilities in order to decide what security measures should be implemented.

  • establishing the scope and goals
  • conducting a risk assessment (CORRECT)
  • communicating to stakeholders
  • assessing compliance

Correct

7. A security analyst performs an internal security audit. They determine that the organization needs to install surveillance cameras at various store locations. What are they working to establish?

  • Physical controls (CORRECT)
  • Technical controls
  • Administrative controls
  • Communication controls

Correct

8. What information is typically communicated to stakeholders after completion of an internal security audit? Select three answers.

  • Comprehensive details about each part of the process
  • Compliance regulations to be adhered to (CORRECT)
  • Strategies for improving security posture (CORRECT)
  • Results and recommendations (CORRECT)

Correct

9. How do organizations use security frameworks to develop an effective security posture?

  • As a guide to identify threat actor strategies
  • As a policy to protect against phishing campaigns
  • As a policy to support employee training initiatives
  • As a guide to reduce risk and protect data and privacy (CORRECT)

Correct

10. Fill in the blank: A security professional uses _____ to convert data from a readable format to an encoded format.

  • authentication
  • encryption (CORRECT)
  • authorization
  • confidentiality

Correct

11. You work as a security analyst for a community organization that has large amounts of private data. Which core principle of the CIA triad do you use to ensure private information is kept safe?

  • Consistency
  • Integrity
  • Availability
  • Confidentiality (CORRECT)

Correct

12. A security team considers how to avoid unnecessarily complicated solutions when implementing security controls. Which OWASP principle does this scenario describe?

  • Principle of least privilege
  • Keep security simple (CORRECT)
  • Defense in depth
  • Fix security issues correctly

Correct

13. Fill in the blank: The planning elements of an internal security audit include establishing scope and _____, then conducting a risk assessment.

  • goals (CORRECT)
  • limitations
  • controls
  • compliance

Correct

14. What information is typically communicated to stakeholders after completion of an internal security audit? Select three answers.

  • Strategies for improving security posture (CORRECT)
  • Existing risks that need to be addressed now or in the future (CORRECT)
  • Detailed data about past cybersecurity incidents
  • A summary of the goals (CORRECT)

Correct

15. What does a security professional use to create guidelines and plans that educate employees about how they can help protect the organization?

  • Security hardening
  • Security posture
  • Security framework (CORRECT)
  • Security audit

Correct

16. Fill in the blank: An employee using multi-factor authentication to verify their identity is an example of the _____ process.

  • encryption
  • integrity
  • confidentiality
  • authentication (CORRECT)

Correct

17. What are some of the primary objectives of an internal security audit? Select all that apply.

  • Limit traffic on an organization’s firewall
  • Enable security teams to assess controls (CORRECT)
  • Identify any security gaps or weaknesses within an organization (CORRECT)
  • Help security teams correct compliance issues (CORRECT)

Correct

18. You work as a security analyst at a bank and need to ensure that customers can access their account information. Which core principle of the CIA triad are you using to confirm their data is accessible to them?

  • Integrity
  • Accuracy
  • Availability (CORRECT)
  • Confidentiality

Correct

19. Which of the following statements accurately describe the CSF? Select all that apply.

  • The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. (CORRECT)
  • Restoring affected files or data is part of the recover function of the CSF. (CORRECT)
  • The identify function of the CSF involves returning affected systems back to normal operation.
  • The detect function of the CSF involves improving monitoring capabilities to increase the speed and efficiency of detections. (CORRECT)

Correct

20. A security team has just finished addressing a recent security incident. They now conduct tests to ensure that all of their repairs were successful. Which OWASP principle does this scenario describe?

  • Fix security issues correctly (CORRECT)
  • Minimize attack surface area
  • Principle of least privilege
  • Separation of duties

Correct

21. A security analyst performs an internal security audit. They focus on the human component of cybersecurity, such as the policies and procedures that define how their company manages data. What are they working to establish?

  • Compliance controls
  • Administrative controls (CORRECT)
  • Technical controls
  • Physical controls

Correct

22. What information is typically communicated to stakeholders after completion of an internal security audit? Select three answers.

  • Questions about specific controls
  • Results and recommendations (CORRECT)
  • A summary of the scope (CORRECT)
  • A list of existing risks (CORRECT)

Correct

23. Fill in the blank: A security professional uses _____ to verify that an employee has permission to access a resource.

  • integrity
  • authorization (CORRECT)
  • admission
  • encryption

Correct

24. Fill in the blank: In an internal security audit, _____ refers to identifying people, assets, policies, procedures, and technologies that might impact an organization’s security posture.

  • implementing administrative controls
  • goals
  • scope (CORRECT)
  • completing a controls assessment

Correct