This exam assesses foundational understanding of the NIST CSF Core (Govern, Identify, Protect, Detect, Respond, Recover), Profiles, and Implementation Tiers. Candidates must map controls to cybersecurity outcomes, interpret CSF Categories and Subcategories, understand risk-based planning, and evaluate organizational cybersecurity maturity. Scenario items test the ability to translate business needs into CSF-aligned security practices. Several items reference CSF 1.1 category identifiers that were renamed or moved in CSF 2.0; the explanations call these out where they occur.
Typology: Exams
Question 1. Which of the following best describes the primary purpose of the NIST Cybersecurity Framework (CSF)?
A) To enforce mandatory cybersecurity controls for all U.S. organizations.
B) To provide a voluntary, risk-based approach for managing and reducing cybersecurity risk.
C) To replace all existing industry-specific security standards.
D) To certify organizations as "cyber-secure."
Answer: B
Explanation: The CSF is a voluntary, risk-based framework that helps organizations understand, manage, and reduce cybersecurity risk. It does not itself mandate controls, supersede sector standards, or certify compliance; it is meant to be used alongside existing standards, which it maps to through Informative References.

Question 2. Who is the intended primary audience for the NIST CSF?
A) Only federal agencies.
B) Executives, risk managers, and cybersecurity practitioners across all sectors.
C) End users of IT systems.
D) Software vendors exclusively.
Answer: B
Explanation: The framework is written for a broad audience, from senior leaders through risk managers to technical staff, so that all of them share a common language for describing cybersecurity risk and outcomes.

Question 3. Which of the following components is NOT part of the CSF structure?
A) Core.
B) Implementation Tiers.
C) Profiles.
D) Certification Levels.
Answer: D
Explanation: The CSF consists of the Core, Implementation Tiers, and Profiles. It defines no certification levels.

Question 4. In CSF terminology, what does "Current Profile" refer to?
A) The set of cybersecurity outcomes an organization wishes to achieve.
B) The organization's existing cybersecurity outcomes.
C) Industry-wide best practices for security.
D) The regulatory requirements applicable to the organization.
Answer: B
Explanation: The Current Profile describes the Core outcomes the organization is achieving (fully or partially) today; the desired future state is the Target Profile.

Question 5. Which term defines the amount of risk an organization is willing to accept in pursuit of its objectives?
A) Risk Management.
D) EO 14028 – Improving the Nation's Cybersecurity.
Answer: B
Explanation: Executive Order 13636, Improving Critical Infrastructure Cybersecurity (February 2013), directed NIST to develop a voluntary framework for reducing cyber risk to critical infrastructure; the result was CSF 1.0, published in February 2014.

Question 8. The addition of which Function distinguishes CSF version 2.0 from the original version?
A) Identify.
B) Govern.
C) Protect.
D) Recover.
Answer: B
Explanation: CSF 2.0 (2024) introduced the Govern (GV) Function, which covers organizational context, risk management strategy, roles and responsibilities, policy, oversight, and cybersecurity supply chain risk management. The other five Functions existed in CSF 1.0 and 1.1.

Question 9. Which Core Function focuses on developing and implementing safeguards to limit the impact of a cybersecurity event?
A) Identify.
B) Protect.
C) Detect.
D) Respond.
Answer: B
Explanation: The Protect Function covers the safeguards that manage the organization's cybersecurity risk, ensure delivery of critical services, and limit or contain the impact of an event.

Question 10. In the Protect Function, which Category deals with limiting access to assets through authentication and authorization?
A) PR.AA – Identity Management, Authentication, and Access Control.
B) PR.DS – Data Security.
C) PR.PS – Platform Security.
D) PR.IR – Technology Infrastructure Resilience.
Answer: A
Explanation: PR.AA addresses identity management, credential and authentication management, and access control (authorization) for physical and logical assets.

Question 11. Which Subcategory under PR.DS (Data Security) addresses protecting data at rest, for example through encryption?
A) PR.DS-1: The confidentiality, integrity, and availability of data at rest are protected.
B) PR.DS-2: The confidentiality, integrity, and availability of data in transit are protected.
C) PR.DS-10: The confidentiality, integrity, and availability of data in use are protected.
D) PR.DS-11: Backups of data are created, protected, maintained, and tested.
Answer: A
Explanation: Data at rest is the first PR.DS Subcategory in both CSF 1.1 (PR.DS-1, "Data-at-rest is protected") and CSF 2.0 (PR.DS-01); data in transit is PR.DS-2/PR.DS-02. Encryption is the usual example, but the outcome is stated in terms of confidentiality, integrity, and availability rather than a specific mechanism. Note that CSF 2.0 zero-pads Subcategory identifiers (PR.DS-01, PR.DS-02, PR.DS-10, PR.DS-11).
Question 14. In the Recover Function, "Improvements" (RC.IM) primarily deals with:
A) Updating recovery plans and procedures based on lessons learned.
B) Encrypting backup data.
C) Deploying intrusion detection systems.
D) Conducting continuous monitoring of network traffic.
Answer: A
Explanation: RC.IM (CSF 1.1) incorporates lessons learned from incidents into recovery plans and strategies. In CSF 2.0 this category no longer exists: improvement activities for all Functions were consolidated under ID.IM (Improvement) in the Identify Function.

Question 15. Which Implementation Tier is characterized by informal, reactive risk management that is incident-driven?
A) Tier 1 – Partial.
B) Tier 2 – Risk Informed.
C) Tier 3 – Repeatable.
D) Tier 4 – Adaptive.
Answer: A
Explanation: Tier 1 (Partial) describes organizations whose cybersecurity risk management is ad hoc and reactive, with limited awareness of risk at the organizational level.

Question 16. An organization that has documented, organization-wide policies and consistent communication about cybersecurity is most likely at which Tier?
A) Tier 1.
B) Tier 2.
C) Tier 3.
D) Tier 4.
Answer: C
Explanation: Tier 3 (Repeatable) signifies that risk management practices are formally approved and expressed as policy, and that cybersecurity risk is communicated consistently across the organization.

Question 17. Which Tier reflects a proactive, continuously improving cybersecurity posture that is integrated into the organizational culture?
A) Tier 1.
B) Tier 2.
C) Tier 3.
D) Tier 4.
Answer: D
Explanation: Tier 4 (Adaptive) describes organizations that adapt their practices based on lessons learned and predictive indicators, and that treat cybersecurity risk management as part of organizational culture.

Question 18. What is the primary purpose of a "Profile" in the CSF?
A) To certify an organization's compliance with NIST standards.
B) To select specific Categories and Subcategories that align with business objectives.
Answer: C
Explanation: GV.SC (Cybersecurity Supply Chain Risk Management) specifically covers identifying, establishing, managing, monitoring, and improving supply chain risk management processes.

Question 21. In the Identify Function, "Asset Management" (ID.AM) includes which of the following activities?
A) Conducting penetration testing on external networks.
B) Maintaining an inventory of physical devices and software.
C) Developing a business continuity plan.
D) Implementing multi-factor authentication.
Answer: B
Explanation: ID.AM is about inventorying and managing the organization's assets (hardware, software, services, systems, and data) in proportion to their importance to the mission.

Question 22. Which Subcategory under ID.RA (Risk Assessment) covers using threats, vulnerabilities, likelihoods, and impacts to understand risk and prioritize responses?
A) ID.RA-1: Vulnerabilities in assets are identified, validated, and recorded.
B) ID.RA-3: Internal and external threats to the organization are identified and recorded.
C) ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization.
D) ID.RA-4: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded.
Answer: C
Explanation: ID.RA-1, ID.RA-3, and ID.RA-4 produce the inputs (vulnerabilities, threats, impacts and likelihoods); ID.RA-5 combines them to determine risk and prioritize the response. Identifiers follow CSF 2.0 (written ID.RA-01, ID.RA-05, etc. when zero-padded).

Question 23. The "Business Environment" (ID.BE) Category helps an organization understand:
A) The technical specifications of its firewalls.
B) Its mission, objectives, and role within critical infrastructure.
C) The pricing models of security vendors.
D) The number of active user accounts.
Answer: B
Explanation: ID.BE (CSF 1.1) focuses on the organization's mission, objectives, stakeholders, and position within the broader critical infrastructure sector. In CSF 2.0 this content moved to GV.OC (Organizational Context) under the Govern Function.

Question 24. Which of the following is an example of a "Technology Infrastructure Resilience" (PR.IR) activity?
A) Conducting user awareness training.
B) Implementing system redundancy and failover mechanisms.
C) Classifying data based on sensitivity.
D) Monitoring network traffic for anomalies.
Answer: B
Explanation: PR.IR deals with keeping infrastructure resilient: network protection, adequate resource capacity, and mechanisms such as redundancy and failover that maintain availability under adverse conditions.
Question 27. The "Roles, Responsibilities, and Authorities" (GV.RR) Category ensures which of the following?
A) That all employees have the same level of access.
B) Clear accountability for managing cybersecurity risk across the organization.
C) That only the IT department can make security decisions.
D) That risk assessments are performed quarterly.
Answer: B
Explanation: GV.RR establishes and communicates cybersecurity roles, responsibilities, and authorities, including leadership accountability for cybersecurity risk management.

Question 28. Which of the following best illustrates a "Current Profile" activity?
A) Defining the organization's future security goals.
B) Mapping existing security controls to CSF Subcategories.
C) Selecting new security technologies for the next fiscal year.
D) Conducting a market analysis of security vendors.
Answer: B
Explanation: Creating a Current Profile means assessing which Core outcomes (Subcategories) the organization is already achieving, typically by mapping the controls in place to them.

Question 29. In the context of the CSF, "Informative References" are:
A) Mandatory legal regulations.
B) Standards, guidelines, and best-practice documents that support the Framework's outcomes.
C) Internal policies that supersede the CSF.
D) Vendor-specific security certifications.
Answer: B
Explanation: Informative References map each Subcategory to specific sections of existing standards and guidelines (for example, NIST SP 800-53 controls or ISO/IEC 27001 controls) that show how the outcome can be achieved.

Question 30. Which of the following statements about the CSF's relationship to Enterprise Risk Management (ERM) is correct?
A) The CSF replaces ERM for all organizations.
B) The CSF is a subset of ERM focusing specifically on cybersecurity risk.
C) ERM is a component of the CSF's Protect Function.
D) The CSF only applies to IT risk, not business risk.
Answer: B
Explanation: The CSF complements ERM by providing a cybersecurity-specific lens within the organization's broader risk management process; cybersecurity risk is one input to enterprise-level risk decisions.

Question 31. The Govern Function's "Policy" (GV.PO) Category is primarily concerned with:
A) Drafting, reviewing, and enforcing cybersecurity policies.
C) PR.PS-1 and PR.PS-2.
D) DE.CM-1 and DE.CM-2.
Answer: A
Explanation: Protection of data at rest and in transit is covered by the PR.DS Subcategories (PR.DS-1 for data at rest, PR.DS-2 for data in transit). PR.PS Subcategories concern platform security (configuration and software/hardware maintenance) and DE.CM Subcategories concern continuous monitoring, not data protection.

Question 34. Which Core Function would you consult to manage and execute incident response activities?
A) Identify.
B) Protect.
C) Respond.
D) Recover.
Answer: C
Explanation: The Respond Function includes RS.MA (Incident Management), which covers executing the incident response plan, triaging and categorizing incidents, and escalating them. Note that writing and maintaining the plan itself is placed elsewhere: ID.IM-04 in CSF 2.0 (PR.IP-9 in CSF 1.1).

Question 35. The "Recovery Planning" (RC.RP) Category is most closely aligned with which business activity?
A) Conducting employee background checks.
B) Developing and testing Business Continuity and Disaster Recovery plans.
C) Performing regular penetration testing.
D) Managing software license inventories.
Answer: B
Explanation: RC.RP directly addresses executing and managing recovery procedures, which in practice means the organization's business continuity and disaster recovery plans and their testing.

Question 36. An organization wants to adopt a "risk-informed" approach but has not yet formalized organization-wide policies. Which Implementation Tier does this align with?
A) Tier 1 – Partial.
B) Tier 2 – Risk Informed.
C) Tier 3 – Repeatable.
D) Tier 4 – Adaptive.
Answer: B
Explanation: Tier 2 (Risk Informed) describes organizations whose risk management practices are approved by management but not yet established as organization-wide policy.

Question 37. Which of the following is an example of a "Detection Processes" (DE.DP, CSF 1.1) activity?
A) Conducting quarterly tabletop exercises to test detection capabilities.
B) Installing firewalls on the perimeter network.
C) Developing a data classification scheme.
D) Negotiating service level agreements with vendors.
Answer: A
Question 40. A firm wants to ensure that its supply chain partners meet the same cybersecurity standards. Which Govern Category should it address?
A) GV.SC – Cybersecurity Supply Chain Risk Management.
B) GV.PO – Policy.
C) GV.OC – Organizational Context.
D) GV.RM – Risk Management Strategy.
Answer: A
Explanation: GV.SC deals directly with managing the cybersecurity risks associated with suppliers and other third parties, including setting requirements for them and monitoring their performance.

Question 41. In the CSF, which Function is primarily responsible for establishing a baseline of normal operations?
A) Identify.
B) Detect.
C) Respond.
D) Recover.
Answer: B
Explanation: DE.AE (Anomalies and Events in CSF 1.1; Adverse Event Analysis in CSF 2.0) within the Detect Function is where a baseline of expected network operations and data flows is established and deviations from it are analyzed. In CSF 1.1 this is stated explicitly in DE.AE-1.

Question 42. Which of the following best describes a "Target Profile"?
A) The set of security controls mandated by law.
B) Desired cybersecurity outcomes an organization aims to achieve.
C) The current inventory of assets.
D) The list of all known vulnerabilities.
Answer: B
Explanation: The Target Profile defines the future state the organization wants to reach; the gap between it and the Current Profile drives the action plan.

Question 43. Which CSF Core Function would you consult to improve employee security awareness?
A) Identify.
B) Protect.
C) Detect.
D) Respond.
Answer: B
Explanation: PR.AT (Awareness and Training) under the Protect Function focuses on workforce education.

Question 44. Which Subcategory under PR.PS (Platform Security) addresses secure configuration management?
A) PR.PS-1: Configuration management practices are established and applied (baseline configurations).
B) PR.PS-2: Software is maintained, replaced, and removed commensurate with risk.
C) PR.PS-3: Hardware is maintained, replaced, and removed commensurate with risk.
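As an added illustration of the DE.AE outcome tested in Question 41 (establish a baseline of normal operations, then flag deviations from it), the following Python is example code written for this page; it is not from the exam, from NIST, or from any product. The flow-log lines and their `host=/dport=/bytes=` format are constructed for the example, and the per-host baseline (set of destination ports seen plus a byte-volume threshold) is one simple way to represent "expected operations", not the only one.

```python
"""Baseline-and-deviation detection over constructed flow-log lines.

Baseline: for each host, the destination ports seen and a byte-volume
threshold derived from the mean and population standard deviation.
Deviation: an unknown host, a destination port never seen for that host,
or an outbound volume above the host's threshold.
"""
import re
from statistics import mean, pstdev

# Constructed sample lines (not real data) used to establish the baseline.
# Hypothetical format: <timestamp> host=<name> dport=<port> bytes=<bytes_out>
BASELINE_LOGS = """
2024-05-01T08:00:00Z host=web01 dport=443 bytes=1200
2024-05-01T08:05:00Z host=web01 dport=443 bytes=1350
2024-05-01T08:10:00Z host=web01 dport=53 bytes=90
2024-05-01T08:15:00Z host=web01 dport=443 bytes=1100
2024-05-01T08:20:00Z host=web01 dport=443 bytes=1250
2024-05-01T08:00:00Z host=db01 dport=5432 bytes=4000
2024-05-01T08:10:00Z host=db01 dport=5432 bytes=4200
2024-05-01T08:20:00Z host=db01 dport=5432 bytes=3900
""".strip().splitlines()

# Constructed lines from a later window, evaluated against the baseline.
NEW_LOGS = """
2024-05-02T08:00:00Z host=web01 dport=443 bytes=1300
2024-05-02T08:01:00Z host=web01 dport=4444 bytes=900
2024-05-02T08:02:00Z host=web01 dport=443 bytes=50000
2024-05-02T08:03:00Z host=db01 dport=443 bytes=700
2024-05-02T08:04:00Z host=lap07 dport=443 bytes=500
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse(line):
    """Parse one flow line into a dict; reject anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    return {"ts": m["ts"], "host": m["host"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def build_baseline(lines, sigma=3.0, min_slack=0.25):
    """Per host: observed destination ports and a byte-volume threshold.

    threshold = mean + max(sigma * stdev, min_slack * mean), so a host whose
    baseline volume barely varies (stdev near 0) still gets some tolerance
    instead of alerting on every small increase.
    """
    per_host = {}
    for rec in map(parse, lines):
        h = per_host.setdefault(rec["host"], {"ports": set(), "bytes": []})
        h["ports"].add(rec["dport"])
        h["bytes"].append(rec["bytes"])
    baseline = {}
    for host, h in per_host.items():
        mu = mean(h["bytes"])
        sd = pstdev(h["bytes"])
        baseline[host] = {
            "ports": frozenset(h["ports"]),
            "threshold": mu + max(sigma * sd, min_slack * mu),
        }
    return baseline


def detect_anomalies(baseline, lines):
    """Return (line, reason) for each record that deviates from the baseline."""
    findings = []
    for line in lines:
        rec = parse(line)
        prof = baseline.get(rec["host"])
        if prof is None:
            findings.append((line, "unknown host"))
        elif rec["dport"] not in prof["ports"]:
            findings.append((line, f"new destination port {rec['dport']}"))
        elif rec["bytes"] > prof["threshold"]:
            findings.append((line, f"outbound volume {rec['bytes']} exceeds "
                                   f"threshold {prof['threshold']:.0f}"))
    return findings


if __name__ == "__main__":
    for line, reason in detect_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(f"{reason}: {line}")
```

Run against the constructed input, the first new line (web01 to port 443, 1300 bytes) is within baseline and produces nothing; the remaining four are flagged for a new port, an excessive volume, a new port on db01, and an unknown host respectively. In a real deployment the baseline window would be long enough to cover normal weekly and monthly patterns, and the threshold logic would be tuned per asset class rather than using one global sigma.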