Isaca Updated NIST-COBIT-2019 Exam Questions and Answers by hidayah

According to the NIST Cybersecurity Framework, an organization should review cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events. This information can help the organization to identify potential threats, vulnerabilities, and consequences, and to assess the current and target profiles of its cybersecurity posture12.

ReferencesIdentifying and Estimating Cybersecurity Risk for Enterprise Risk Management, page 19.COBIT VS NIST : A Comprehensive Analysis - ITSM Docs

According to the NIST Cybersecurity Framework, gaps identified between the current and target profiles should be addressed through a risk-based approach, which enables an organization to gauge the resources needed and prioritize the mitigation of gaps in a cost-effective manner. This approach also aligns the cybersecurity program with the business objectives and risk appetite of the organization12.

ReferencesExamples of Framework Profiles | NISTWhat is the NIST Cybersecurity Framework? | IBM

This principle corresponds to the CSF application stating that CSF profiles support flexibility in content and structure, because both emphasize the need for tailoring the governance system to the specific context and requirements of the enterprise12. The CSF profiles are based on the enterprise’s business drivers, risk appetite, and current and target cybersecurity posture3. The COBIT 2019 design factors are a set of parameters that influence the design and operation of the governance system, such as enterprise strategy, size, culture, and regulatory environment4.

References: 1: COBIT | Control Objectives for Information Technologies | ISACA 2: COBIT 2019 Framework – ITSM Docs - ITSM Documents & Templates 3: Framework Documents | NIST 4: Introduction to COBIT Principles - Testprep Training Tutorials

This is a key activity of COBIT Implementation Phase 2: Where Are We Now?, because it involves assessing the current state of the enterprise’s governance and management system, as well as its strengths, weaknesses, opportunities, and threats12. This activity also includes identifying the relevant stakeholders, drivers, and scope of the implementation program. Therefore, this activity requires a thorough understanding of the external laws, regulations, and contractual obligations that apply to the enterprise and its I&T activities34.

References: 1: COBIT 2019 Implementation Guide 2: COBIT 2019 Implementation - ISACA 3: Compliance with External Requirements - Morland-Austin 4: COBIT 5 : Key Concepts and Principles of COBIT 5 Explained