Good CCSFP Exam Dumps Save Your Preparation Time

Page 1 of 5

1. Requirement Statement scores are averaged to determine Control Reference and Domain scores.

True

False

2. An e1, i1, or r2 validated assessment must be performed by an approved HITRUST assessor.

True

False

3. The scoring of Requirement Statements is used to calculate the overall Domain score.

True

False

4. If an organization has a policy against uploading sensitive data to third parties, what option would facilitate providing evidence to the HITRUST QA team to support maturity level scoring?

Live QA

QA Tasks

Onsite visit by QA team

Escalated QA

5. On an r2 Validated Assessment any domain that scores less than a 61 will result in what type of report? [0142]

Validated Report with Certification

Readiness Assessment Report

Validated Report without Certification

Accepted Report

6. Which assessment type is the most tailorable to an organization's risk profile?

Interim

Bridge

7. An r2 certification is good for how many years?

Two years provided an interim assessment is performed, all CAPs have been remediated, and all N/As discharged

Two years provided an interim assessment is performed and interim requirements are met

Two years regardless

Until there has been a significant change in the in-scope environment

8. David, a member of an external assessor org, helped his client remediate a control gap. As part of the validation process David can then review the remediation for appropriateness. [0141]

True

False

9. The AI Risk Assessment compliance factor is used to obtain the HITRUST AI Security Certification. [0007]

True

False

10. Why would an organization want to have multiple assessment objects? [0175]

An organization has multiple business units with varied security requirements

An organization has multiple platforms that may present unique risks

Relevant controls could differ depending on risks across an organization’s implemented systems

All of the above

None of the above

Page 2 of 5

11. If the client and the External Assessor disagree on assessment scope, HITRUST will determine the final scope. [0027]

True

False

12. An organization uses system administrators to measure firewall configuration security. Assuming the seven Measured criteria are met, a Tier 4 strength would be an appropriate starting point to determine the Measured compliance rating.

True

False

13. Which assessment type allows users to select any HITRUST authoritative source?

Readiness Assessment

Validated Assessment

r2 Assessment

e1 Assessment

None of the above

14. Should a company always select the most current version of the CSF framework? [0163]

No, the tool will select the version

Yes

No, the assessor should select the version

No, a company can select any active version of the framework that best fits their needs

15. To perform a rapid assessment, the assessment and/or insights report must each contain more than 60 requirements.

True

False

16. Gaps with required CAPS must have documented remediation plans within the assessment object before submission to HITRUST QA.

True

False

17. On an r2 assessment, HITRUST requires evidence to be linked to all maturity levels that score above 25% for Policy and Procedure, and over 0% for Implementation, Measured, and Managed.

True

False

18. Control Objectives are a statement of the desired result or purpose to be achieved by implementing control procedures into a particular process.

True

False

19. Under which version of the CSF did the framework go industry agnostic and HIPAA became its own regulatory factor?

v9.2

v9.3

v9.0

v9.4

v9.1

20. The HITRUST CSF applies to covered information across all transmission and storage methods.

True

False

Page 3 of 5

21. What can the Illustrative Procedures be used for? (Select all that apply)

Consistency in testing between the Assessed Entity and the External Assessor

Implementation testing guidance

Optional procedures

The basis for an assessor test plan

22. MyCSF analytics can be used to visualize data within an assessment object as well as across all assessment objects within an organization.

True

False

23. The HITRUST CSF is updated on an annual basis.

True

False

24. What is an example of a secondary scoping component that could be related to the requirement statement that reads:

"The organization destroys (e.g., disk wiping, degaussing, shredding, disintegration, grinding, incineration, pulverization, or melting) media containing sensitive information when it is no longer needed for business or legal reasons."

Shred bins

Fire extinguishers

Trash cans

Fire bags

Storage boxes

25. Select the four general risk factor categories used when scoping r2 assessments.

Technical

General

Organizational

Compliance

Operational

Privacy

26. Which version of the CSF supports a traversable requirement statement portfolio? [0107]

v9.2

v9.4

v9.6.1

27. Where can you go to view a reporting dashboard for your organization?

Within the Illustrative Procedure

Within the administration tab on the MyCSF portal's home page

Dashboards are only provided within the certified CSF report

Within the analytics tab on the MyCSF portal's home page

Within the library tab on the MyCSF portal's home page

28. Measured and Managed Maturity Levels can be scored for some, but not all, requirements in an r2 assessment object.

True

False

29. The HITRUST CSF is built upon the following model: [0134]

Control Objectives, Control Reference, COBIT Controls

Functions, Categories, Sub-Categories

Control Categories, COBIT controls, Implementation levels

Control Categories, Control Objectives, Control Reference

30. A pharmacy that accepts Medicare/Medicaid and also takes credit cards should include which regulatory factors in their assessment?

FISMA

FTC Red Flags Rule

PCI-DSS

FedRAMP

CMS (Centers for Medicare and Medicaid Services) Minimum Security Requirements (High)

Page 4 of 5

31. The process of testing Requirement Statements within the HITRUST CSF includes: (Select all that apply) [0026]

Interviewing of organizational personnel

Remediating deficient controls

Sampling populations

Examination of documentation

Testing of the technical implementation

32. A sample of laptops is being selected to ensure AV software has been properly installed/configured. Where should the population be pulled from? [0173]

The AV console, as it lists all laptops with AV installed

The IT asset inventory, for capital assets only

The IT asset inventory, for a list of all laptops

The Risk Register, as it lists all firewalls with AV installed

33. An r2 Requirement Statement that scores at a 37 would yield which result?

No Gap

HITRUST Certification

Risk Acceptance

Function Gap

Gap with possible required CAP

34. Documents placed in the document repository can be accessed across multiple assessment objects. [0113]

False

True

35. Once an assessment has been submitted to the assessor, can the assessed entity change their responses?

Yes, if the assessor reverts the Requirement Statement

Yes, if HITRUST reverts the Requirement Statement

36. 1.An organization has identified a number of components needed for an assessment. These components cover systems/applications for customers in the states of Massachusetts and Nevada.

Assuming management wants corresponding regulatory factors to be included in their assessment, which regulatory factors would apply? (Select all that apply)

State of Massachusetts Data Protection Act

CMS Minimum Security Requirements (High)

State of Nevada Security of Personal Information Requirements

Texas Health and Safety Code

Subject to De-ID Requirements

37. The Certified CSF Practitioner (CCSFP) designation is good for how many years?

4 years

1 year provided the CHQP has been completed

3 years provided annual refresher training has been completed

2 years with no refresher training

38. Which of the following are true with e1, i1, and r2 assessment types? (Select all that apply)

All evaluate core cybersecurity hygiene

All can vary requirement statement counts based on added compliance factors

r2 assessments can include fewer than 19 domains, while e1 and i1 assessments require 19 domains

All require testing of the control implementation

39. Would the certification threshold be met in an e1 assessment if all Requirement Statements had Implemented scored at 50%?

Yes

40. On an r2 assessment, when considering the CAP vs. gap decision, will CAPs be required if a Control Reference has an aggregate raw score of 72.5 across Requirement Statements with gaps?

Yes

Page 5 of 5

41. Where in MyCSF can the CSF framework be browsed?

Home

Tasks

Administration

Reference Library

42. Is additional work required by the assessor to generate the NIST Cybersecurity Framework Report?

Yes

43. Which type of assessments must be performed to be eligible for certification? [0158]

e1 Readiness Assessment

an e1, i1 or an r2 Validated Assessment

Customized Assessment

Targeted Assessment

[email protected]

Mon - Sat 9:00am - 6:00pm

Good CCSFP Exam Dumps Save Your Preparation Time

Related

Posts

About Us

EMAIL

Services

Opening Hours