Section 1: IT Governance, Frameworks & Regulatory Standards

NIST · COBIT 2019 · CIS Controls · HIPAA · GDPR · PCI DSS

MAPS TO AICPA Area I: Information Systems & Data Management (governance & frameworks: COBIT, COSO, NIST risk frameworks) and Area II: Security, Confidentiality & Privacy (the privacy and data-security regulations: HIPAA, GDPR, PCI DSS). These are heavily tested foundational topics.

1.1 NIST Cybersecurity Framework (CSF 2.0)

The NIST CSF is a voluntary framework that helps an organization manage and reduce cybersecurity risk. Version 2.0 (the current version) is built around six Functions.

CLARIFY Your notes listed seven items and included "Control." The CSF has six Functions only. "Control" is a Function of the NIST Privacy Framework (1.2), not the CSF.
Function / Purpose
  • Govern: Establishes and monitors the cybersecurity risk-management strategy, expectations, and policy (governance policies/processes, risk strategy, roles & responsibilities, awareness & training, oversight). Newly elevated to its own Function in CSF 2.0.
  • Identify: Understands the organization's assets, suppliers, and related cyber risks; identifies what needs protecting (asset inventory, business environment, risk assessment, supply-chain risk).
  • Protect: Implements safeguards (identity management, authentication & access control, data security, awareness & training, platform protection, maintenance).
  • Detect: Finds and analyzes possible attacks/compromises in a timely way (continuous monitoring, anomaly/event detection).
  • Respond: Takes action on a detected incident: contains it, mitigates losses, communicates with affected parties.
  • Recover: Restores assets and operations: repairs equipment, restores from backups, returns to normal.
CSF 2.0 six Functions (official order): GIPDRR
  • G: Govern
  • I: Identify
  • P: Protect
  • D: Detect
  • R: Respond
  • R: Recover

CSF Implementation Tiers

Tiers describe how rigorous and mature an organization's risk-management practices are (a characterization, not a maturity "grade").

Tier / Name / Characteristics
  • Tier 1, Partial: Ad hoc, reactive ("impulsive"); risk managed informally and inconsistently.
  • Tier 2, Risk-Informed: Risk practices approved but may not be organization-wide; only the most important areas covered.
  • Tier 3, Repeatable: Formalized, organization-wide practices with standardized technology and policies.
  • Tier 4, Adaptive: Continuous improvement; assumes it will be attacked; formal documented policies and advanced technology.

Organizational Profiles & the five-step process

Current Profile: the cybersecurity outcomes achieved today. Target Profile: the desired future outcomes prioritized. The repeatable five-step approach: (1) scope the organizational profile, (2) gather the information needed, (3) create the profile, (4) perform a gap analysis (current vs. target), (5) implement the action plan and update the profile, iterating.
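The five-step profile process as a small, runnable gap-analysis script. This is an added example, not NIST material and not part of the notes above: the subcategory labels (CSF 2.0-style "Function.Category-NN" keys), the scores and the priorities are constructed sample data, and scoring each outcome 0-4 by reusing the Tier names as a maturity scale is an assumption made for illustration only.

```python
"""Worked example (added here; not NIST's or the notes' own material): a
Current-vs-Target Organizational Profile gap analysis following the
five-step approach.

Assumptions made for this illustration:
- Outcomes are keyed by CSF 2.0-style subcategory labels (Function prefix
  GV/ID/PR/DE/RS/RC, then a category and number). The labels and scores
  below are constructed sample data, not a real organization's profile.
- Each outcome is scored 0-4, reusing the Tier names as a maturity scale
  (0 = not addressed, 1 = Partial, 2 = Risk-Informed, 3 = Repeatable,
  4 = Adaptive), and carries a business priority (1 = highest).
"""
from dataclasses import dataclass
from typing import Dict, List

FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}  # GIPDRR order
SCALE = {0: "Not addressed", 1: "Partial", 2: "Risk-Informed",
         3: "Repeatable", 4: "Adaptive"}


@dataclass
class Outcome:
    subcategory: str   # e.g. "GV.OC-01" (constructed sample key)
    current: int       # score in the Current Profile
    target: int        # score in the Target Profile
    priority: int      # 1 = highest business priority

    def function(self) -> str:
        return FUNCTIONS[self.subcategory.split(".", 1)[0]]

    def gap(self) -> int:
        # Only shortfalls count; exceeding the target is not a gap
        return max(0, self.target - self.current)


def build_profile(current: Dict[str, int], target: Dict[str, int],
                  priority: Dict[str, int]) -> List[Outcome]:
    """Steps 1-3: scope is the set of outcomes in the Target Profile; an
    outcome with no current score is treated as not addressed (0)."""
    for sub in set(current) | set(target):
        if sub.split(".", 1)[0] not in FUNCTIONS:
            raise ValueError(f"unknown Function prefix in {sub}")
    return [Outcome(sub, current.get(sub, 0), tgt, priority.get(sub, 3))
            for sub, tgt in sorted(target.items())]


def gap_analysis(profile: List[Outcome]) -> List[Outcome]:
    """Step 4: shortfalls ordered by priority, then largest gap, then label."""
    return sorted((o for o in profile if o.gap() > 0),
                  key=lambda o: (o.priority, -o.gap(), o.subcategory))


def gap_by_function(profile: List[Outcome]) -> Dict[str, int]:
    """Roll-up for the board: total gap per Function, all six present."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for o in profile:
        totals[o.function()] += o.gap()
    return totals


def update_profile(profile: List[Outcome], completed: Dict[str, int]) -> List[Outcome]:
    """Step 5: record action-plan results as the new Current Profile and iterate."""
    return [Outcome(o.subcategory, completed.get(o.subcategory, o.current),
                    o.target, o.priority) for o in profile]


def describe(o: Outcome) -> str:
    return (f"{o.subcategory} [{o.function()}] {SCALE[o.current]} -> "
            f"{SCALE[o.target]} (gap {o.gap()}, priority {o.priority})")


# Constructed sample profiles
CURRENT = {"GV.OC-01": 1, "ID.AM-01": 2, "PR.AA-01": 3, "DE.CM-01": 1}
TARGET = {"GV.OC-01": 3, "ID.AM-01": 3, "PR.AA-01": 3, "DE.CM-01": 3, "RS.MA-01": 2}
PRIORITY = {"GV.OC-01": 1, "DE.CM-01": 1, "ID.AM-01": 2, "RS.MA-01": 2}


def action_plan(current=CURRENT, target=TARGET, priority=PRIORITY) -> List[str]:
    """Ordered list of subcategories to work on, highest priority first."""
    return [o.subcategory for o in gap_analysis(build_profile(current, target, priority))]


if __name__ == "__main__":
    profile = build_profile(CURRENT, TARGET, PRIORITY)
    for item in gap_analysis(profile):
        print(describe(item))
    print(gap_by_function(profile))
```

Running the script prints the ordered action plan and the per-Function roll-up; calling update_profile with the scores reached after remediation and re-running gap_analysis is the "update the profile, iterating" part of step 5.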

1.2 NIST Privacy Framework

Provides a common language for identifying, managing, and communicating privacy risk from how an organization processes data. Built to be used with the CSF.

CLARIFY Your notes listed eight functions (including Detect/Respond/Recover). The Privacy Framework has five Functions. Detect, Respond, and Recover are CSF Functions; when a privacy event is also a security event, you reach over to the CSF for those.
Function / Question it answers
  • Identify-P: What are the privacy risks from our data processing? (Inventory data processing, map data flows, assess risk.)
  • Govern-P: What governance structure best manages privacy risk? (Policies/processes, risk strategy, awareness & training, monitoring.)
  • Control-P: What management structure lets the organization manage data with adequate granularity? (Data-processing policies, management, disassociated processing.)
  • Communicate-P: How does the organization enable dialogue about privacy risk with individuals and stakeholders?
  • Protect-P: What data-protection safeguards reduce privacy risk? (Shared with the CSF's Protect Function.)

CSF vs. Privacy Framework

Similarities: both manage data/information-system risk; both can use the Protect Function. Differences: the Privacy Framework focuses on privacy risk in data processing and uniquely includes Control-P and Communicate-P; the CSF focuses on cybersecurity events and includes Govern, Identify, Protect with Detect/Respond/Recover.

1.3 NIST SP 800-39: Managing Information Security Risk

An integrated, organization-wide approach to managing information-security risk as a continuous, iterative process from senior leadership to operations. Four components:

  1. Risk Framing: sets the context for risk decisions: assumptions, constraints, risk tolerance, priorities, trade-offs.
  2. Risk Assessment: identifies threats, vulnerabilities, likelihood, and potential impact.
  3. Risk Response: develops/selects responses (mitigate, transfer, accept, avoid) consistent with risk tolerance.
  4. Risk Monitoring: continuously tracks effectiveness of responses and changes in the environment.

Example (cloud adoption): Framing: leadership defines acceptable risk. Assessment: IT identifies vulnerabilities and impact. Response: encryption and MFA. Monitoring: ongoing review of logs and alerts.
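The cloud-adoption example carried through all four components as a small risk register. This is an added illustration, not from SP 800-39 or the notes: the 1-5 likelihood and impact scales, the likelihood-times-impact score, the tolerance and "avoid" thresholds, the rule for choosing among the four responses, and the sample risks and score changes are all assumptions made here; 800-39 itself prescribes none of them.

```python
"""Worked example (added here; it is not from NIST SP 800-39 or the notes):
a small risk register walking the four 800-39 components for the cloud
adoption scenario. The 1-5 likelihood/impact scales, the L x I score, the
tolerance threshold and the response-selection rules are assumptions made
for this illustration; SP 800-39 does not prescribe them.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RiskFrame:
    """Risk Framing: context set by leadership before any risk is assessed."""
    tolerance: int          # highest score that may simply be accepted
    avoid_threshold: int    # at or above this score the activity is not worth doing
    transferable: Tuple[str, ...] = ("third-party", "financial")  # categories a contract or insurer can carry


@dataclass
class Risk:
    name: str
    category: str
    likelihood: int         # 1 rare .. 5 almost certain
    impact: int             # 1 negligible .. 5 severe
    treatments: List[str] = field(default_factory=list)

    def score(self) -> int:
        """Risk Assessment: likelihood (threat meeting vulnerability) times impact."""
        return self.likelihood * self.impact


def select_response(risk: Risk, frame: RiskFrame) -> str:
    """Risk Response: mitigate / transfer / accept / avoid, consistent with the frame."""
    s = risk.score()
    if s <= frame.tolerance:
        return "accept"
    if s >= frame.avoid_threshold:
        return "avoid"
    if risk.category in frame.transferable:
        return "transfer"
    return "mitigate"


def treat(risk: Risk, measure: str, likelihood_delta: int = 0, impact_delta: int = 0) -> Risk:
    """Apply a mitigation or transfer and return the residual risk (scores never drop below 1)."""
    return Risk(risk.name, risk.category,
                max(1, risk.likelihood + likelihood_delta),
                max(1, risk.impact + impact_delta),
                risk.treatments + [measure])


def monitor(register: List[Risk], frame: RiskFrame) -> List[str]:
    """Risk Monitoring: names of risks whose residual score now exceeds tolerance."""
    return [r.name for r in register if r.score() > frame.tolerance]


def cloud_adoption_walkthrough() -> Tuple[Dict[str, str], List[str], List[str]]:
    # 1. Framing: leadership sets what is acceptable (constructed thresholds)
    frame = RiskFrame(tolerance=8, avoid_threshold=20)
    # 2. Assessment: IT scores the exposures (constructed sample risks)
    cred = Risk("credential theft on cloud console", "technical", likelihood=4, impact=4)   # 16
    leak = Risk("exposure of unencrypted storage", "technical", likelihood=3, impact=5)     # 15
    vendor = Risk("provider outage beyond SLA", "third-party", likelihood=2, impact=5)     # 10
    initial = {r.name: select_response(r, frame) for r in (cred, leak, vendor)}
    # 3. Response: MFA and encryption from the example, plus a contractual transfer
    cred = treat(cred, "MFA on every console login", likelihood_delta=-2)                 # 2*4 = 8
    leak = treat(leak, "encryption at rest, customer-managed keys", impact_delta=-3)       # 3*2 = 6
    vendor = treat(vendor, "contractual SLA credits and cyber insurance", impact_delta=-2)  # 2*3 = 6
    register = [cred, leak, vendor]
    after_treatment = monitor(register, frame)  # everything within tolerance
    # 4. Monitoring: the environment changes (a phishing campaign against staff),
    #    so credential theft is re-assessed one step more likely and re-surfaces
    cred_reassessed = Risk(cred.name, cred.category, cred.likelihood + 1,
                           cred.impact, cred.treatments)                                   # 3*4 = 12
    after_change = monitor([cred_reassessed, leak, vendor], frame)
    return initial, after_treatment, after_change


if __name__ == "__main__":
    for stage in cloud_adoption_walkthrough():
        print(stage)
```

The point of the last step is that a response is never final: the register only stays within tolerance while the assumptions behind the scores hold, which is why 800-39 treats monitoring as a continuous component rather than a closing checkpoint.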

1.4 NIST SP 800-53: Security & Privacy Controls

The detailed "control catalog" for federal information systems, far stricter and more granular than the CSF or Privacy Framework.

Implementation approach / Where the control is applied
  • Common (Inheritable): Implemented once at the organization level and inherited by individual systems.
  • System-Specific: Tailored to and applied at the individual information-system level.
  • Hybrid: A combination: implemented at the organization level where appropriate, with the remainder at the system level.

1.5 Data Breaches & Breach Costs

Unintentional breach: results from negligence or error. Intentional breach: bad actors illegally gaining access. Breach costs fall into: (1) detection & escalation, (2) notification, (3) post-breach response, and (4) lost business & revenue (loss of customer trust reduces revenue).

1.6 HIPAA

2026 UPDATE The 2026 blueprint added HIPAA key-term definitions as testable content; be precise about defined terms (e.g., covered entity, electronic protected health information / ePHI).

HIPAA Safeguards

  • Administrative: Contingency plans; information-access management; security awareness & training.
  • Physical: Facility access controls; workstation use; workstation security; device & media controls.
  • Technical: Access control; audit controls; data-integrity controls; person/entity authentication; transmission security.

HIPAA Security Rule

Covered entities must: (1) ensure the confidentiality, integrity, and availability of all electronic PHI; (2) protect against reasonably anticipated threats; (3) protect against reasonably anticipated impermissible uses/disclosures; and (4) ensure workforce compliance.

The three security objectives for ePHI: CIA
  • C: Confidentiality
  • I: Integrity
  • A: Availability

1.7 GDPR: General Data Protection Regulation

Who it applies to

Rectification: the individual's right to correct or complete inaccurate or incomplete personal data.

Principles for processing personal data

  1. Lawfulness, fairness, transparency.
  2. Purpose limitation: specified, explicit, legitimate purposes (further processing allowed for public-interest archiving, research, statistics).
  3. Data minimization: adequate, relevant, limited to what is necessary.
  4. Accuracy: accurate and kept up to date.
  5. Storage limitation: kept only as long as necessary.
  6. Integrity and confidentiality: processed securely against unauthorized processing, loss, destruction, damage.
CLARIFY GDPR Article 5 actually states seven principles: the six above plus Accountability (the controller is responsible for, and must be able to demonstrate, compliance). Many review courses teach six; know the seventh exists.

1.8 EU–US Data Transfer

2026 UPDATE "Safe Harbor" and the "Privacy Shield" are both obsolete. Safe Harbor was invalidated in 2015 (Schrems I) and Privacy Shield in 2020 (Schrems II). The mechanism in force today is the EU–US Data Privacy Framework (DPF), adopted July 10, 2023, which lets self-certified US companies lawfully receive personal data transferred from the EU.

Concept to retain: the EU restricts transfers of personal data to countries it considers to lack "adequate" protection; transatlantic transfer frameworks bridge that gap. The current one is the DPF (companies may also rely on tools such as Standard Contractual Clauses).

1.9 PCI DSS: Payment Card Industry Data Security Standard

Purpose: a standard from the PCI Security Standards Council to protect cardholder data and ensure secure payment processing. Scope: every entity that stores, processes, or transmits cardholder data. A core requirement is protecting cardholder data with strong cryptography during transmission over open, public networks.

The six goals / Examples
  1. Build & maintain a secure network & systems: Maintain firewall configurations.
  2. Protect account data: Strong cryptography for cardholder data in transit over public networks.
  3. Maintain a vulnerability-management program: Anti-malware, secure development, regular patching/AV updates.
  4. Implement strong access-control measures: Authenticate access; restrict by need-to-know.
  5. Regularly monitor & test networks: Detect weaknesses and unauthorized access.
  6. Maintain an information-security policy: Policies/procedures to manage information security.

1.10 CIS Controls & Implementation Groups

The CIS Controls are recommended actions and best practices to strengthen cyber defenses, helping organizations prioritize by risk and resources, defend against common and advanced threats, support compliance, and drive continuous improvement.

Design principles: Context (expand scope/practicality with examples), Coexistence (align with evolving standards including NIST CSF 2.0), Consistency (minimize disruption to control users).

Implementation Groups (self-assessed, by size/risk)

IG / Typical organization / Goal or focus
  • IG1. Typical organization: small/midsize; limited IT and expertise; non-sensitive data; cannot tolerate long downtime. Focus: essential cyber hygiene; block common attacks; keep the company operational.
  • IG2 (includes IG1). Typical organization: IT staff supporting multiple departments with varied risk; holds sensitive client data; can tolerate short interruptions. Focus: enhanced; protect client data and trust; the biggest concern is loss of trust from a breach.
  • IG3 (includes IG1 and IG2). Typical organization: large, regulated, or critical-infrastructure, with security experts across domains. Focus: enterprise-grade; high-impact data and public welfare; attacks can harm both the company and the public.

Selected CIS control families

Control / What it does
  • 03, Data Protection: Classify and label data based on sensitivity.
  • 04, Secure Configuration: Establish/maintain secure baseline settings (harden systems; move off insecure defaults).
  • 05, Account Management: Create, authorize, maintain, and disable accounts; keep an account inventory.
  • 06, Access Control Management: Grant/manage/revoke access rights and privileges (least privilege).
  • 08, Audit Log Management: Capture the time and detail of events such as crashes and restorations.
  • 09, Email & Web Browser Protections: Counter phishing (including attacks targeting executives who control funds).
  • 10, Malware Defenses: e.g., disable autorun/autoplay for removable media.
  • 12, Network Infrastructure Management: Securely manage and keep network devices current; maintain a secure architecture.
  • 13/14, Network Monitoring & Defense: Comprehensive monitoring; an IDS logs and analyzes traffic that gets past the firewall; centralized alerting.
  • 15, Service Provider Management: Vet third-party providers (e.g., review their SOC reports) when they access sensitive data.
  • 16, Application Software Security: Manage the security life cycle of software to find and fix weaknesses before exploitation.
  • 17, Incident Response Management: Establish policies, plans, roles, training, and communication to prepare for and react to attacks.

1.11 COBIT 2019: IT Governance Framework

A flexible, comprehensive toolkit for IT governance that helps ensure IT supports business goals, manages risk, and delivers value.

Six principles for a governance system

  1. Provide stakeholder value: balance benefits, risk, and resources via an actionable strategy.
  2. Holistic approach: consider diverse components together, focusing on how they interrelate.
  3. Dynamic governance system: when one part changes, weigh the impact on the whole.
  4. Distinct from management: governance and management are clearly separated.
  5. Tailored to enterprise needs: customize up front using design factors (structure, culture, goals).
  6. End-to-end governance: cover all processes that involve information and technology, not just IT.

Three principles for a governance framework

Based on a conceptual model (identify components and relationships); Open and flexible (a "living document"); Aligned to major standards (regulations, frameworks, standards).

Governance & management objectives

Domain / Focus
  • EDM, Evaluate, Direct, Monitor (Governance): Those charged with governance evaluate objectives, direct management to achieve them, and monitor whether they are met.
  • APO, Align, Plan, Organize: Overall IT strategy and supporting activities; managing data, infrastructure, architecture, budgeting, risk.
  • BAI, Build, Acquire, Implement: Define, procure, deploy, and integrate IT solutions into business processes.
  • DSS, Deliver, Service, Support: Operations, service requests, problems, continuity, security services, business-process controls.
  • MEA, Monitor, Evaluate, Assess: Monitor performance, internal control, and compliance.

Seven components of a governance system: processes; organizational structures; principles, policies & frameworks; information; culture, ethics & behavior; people, skills & competencies; and services, infrastructure & applications.

Design factors (examples): enterprise strategy; enterprise goals; risk profile; I&T-related issues; threat landscape; compliance requirements; role of IT (support, factory, turnaround, strategic); sourcing model; implementation methods; technology-adoption strategy (first mover, follower, slow adopter).

IT governance responsibilities

Who / Responsibility
  • Board of directors: Sets governance policies.
  • Executives: Ensure an IT governance structure exists and is executed effectively.
  • Middle management: Carry out, implement, and enforce policies; organize teams, monitor compliance, report issues.
  • End users: Follow the processes and procedures.

EXAM TIP The most common ISC trap is mixing up the frameworks. Anchor each: CSF = cybersecurity (6 Functions); Privacy Framework = privacy risk (5 Functions, adds Control-P & Communicate-P); 800-39 = enterprise risk process (Frame/Assess/Respond/Monitor); 800-53 = the strict federal control catalog; COBIT = IT governance; CIS = prioritized defensive controls with IG1–IG3.