CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 1 of 15.
- Question #1 (Security and Privacy Governance, Risk Management, and Compliance Program)
  An event or situation that has the potential for causing undesirable consequences or impact. Response:
  Topics: Threat Event; Risk Management; Security Definitions

- Question #2 (Implementation of Security and Privacy Controls)
  Under which type of access control does a user ID and password system fall? Response:
  Topics: Access Control; Technical Controls; Authentication; Passwords

- Question #3 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The Organization Level (Tier 1) strategy addresses/requires ........ Response:
  Topics: Organizational Strategy; Tier 1; Risk Assessment; Risk Management Program

- Question #4 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities. Response:
  Topics: Adversary; Threat Actor; Risk Management; Cybersecurity Terminology

- Question #5 (Compliance Maintenance)
  Choose from the following options the U.S. government repository of standards-based vulnerability management data where you can easily find the NIST standards for guidance on conti...
  Topics: NVD; Vulnerability Management; NIST Standards; Continuous Monitoring

- Question #6 (Scope of the System)
  In the case of a complex information system, where a "leveraged authorization" that involves two agencies will be conducted, what is the minimum number of system boundaries/accredi...
  Topics: Leveraged Authorization; System Boundary; Accreditation Boundary; Multi-agency Collaboration

- Question #7 (Assessment/Audit of Security and Privacy Controls)
  What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected? Response:
  Topics: Control Remediation; Control Reassessment; Security Control Lifecycle

- Question #8 (Security and Privacy Governance, Risk Management, and Compliance Program)
  You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may no...
  Topics: Risk Management; Risk Response Strategies; Risk Transference; Negative Risk

- Question #9 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following are the goals of risk management? Each correct answer represents a complete solution. Choose three. Response:
  Topics: Risk Management Goals; Risk Identification; Risk Assessment; Cost-Benefit Analysis

- Question #10 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What would be the impact level due to the loss of CIA that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, in...
  Topics: Impact Levels; Security Categorization; Risk Assessment; FIPS 199

- Question #11 (System Compliance)
  Which of the following is not an authorization decision identified in the RMF? Response:
  Topics: RMF; Authorization Decisions; ATO; NIST SP 800-37

- Question #12 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Sensitivity of a system is based on the _________ processed, stored, and transmitted by the system. Response:
  Topics: System Sensitivity; Data Classification; Risk Assessment; Information Security Fundamentals

- Question #13 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following terms related to risk management represents the estimated frequency at which a threat is expected to occur? Response:
  Topics: Risk Management; Quantitative Risk Analysis; Annualized Rate of Occurrence (ARO)

- Question #14 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Where would you find standard guidance for determining an organization's risk appetite? Response:
  Topics: NIST SP 800-39; Risk Appetite; Risk Management; Information Security Governance

- Question #15 (Security and Privacy Governance, Risk Management, and Compliance Program)
  FISMA defines three security objectives for information and information systems: Response:
  Topics: FISMA; Security Objectives; CIA Triad; Information Security

- Question #16 (Compliance Maintenance)
  Which of the following tasks are identified by the Plan of Action and Milestones document? Each correct answer represents a complete solution. Choose all that apply. Response:
  Topics: POA&M; NIST RMF; Compliance Tracking; Remediation Planning

- Question #17 (Implementation of Security and Privacy Controls)
  Authentication ensures that system users are who they say they are. At Colvine Tech, a system user must prove identity by providing an email address, a password, and answer a securi...
  Topics: Authentication Factors; Single-factor Authentication; Access Control; Identity Management

- Question #18 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planni...
  Topics: Resilience; Risk Management; Contingency Planning; Continuity Planning

- Question #19 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities. Response:
  Topics: Disaster Recovery Plan; DRP; Information System Recovery; Business Continuity

- Question #20 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on...
  Topics: Risk Management; Impact Analysis; Confidentiality, Integrity, Availability; Adverse Effects

- Question #21 (Implementation of Security and Privacy Controls)
  Which of the following techniques are used after a security breach and are intended to limit the extent of any damage caused by the incident? Response:
  Topics: Security Controls; Corrective Controls; Incident Response; Damage Limitation

- Question #22 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational opera...
  Topics: Authorization to Operate (ATO); Risk Acceptance; Management Decision; Information System Security

- Question #23 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following are the common roles with regard to data in an information classification program? Each correct answer represents a complete solution. Choose all that apply....
  Topics: Data Roles; Information Classification; Data Governance; Responsibility Matrix

- Question #24 (Scope of the System)
  What RMF artifact establishes the scope of protection for an IS and encompasses the people, processes, and information technology that are part of the system?
  Topics: System Scope Definition; RMF Terminology; Information System Components

- Question #25 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets,...
  Topics: Impact Levels; Risk Categorization; CIA Triad; Adverse Effects

- Question #26 (Assessment/Audit of Security and Privacy Controls)
  The findings from a security control assessment are documented in which of the following documents? Response:
  Topics: Security Assessment Report; NIST RMF; Security Control Assessment; Documentation

- Question #27 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The security control type for an information system whose controls are primarily implemented and executed by people (as opposed to systems). Response:
  Topics: Security Control Types; Operational Controls; Control Classification

- Question #28 (Implementation of Security and Privacy Controls)
  The security controls for an information system that are primarily implemented by people (as opposed to systems) are known as Response:
  Topics: Security Controls; Operational Controls; Control Classification

- Question #29 (System Compliance)
  The authorizing official may determine that additional information supporting the authorization package is needed. The additional documentation may include all but one of the follo...
  Topics: Authorization Package; Authorizing Official (AO); Risk Management Framework (RMF); Documentation

- Question #30 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal governme...
  Topics: Federal Enterprise Architecture (FEA); OMB; Government Transformation; Business Frameworks

- Question #31 (Compliance Maintenance)
  You are working as a project manager in your organization. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activ...
  Topics: Risk Monitoring; Risk Control; Project Management Process Outputs; Requested Changes

- Question #32 (Scope of the System)
  Defining the types of information needed by the organization to successfully carry out identified missions and business processes as well as defining the organization's internal an...
  Topics: NIST SP 800-60; Information Classification; Information Flow; Security Categorization

- Question #33 (Selection and Approval of Framework, Security, and Privacy Controls)
  The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system. Response:
  Topics: Security Controls; Control Baselines; System Categorization; NIST RMF

- Question #34 (Scope of the System)
  The security category of information 1 is determined to be: Confidentiality, low; Integrity, moderate; and Availability, moderate. The security category for information 2 is determ...
  Topics: Security Categorization; CIA Triad; Information Classification; FIPS 199

- Question #35 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The emphasis of the revised NIST SP 800-37 process is on ............. Response:
  Topics: NIST SP 800-37; Risk Management Framework (RMF); Continuous Monitoring; Risk-based Decision Making

- Question #36 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following is NOT an objective of the security program? Response:
  Topics: Security Program Management; Security Objectives; Information Security Governance; Security Planning

- Question #37 (Assessment/Audit of Security and Privacy Controls)
  Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?...
  Topics: C&A; DITSCAP; Security Assessment Phases; Information Security Process

- Question #38 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Prepare, Categorize, Select, and Implement are steps or phases of the Risk Management Framework which can be described as Response:
  Topics: Risk Management Framework (RMF); NIST RMF Steps; System Authorization Process; Pre-certification

- Question #39 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Pri...
  Topics: Privacy Act; E-Government Act; Individual Definition; Data Subject

- Question #40 (Selection and Approval of Framework, Security, and Privacy Controls)
  The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. Response:
  Topics: Authenticity; Security Principles; Information Security Concepts; Control Objectives

- Question #41 (Security and Privacy Governance, Risk Management, and Compliance Program)
  In which of the following elements of security does the object retain its veracity and is only intentionally modified by authorized subjects? Response:
  Topics: Security Principles; Integrity; CIA Triad; Data Veracity

- Question #42 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What is the purpose of a Privacy Impact Assessment? Response:
  Topics: Privacy Impact Assessment (PIA); PII; Privacy Risk Management; Confidentiality

- Question #43 (Scope of the System)
  A discrete set of resources organized for the collection, processing, maintenance, or disposition of information best describes which of the following? Response:
  Topics: Information Systems; System Definition; NIST Terminology

- Question #44 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Who is primarily responsible for the withdrawal and decommissioning of an information system? Response:
  Topics: Information System Owner; Roles and Responsibilities; System Decommissioning; System Lifecycle

- Question #45 (Selection and Approval of Framework, Security, and Privacy Controls)
  Tailoring refers to the process by which a security control baseline is modified based on all but one of the following: Response:
  Topics: Security Control Tailoring; Security Control Baseline; NIST RMF; Security Categorization

- Question #46 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following statements about the authentication concept of information security management is true? Response:
  Topics: Authentication; Information Security Concepts; Identity Management

- Question #47 (Scope of the System)
  What is the first SDLC phase, which maps to the first two RMF steps (Categorize, Select Controls)? Response:
  Topics: SDLC Phases; RMF Steps; System Initiation; Control Selection

- Question #48 (Compliance Maintenance)
  True or False: After an ATO is granted, ongoing continuous monitoring is performed on all identified security controls as well as the physical environment, etc. Response:
  Topics: Continuous Monitoring; Authority to Operate (ATO); Post-ATO Activities; RMF

- Question #49 (Assessment/Audit of Security and Privacy Controls)
  The security control assessor for Colvine Tech will be conducting a comprehensive level assessment on an information system at Colvine Tech. Which controls must be assessed separat...
  Topics: Common Controls; Security Control Assessment; Control Inheritance; RMF

- Question #50 (Assessment/Audit of Security and Privacy Controls)
  What is the comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determi...
  Topics: Certification; Security Controls Assessment; Accreditation Support; RMF