CGRC Question #49: Real Exam Question with Answer & Explanation
The correct answer is A: Common Controls.
Question
The security control assessor for Colvine Tech will be conducting a comprehensive-level assessment on an information system at Colvine Tech. Which controls must be assessed separately, not by the assessor for Colvine Tech?
Options
- A. Common Controls
- B. Management controls
- C. Failed controls
- D. Alternative controls
Explanation
Common controls are security controls that are designed to be inherited by multiple information systems and are typically assessed independently by a common control provider. Therefore, the individual assessor for a specific system only confirms the inheritance and ongoing effectiveness of these shared controls, rather than conducting a full re-assessment.
Common mistakes.
- B. Management controls, like other control types (operational, technical), are part of the system's overall control set and would be assessed by the system's assessor.
- C. Failed controls indicate deficiencies within the system and would certainly be a focus of the system's assessor for remediation, not assessed separately.
- D. Alternative controls (or compensating controls) are implemented by the system and would be assessed by the system's assessor to determine their effectiveness.
Concept tested. Common controls assessment responsibility
Reference. https://csrc.nist.gov/glossary/term/common-control