
CGRC Question #51: Real Exam Question with Answer & Explanation

The correct answer is C: Recommendations for remediation.

Assessment/Audit of Security and Privacy Controls

Question

A security assessment plan comprises all of the following except:

Options

  • A. Scope
  • B. Methodology
  • C. Recommendations for remediation
  • D. Rules of engagement

Explanation

A security assessment plan outlines how an assessment will be conducted, including its scope, methodology, and rules of engagement. Recommendations for remediation are outputs of the assessment, not components of the plan itself.

Common mistakes.

  • A. Scope is a fundamental component of an assessment plan, defining what systems, data, and processes will be included or excluded from the evaluation.
  • B. Methodology outlines the specific approaches, tools, and techniques that will be used during the security assessment to achieve its objectives.
  • D. Rules of engagement specify the boundaries, communication protocols, and acceptable activities for the assessment team during the execution phase.

Concept tested. Security assessment plan components

Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar5.pdf

Topics

Security Assessment Plan, Assessment Planning, Audit Planning
