CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 10 of 15.
- Question #451 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The authorizing official may choose to authorize the system to operate only for a short period of time if it is necessary to test the system in the environment of operation before...
  Tags: Authorization Process, Interim Authority to Test (IATT), Authorizing Official (AO), Risk Management Framework (RMF)

- Question #452 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediate and enforce the security policy.
  Tags: Assurance, Security Policy Enforcement, System Confidence, Governance

- Question #453 (Scope of the System)
  What are the four phases for interconnecting systems?
  Tags: System interconnection, Planning phase, NIST SP 800-47, System boundaries

- Question #454 (Assessment/Audit of Security and Privacy Controls)
  The guidelines in this publication apply to the security controls defined in NIST Special Publication 800-53 in an effort to enable more consistent, comparable, and repeatable asse...
  Tags: NIST SP 800-53A, Security Control Assessment, Assessment Guidelines, NIST Publications

- Question #455 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following control families belongs to the management class of security controls?
  Tags: Control families, Control classification, Management controls, Risk assessment

- Question #456 (System Compliance)
  Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into productio...
  Tags: Federal Compliance, Security Authorization, FISMA, OMB Policy

- Question #457 (Selection and Approval of Framework, Security, and Privacy Controls)
  An authentication method uses smart cards as well as usernames and passwords for authentication. Which of the following authentication methods is being referred to?
  Tags: Authentication, Multi-factor authentication (MFA), Security controls

- Question #458 (Compliance Maintenance)
  Who has the responsibility to track corrective actions to their completion, keeping the approving authority informed with periodic updates as directed?
  Tags: Roles and Responsibilities, Information System Owner (ISO), Corrective Actions, Compliance Monitoring

- Question #459 (Assessment/Audit of Security and Privacy Controls)
  Volatile security controls are assessed more frequently, with the objective of establishing security control effectiveness or supporting the calculation of a metric. Which of the following...
  Tags: Security Controls, Control Families, Configuration Management, Control Assessment Frequency

- Question #460 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Risks with low ratings of probability and impact are included on a ____ for future monitoring.
  Tags: Risk Management, Risk Monitoring, Watchlist, Low Impact Risks

- Question #461 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following objectives are defined by integrity in the C.I.A. triad of information security systems? Each correct answer represents a part of the solution. Choose three....
  Tags: CIA Triad, Integrity, Information Security Principles

- Question #462 (Compliance Maintenance)
  What is the system development life cycle phase for step six of the RMF for a new system?
  Tags: RMF Step 6, Continuous Monitoring, SDLC Phases, Control Implementation, Control Assessment

- Question #463 (Selection and Approval of Framework, Security, and Privacy Controls)
  Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will h...
  Tags: Access Control Models, Role-Based Access Control (RBAC), Least Privilege, Network Security

- Question #464 (Assessment/Audit of Security and Privacy Controls)
  Developmental testing and evaluation is a type of control assessment, and its activities include all of the following except one.
  Tags: Developmental Testing, Control Assessment Activities, SDLC Security, Auditing

- Question #465 (Selection and Approval of Framework, Security, and Privacy Controls)
  To help review or design security controls, they can be classified by several criteria...
  Tags: Security control types, Physical security controls, Control classification, Asset protection

- Question #466 (Assessment/Audit of Security and Privacy Controls)
  Who has primary responsibility to develop a report of the results of the security and privacy control assessments, including recommendations for correcting deficiencies in the impl...
  Tags: Roles and Responsibilities, Security Control Assessor (SCA), Control Assessment, Security Assessment Report

- Question #467 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The transfer of risk is one of the five risk treatment methods pointed out in NIST 800-37 Rev 2. Choose an example of risk transfer from the following options.
  Tags: Risk Transfer, Risk Treatment Methods, NIST 800-37, Warranty

- Question #468 (Scope of the System)
  A part of tailoring guidance providing organizations with specific policy/regulatory-related, technology-related, system component allocation-related, operational/environmental-re...
  Tags: Scoping guidance, Security control tailoring, Security control baseline, NIST RMF

- Question #469 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Information security management is a process of defining the security controls in order to protect information assets. The first action of a management program to implement informa...
  Tags: Security program objectives, Information security management, Security governance, Program establishment

- Question #470 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following are phases of the National Institute of Standards and Technology (NIST) Risk Management Framework?
  Tags: NIST RMF, Risk Management Framework, RMF Phases, Cybersecurity Frameworks

- Question #471 (Assessment/Audit of Security and Privacy Controls)
  Assessment plans should be prepared _______ of the testing and forwarded to all involved for review and approval.
  Tags: Assessment planning, Security assessment, Compliance assessment

- Question #472 (System Compliance)
  Risk assessments at the organizational level leverage aggregated information from system-level risk assessment results, continuous monitoring, and any strategic risk considerations...
  Tags: Risk Assessment, Authorization to Operate (ATO), Authorization Limit Date, System Compliance

- Question #474 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or in some...
  Tags: Information types, Data classification, Regulatory compliance, Organizational policy

- Question #475 (Implementation of Security and Privacy Controls)
  What is the name of the formal document that provides an overview of security requirements for the information system and describes the security controls in place or planned for me...
  Tags: System Security Plan, NIST RMF, Security Documentation, Security Controls

- Question #476 (Assessment/Audit of Security and Privacy Controls)
  Security testing conducted from inside the organization's security perimeter.
  Tags: Security Testing, Internal Testing, Security Assessment, Perimeter Security

- Question #477 (Security and Privacy Governance, Risk Management, and Compliance Program)
  ISO 17799 has two parts. The first part is an implementation guide with guidelines on how to build a comprehensive information security infrastructure, and the second part is an aud...
  Tags: ISO 17799, Information Security Domains, Information Security Policy, Business Continuity Management

- Question #478 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?
  Tags: Integrated Change Control, Risk Management, Change Management, System Changes

- Question #479 (Selection and Approval of Framework, Security, and Privacy Controls)
  Which document in support of the authorization package contains the well-defined set of security controls for an information system?
  Tags: System Security Plan (SSP), Authorization Package, Security Controls, Risk Management Framework (RMF)

- Question #480 (Selection and Approval of Framework, Security, and Privacy Controls)
  NIST SP 800-53 describes a family of controls as:
  Tags: NIST SP 800-53, Control Families, Information Security Controls, Definitions

- Question #481 (Assessment/Audit of Security and Privacy Controls)
  What are the two activities involved in certification testing?
  Tags: Control Assessment, Documentation, Certification Testing

- Question #482 (Assessment/Audit of Security and Privacy Controls)
  In which of the following testing methodologies do assessors use all available documentation, work under no constraints, and attempt to circumvent the security features of an in...
  Tags: Penetration testing, Security testing, Assessment methodologies, Vulnerability assessment

- Question #483 (Scope of the System)
  Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency...
  Tags: National Security System, System Classification, NIST RMF Terminology, Agency Systems

- Question #484 (Implementation of Security and Privacy Controls)
  A differential backup stores files that were created or modified since the last full backup. Therefore, if a file is changed after the previous full backup, a differential backup w...
  Tags: Differential Backup, Data Backup, Data Protection

- Question #485 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which FIPS publication specifies security requirements for federal information and information systems in 17 security-related areas that represent a broad-based, balanced informati...
  Tags: FIPS PUB 200, Federal Information Systems, Security Requirements, NIST

- Question #486 (Compliance Maintenance)
  The change control board team at Colvine Tech has determined the security impact of proposed changes to an application. What would be the team's next action?
  Tags: Change Management, System Security Plan (SSP), Security Documentation, Continuous Monitoring

- Question #487 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following refers to the ability to ensure that the data is not modified or tampered with?
  Tags: CIA Triad, Integrity, Data Protection, Information Security Principles

- Question #488 (Scope of the System)
  Documenting the description of the system in the SSP is the primary responsibility of which RMF role?
  Tags: RMF Roles, System Security Plan (SSP), Information System Owner, System Description

- Question #489 (Compliance Maintenance)
  Ongoing authorizations and reporting can be time- and event-driven. Which official has the primary responsibility for ongoing authorizations?
  Tags: Authorizing Official, RMF Roles, Ongoing Authorization, Continuous Monitoring

- Question #490 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What does OCTAVE stand for?
  Tags: OCTAVE, Risk Management Framework, Acronyms, Information Security

- Question #491 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which organizational official is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system?
  Tags: Information System Owner (ISO), Roles and Responsibilities, System Lifecycle, Accountability

- Question #492 (Security and Privacy Governance, Risk Management, and Compliance Program)
  NIST SP 800-64 Rev 2 has been withdrawn, but security professionals can still find guidance on the system development life cycle in which publication?
  Tags: NIST Special Publications, System Development Lifecycle (SDLC), System Security Engineering, Information Security Guidance

- Question #493 (Compliance Maintenance)
  An effective security control monitoring strategy for an information system includes:
  Tags: Security Control Monitoring, Authorizing Officials, Ongoing Management, Continuous Monitoring

- Question #494 (Selection and Approval of Framework, Security, and Privacy Controls)
  In which of the following Risk Management Framework (RMF) phases is a risk profile created for threats?
  Tags: RMF Phases, Risk Profile, Threat Management, Control Selection

- Question #495 (Scope of the System)
  In which of the six steps of the RMF is the system boundary defined?
  Tags: NIST RMF, RMF Steps, System Boundary, Prepare Step

- Question #496 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What RMF role is responsible for assessing the impact of changes on systems, the processes they support, and the data they process (ISO, AO, ISSO)?
  Tags: RMF Roles, Information System Owner (ISO), Impact Assessment, Change Management

- Question #497 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?
  Tags: DoD Authorization, System Security Authorization Agreement (SSAA), Accreditation, Information Security Documentation

- Question #498 (Compliance Maintenance)
  Which reference document describes the contents of a Plan of Action and Milestones (POA&M), updating and replacing OMB M-02-01?
  Tags: POA&M, OMB Guidance, Federal Compliance, Risk Management

- Question #499 (Assessment/Audit of Security and Privacy Controls)
  The use of automation to conduct security control assessments should be maximized to do all of the following except one.
  Tags: Security Automation, Control Assessments, Continuous Monitoring, Assessment Efficiency

- Question #500 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What are the five primary roles associated with the system authorization program?
  Tags: System Authorization Program Roles, CISO, Risk Management Framework (RMF), Organizational Roles

- Question #501 (Scope of the System)
  A system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers.
  Tags: Supply Chain, System Definition, Organizational Scope
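Question #484 above turns on the difference between a differential backup (everything changed since the last full) and an incremental backup (everything changed since the last backup of any kind), and on what that difference means at restore time. The following Python is an added worked example, not code from the question bank or from any backup product: it models both selection rules over a constructed five-file catalog with integer "mtime" ticks, runs the same three days of changes under each policy, and builds the restore chain each policy needs. The file names, tick values and change schedule are all invented for the illustration.

```python
"""Differential vs. incremental backup selection and restore chains.

Constructed example: the catalog, change schedule and tick-based timestamps
below are made up; nothing here touches a real filesystem.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class BackupRun:
    kind: str                 # "full", "differential" or "incremental"
    at: int                   # run time as an integer tick (stand-in for a timestamp)
    snapshot: dict[str, int]  # path -> mtime of every file this run copied


def files_to_backup(catalog: dict[str, int], history: list[BackupRun], kind: str) -> set[str]:
    """Select the paths a run of `kind` must copy.

    full         -> every file
    differential -> files modified after the most recent full run
    incremental  -> files modified after the most recent run of any kind
    """
    fulls = [r for r in history if r.kind == "full"]
    if kind == "full" or not fulls:
        # Without a full baseline there is nothing to diff against, so copy everything.
        return set(catalog)
    if kind == "differential":
        since = max(r.at for r in fulls)
    elif kind == "incremental":
        since = max(r.at for r in history)
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    # Caveat: mtime can be set backwards by an attacker or a careless tool;
    # production selectors usually also consult ctime, an archive bit or content hashes.
    return {path for path, mtime in catalog.items() if mtime > since}


def restore_chain(history: list[BackupRun]) -> list[BackupRun]:
    """Return the minimal ordered runs needed to rebuild the latest state.

    Differential policy: last full + the single latest differential.
    Incremental policy:  last full + every incremental after it, in order.
    """
    full_idx = [i for i, r in enumerate(history) if r.kind == "full"]
    if not full_idx:
        raise ValueError("no full backup to restore from")
    last_full = full_idx[-1]
    after = history[last_full + 1:]
    kinds = {r.kind for r in after}
    if kinds == {"differential"}:
        return [history[last_full], after[-1]]
    if kinds <= {"incremental"}:          # also covers "nothing after the full"
        return [history[last_full], *after]
    raise ValueError("mixed differential/incremental history needs a policy-specific chain")


def restore(chain: list[BackupRun]) -> dict[str, int]:
    """Replay the chain oldest-first; later snapshots overwrite earlier copies."""
    state: dict[str, int] = {}
    for run in chain:
        state.update(run.snapshot)
    return state


# Constructed scenario: five files, all current as of the full backup at tick 0.
CATALOG_T0 = {"/etc/passwd": 0, "/etc/shadow": 0, "/var/app/db.sqlite": 0,
              "/var/app/config.yml": 0, "/home/alice/notes.txt": 0}

# Constructed change schedule: tick -> {path: new mtime}.
CHANGES = {1: {"/var/app/db.sqlite": 1},
           2: {"/var/app/db.sqlite": 2, "/home/alice/notes.txt": 2},
           3: {"/etc/shadow": 3}}


def simulate(policy: str) -> tuple[list[set[str]], list[BackupRun], dict[str, int]]:
    """Run a full at tick 0, then one `policy` backup after each day's changes.

    Returns (files copied per day, backup history, final catalog).
    """
    catalog = dict(CATALOG_T0)
    history = [BackupRun("full", 0, dict(catalog))]
    copied: list[set[str]] = []
    for tick in sorted(CHANGES):
        catalog.update(CHANGES[tick])
        chosen = files_to_backup(catalog, history, policy)
        history.append(BackupRun(policy, tick, {p: catalog[p] for p in chosen}))
        copied.append(chosen)
    return copied, history, dict(catalog)


if __name__ == "__main__":
    for policy in ("differential", "incremental"):
        copied, history, final = simulate(policy)
        chain = restore_chain(history)
        print(f"{policy}: copied per day = {[sorted(c) for c in copied]}")
        print(f"{policy}: restore needs {len(chain)} archive(s); "
              f"state matches = {restore(chain) == final}")
```

Under the differential policy the day-3 set is cumulative (db.sqlite, notes.txt and shadow), so each run grows until the next full but a restore needs only two archives; under the incremental policy day 3 copies only shadow, and a restore must replay the full plus all three incrementals in order, so losing any one of them breaks the chain.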