CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 12 of 15.
- Question #552 (Security and Privacy Governance, Risk Management, and Compliance Program): According to FISMA and OMB policy, external subsystems are required to meet the same security requirements as systems operated internally.................... Tags: FISMA; OMB policy; Government security requirements; External systems
- Question #553 (Assessment/Audit of Security and Privacy Controls): Organizations consider which of the following factors when selecting security or privacy control assessors? Tags: Assessor selection; Assessor independence; Technical expertise; Control assessment
- Question #554 (Assessment/Audit of Security and Privacy Controls): Which RMF role must ensure the security assessment plan is consistent with the security objectives, reflects the use of tools, techniques, etc.? Tags: RMF Roles; Information System Owner; Security Assessment Plan; Security Objectives
- Question #555 (Security and Privacy Governance, Risk Management, and Compliance Program): Who provides oversight of activities of the system owner, who provides trend analysis to identify problems that may impact security posture. From Enterprise perspective reports to AO and... Tags: Roles and Responsibilities; Information Security Governance; Risk Management; Enterprise Security
- Question #556 (Security and Privacy Governance, Risk Management, and Compliance Program): What are three examples of data classification found in FIPS PUB 199? Tags: data classification; FIPS PUB 199; information categorization; security categorization
- Question #557 (System Compliance): What key information is used by the authorizing official (AO) to assist with the risk determination of an information system (IS)? Tags: Authorizing Official (AO); Security Authorization Package (SAP); Risk Determination; Authorization to Operate (ATO)
- Question #558 (Security and Privacy Governance, Risk Management, and Compliance Program): The security controls for an information system that focus on the management of risk and the management of information system security are known as: Tags: Security controls; Management controls; Risk management; Information system security
- Question #559 (Security and Privacy Governance, Risk Management, and Compliance Program): What is the objective of the Security Accreditation Decision task? Tags: Security Accreditation Decision; Risk Acceptance; RMF; Authorization to Operate (ATO)
- Question #560 (Compliance Maintenance): Significant changes to the environment of operation may trigger an event-driven authorization action which may not be limited to all of the following except one. Choose the excepti... Tags: Event-Driven Authorization; Significant Change Management; NIST RMF; Authorization Boundary
- Question #561 (Assessment/Audit of Security and Privacy Controls): Hardware, software, and firmware are examples of which of the assessment objects exercised by control assessors? Tags: Assessment Objects; Control Assessment; NIST SP 800-53A; Mechanisms
- Question #562 (Assessment/Audit of Security and Privacy Controls): Which of the following is principally used to verify that Information Systems (IS) are meeting their stated security goals and objectives? Tags: System Security Plan; Security Goals; Verification; Security Controls
- Question #563 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following roles is responsible for review and risk analysis of all contracts on a regular basis? Tags: Supplier Management; Contract Management; Risk Analysis; Third-party Risk Management
- Question #564 (Selection and Approval of Framework, Security, and Privacy Controls): A set of security controls resulting from the application of tailoring guidance to the security control baseline. Tags: Security Controls; Tailoring; Security Control Baseline; RMF
- Question #565 (Security and Privacy Governance, Risk Management, and Compliance Program): Of the ensuing potential inputs to the Authorization package, one is not a living document. Which one? Tags: Authorization Package; Living Documents; RMF Documents; NIST RMF
- Question #566 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following is NOT considered an environmental threat source? Tags: Environmental threats; Threat sources; Risk identification
- Question #567 (Security and Privacy Governance, Risk Management, and Compliance Program): What kind of approach does BRM provide? Tags: Business Reference Model; Data Classification; Structured Approach; Information Governance
- Question #568 (Selection and Approval of Framework, Security, and Privacy Controls): What is RMF Step 2? Tags: RMF; Security Controls; NIST; Control Selection
- Question #569 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following concepts represent the three fundamental principles of information security? Each correct answer represents a complete solution. Choose three. Tags: Information Security Principles; Confidentiality; Integrity; Availability
- Question #570 (Assessment/Audit of Security and Privacy Controls): The test plan should evaluate plans that support the IS, such as Incident Response, Disaster Recovery, and _______________ Plan to ensure they are up to date & meet the protection... Tags: Contingency Planning; Disaster Recovery; Incident Response; Operational Resilience
- Question #571 (System Compliance): Task five of the Authorize step is authorization reporting. Which of the following best explains why authorization reporting is carried out? Tags: Authorization reporting; Authorize step; NIST RMF; Security authorization
- Question #572 (Security and Privacy Governance, Risk Management, and Compliance Program): When an ATO is issued, which of the following roles authoritatively accepts residual risk on behalf of the organization? Tags: Authorization to Operate (ATO); Authorizing Official (AO); Residual Risk; Risk Acceptance
- Question #573 (Security and Privacy Governance, Risk Management, and Compliance Program): What are the four business areas of BRM? Tags: Business Reference Model (BRM); Government functions; Service delivery; Enterprise Architecture
- Question #574 (Scope of the System): The person primarily responsible for RMF Step 1, Categorization. Tags: RMF Step 1; Categorization; Information System Owner; Roles and Responsibilities
- Question #575 (Security and Privacy Governance, Risk Management, and Compliance Program): Which security objective ensures that data accuracy is maintained? Tags: CIA Triad; Data Integrity; Security Objectives
- Question #576 (Implementation of Security and Privacy Controls): A continuous monitoring strategy for a new system is developed during which phase of the system development life cycle? Tags: Continuous Monitoring Strategy; SDLC Phases; System Development; Security Control Implementation
- Question #577 (Security and Privacy Governance, Risk Management, and Compliance Program): Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing s... Tags: Certification; Accreditation; Risk Management Framework (RMF); Authorization to Operate (ATO)
- Question #578 (Compliance Maintenance): True or False. Impacts of changes should be known in advance so that appropriate actions can be taken before vulnerabilities are experienced. Tags: Change Management; Risk Assessment; Vulnerability Prevention; Proactive Security
- Question #579 (Assessment/Audit of Security and Privacy Controls): Penetration testing (also called pen testing) is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. Whic... Tags: Penetration Testing; Vulnerability Exploitation; Attack Vectors; Social Engineering
- Question #580 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following is not a risk factor as stated in NIST SP 800-37? Tags: NIST SP 800-37; Risk factors; Risk Management Framework; Threat, Vulnerability, Likelihood
- Question #581 (Scope of the System): When attempting to categorize a system, which two RMF starting point inputs should be accounted for and are critical input to Categorization? Tags: RMF; System Categorization; Inputs; NIST RMF
- Question #582 (Security and Privacy Governance, Risk Management, and Compliance Program): A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required... Tags: Security Policy; Policy Elements; Governance; Compliance
- Question #583 (Implementation of Security and Privacy Controls): A security control that is implemented in an information system in part as a common control and in part as a system-specific control. See also Common Control and System-Specific Se... Tags: Security controls; Hybrid controls; Common controls; System-specific controls
- Question #584 (Security and Privacy Governance, Risk Management, and Compliance Program): The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operation... Tags: Information System Resilience; System Continuity; Operational Resilience; Disaster Recovery
- Question #585 (Scope of the System): Any telecommunications or information system that is defined as a national security system (FISMA 2002) because it processes any information the loss, misuse, disclosure, or unauth... Tags: System Classification; Mission Critical System; National Security System; FISMA
- Question #586 (Security and Privacy Governance, Risk Management, and Compliance Program): The Risk Management Framework (RMF) provides an organized approach for organization-wide risk management. What are the tiers of the organization-wide perspective? Tags: Risk Management Framework (RMF); NIST RMF Tiers; Organization-wide Risk Management
- Question #587 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following administrative policy controls requires individuals or organizations to be engaged in good business practices relative to the organization's industry? Tags: Due care; Administrative controls; Governance principles; Compliance concepts
- Question #588 (Compliance Maintenance): What is the system development life cycle phase for step six of the RMF for an existing system? Tags: RMF; SDLC; Monitoring; Operations/Maintenance
- Question #589 (System Compliance): Which of the following is the expansion of the acronym RTM? Tags: Requirements Traceability Matrix; Traceability; Compliance Documentation
- Question #590 (Security and Privacy Governance, Risk Management, and Compliance Program): According to NIST SP 800-37 Rev 2 appendix F, there are several types of authorizations including all of the following, except one. Tags: NIST SP 800-37; Authorization; Risk Management Framework; Governance
- Question #591 (Compliance Maintenance): After a monthly change control board meeting at which the team determined the security impact of proposed changes to an application, what would be the team's next action? Tags: Change Management; Continuous Monitoring; RMF Documentation; System Maintenance
- Question #592 (Implementation of Security and Privacy Controls): Besides the System Owner (SO), what role has the PRIMARY responsibility for implementing the security controls in the security and privacy plans for an Information System (IS)? Tags: RMF Roles and Responsibilities; Common Control Provider (CPP); Control Implementation; System Owner (SO)
- Question #593 (Implementation of Security and Privacy Controls): Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process... Tags: DITSCAP; Certification & Accreditation (C&A); Verification Phase; System Development Lifecycle (SDLC)
- Question #594 (Security and Privacy Governance, Risk Management, and Compliance Program): Risk acceptance when the external subsystem owner or service provider cannot fully meet security expectations should be based on the implementation of........ Tags: Risk Acceptance; Compensating Controls; Risk Treatment; Third-Party Risk
- Question #595 (Security and Privacy Governance, Risk Management, and Compliance Program): The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national... Tags: Security Categorization; FIPS 199; CNSS 1253; Risk Management
- Question #596 (Selection and Approval of Framework, Security, and Privacy Controls): National Institute of Standards and Technology (NIST) guidance classifies security controls as Tags: NIST guidance; Security control classification; System-specific controls; Common controls
- Question #597 (Security and Privacy Governance, Risk Management, and Compliance Program): Jeff, a key stakeholder in your project, wants to know how the risk exposure for the risk events is calculated during quantitative risk analysis. He is worried about the risk expos... Tags: Risk Management; Quantitative Risk Analysis; Risk Exposure; Risk Calculation
- Question #598 (Implementation of Security and Privacy Controls): What is the 3rd SDLC phase, which maps to RMF step 5 (Authorize)? Tags: SDLC Phases; RMF Steps; System Authorization; Control Implementation
- Question #599 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following is a risk that is created by the response to another risk? Tags: Risk Management; Risk Response; Secondary Risk
- Question #600 (Selection and Approval of Framework, Security, and Privacy Controls): NIST guidance classifies security controls as Tags: NIST; Security Controls; Control Classification; Technical Operational Management
- Question #601 (Security and Privacy Governance, Risk Management, and Compliance Program): Who initiates the system authorization process and has the full responsibility over the life cycle of an information system? Tags: Information System Owner (ISO); System Life Cycle; Authorization Process; Roles and Responsibilities