CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 13 of 15.
- Question #602 (Domain: Selection and Approval of Framework, Security, and Privacy Controls)
  An authorization approach where multiple organizational officials either from the same organization or different organizations, have a shared interest in authorizing a system is kn...
  Tags: Joint authorization; System authorization; Authorization approaches; RMF Authorize step

- Question #603 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following formulas was developed by FIPS 199 for categorization of an information type?
  Tags: FIPS 199; Security categorization; CIA triad; Information impact

- Question #604 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  Who is the official with the authority to formally assume responsibility for operating an IS at an acceptable level of risk to agency operations (including mission, functions, imag...
  Tags: Authorizing Official (AO); Risk Acceptance; Authorization to Operate (ATO); Accreditation Authority

- Question #605 (Domain: Assessment/Audit of Security and Privacy Controls)
  The information system owner should strive to test every control at least every ___ years, and the most critical controls continuously.
  Tags: Control testing frequency; Continuous monitoring; Control assessment; System owner responsibilities

- Question #606 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibili...
  Tags: CIO Responsibilities; IT Governance; Information Security Leadership; Continuous Monitoring

- Question #607 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  The security category that guards against the improper modification or destruction of information, and includes ensuring information non-repudiation and authenticity.
  Tags: Integrity; CIA Triad; Information Security Principles; Non-repudiation

- Question #608 (Domain: Selection and Approval of Framework, Security, and Privacy Controls)
  An organization's information systems are a mix of Windows and UNIX systems located in a single computer room. Access to the computer room is restricted by the use of door locks th...
  Tags: Security Controls; Control Types; Inherited Controls; Physical Security

- Question #609 (Domain: Implementation of Security and Privacy Controls)
  The functional description of security control implementation must include which of the following, primarily as it relates to the technical controls employed in the system?
  Tags: Security Control Implementation; Technical Controls; Control Documentation; Functional Description

- Question #610 (Domain: Scope of the System)
  Any telecommunications system or information system used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency that (1) the functio...
  Tags: National Security Systems; System Classification; Government Information Systems

- Question #611 (Domain: Selection and Approval of Framework, Security, and Privacy Controls)
  Colvine Tech implemented security cameras, door locks, and light bulbs to protect its systems from threats. What is the function of security cameras?
  Tags: Security Controls; Control Types; Detective Controls; Physical Security

- Question #612 (Domain: Assessment/Audit of Security and Privacy Controls)
  The security assessment plan is prepared to provide the Authorizing Official and other organizational officials with a plan of how the security assessment will be conducted. Which...
  Tags: Security Assessment Planning; Roles and Responsibilities; Authorizing Official (AO); Security Control Assessor (SCA)

- Question #613 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  What is the first step in the process of implementing an Information Security Continuous Monitoring (ISCM) program?
  Tags: Information Security Continuous Monitoring (ISCM); ISCM strategy; Program implementation; Security governance

- Question #614 (Domain: Implementation of Security and Privacy Controls)
  In what phases of the RMF and SDLC, respectively, does documentation of control implementation start?
  Tags: RMF phases; SDLC phases; Control implementation; Documentation

- Question #615 (Domain: System Compliance)
  The authorization decision may carry restrictions on system operation and caveats that must be followed to maintain the authorization, and other information as determined by the or...
  Tags: Authorization Decision; NIST RMF Authorization; System Operation; Authorization Conditions

- Question #616 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  A certain security principle provides assurance that data has not been modified, tampered with or corrupted through unauthorized or unintended changes. Data can be a message, a fil...
  Tags: Security Principles; Data Integrity; CIA Triad

- Question #617 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  According to NIST SP 800-39, when an organization responds to risk by eliminating the activities or technologies that are the basis for the risk, that organization is
  Tags: Risk Management; Risk Response; NIST SP 800-39; Risk Avoidance

- Question #618 (Domain: System Compliance)
  Which of the following processes provides a standard set of activities, general tasks, and a management structure to certify and accredit systems, which maintain the information as...
  Tags: Certification and Accreditation; NIACAP; Information Assurance; System Security Posture

- Question #619 (Domain: Scope of the System)
  What are the three primary considerations for defining system boundaries?
  Tags: System boundaries; Scope definition; Management control

- Question #620 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  The tiers of the National Institute of Standards and Technology (NIST) risk management framework are
  Tags: NIST RMF; Risk Management Framework; RMF Tiers; NIST SP 800-37

- Question #621 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
  Tags: Adequate Security; Risk Management; Security Definitions

- Question #622 (Domain: Compliance Maintenance)
  Among the key roles in continuous monitoring, the __________ acts under the authority of the system owner to monitor the security posture of the system and immediately reports discrepancies to the syste...
  Tags: Continuous Monitoring Roles; ISSO Responsibilities; System Owner; Security Posture

- Question #623 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency,...
  Tags: Contingency planning; Recovery plans; Incident management

- Question #624 (Domain: Selection and Approval of Framework, Security, and Privacy Controls)
  During which Risk Management Framework (RMF) step is the system security plan initially approved?
  Tags: RMF Steps; System Security Plan (SSP); Security Control Selection; SSP Approval

- Question #625 (Domain: Assessment/Audit of Security and Privacy Controls)
  Which one of the following publications provides details on monitoring security controls?
  Tags: NIST SP 800-137; Continuous Monitoring; ISCM; Security Control Monitoring

- Question #626 (Domain: Compliance Maintenance)
  At which point in the Risk Management Framework (RMF) process is a system analyzed for changes that impact the security and privacy posture of the system?
  Tags: RMF; Monitoring Phase; Continuous Monitoring; Change Impact Analysis

- Question #627 (Domain: Selection and Approval of Framework, Security, and Privacy Controls)
  A full backup captures all files on the disk or within the folder selected for backup. Because all backed-up files are recorded to a single media or media set, locating a particula...
  Tags: Backup types; Full backup; Data storage; Data protection

- Question #628 (Domain: Implementation of Security and Privacy Controls)
  In what phases of the Risk Management Framework (RMF) and system development life cycle (SDLC), respectively, does documentation of control implementation start?
  Tags: RMF phases; SDLC phases; Control implementation; Documentation

- Question #629 (Domain: Compliance Maintenance)
  The mitigation of violations of security policies and recommended practices.
  Tags: Incident Handling; Security Policy Violations; Remediation

- Question #630 (Domain: Scope of the System)
  Who has the authority to divide a complex system in order to establish realistic security authorization boundaries?
  Tags: System authorization boundaries; Authorizing Official (AO) responsibilities; Information System Security Officer (ISSO) responsibilities; System scope definition

- Question #631 (Domain: Assessment/Audit of Security and Privacy Controls)
  Which of the following NIST Special Publication documents provides a guideline on network security testing?
  Tags: NIST Special Publications; Network Security Testing; Security Guidelines

- Question #632 (Domain: Selection and Approval of Framework, Security, and Privacy Controls)
  Site-specific controls are typically implemented by an organization as what type of controls?
  Tags: Common controls; Control types; Site-specific controls; Control classification

- Question #633 (Domain: Compliance Maintenance)
  An effective continuous monitoring program can be used to
  Tags: continuous monitoring; FISMA; compliance; regulatory reporting

- Question #634 (Domain: Selection and Approval of Framework, Security, and Privacy Controls)
  A specification of security controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, that is intended to compl...
  Tags: Security Control Overlays; NIST RMF; Control Tailoring; Security Control Baselines

- Question #635 (Domain: System Compliance)
  When an authorizing official (AO) submits the security authorization decision, what responses should the information system owner (ISO) expect to receive?
  Tags: Authorization to Operate (ATO); Denial of Authorization to Operate (DATO); Risk Management Framework (RMF); Authorizing Official (AO)

- Question #636 (Domain: Assessment/Audit of Security and Privacy Controls)
  Which of the following assessment methods involves observing or conducting the operation of physical devices?
  Tags: Assessment Methods; Control Testing; Physical Security Assessment

- Question #637 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  System authorization programs are marked by frequent failure due to, among other things, poor planning, poor systems inventory, failure to fix responsibility at the system level, a...
  Tags: Program failure factors; Management commitment; Authorization program governance; Organizational support

- Question #638 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  Tom is the project manager for his organization. In his project he has recently finished the risk response planning. He tells his manager that he will now need to update the cost a...
  Tags: Risk Management; Project Baselines; Cost Management; Schedule Management

- Question #639 (Domain: Selection and Approval of Framework, Security, and Privacy Controls)
  Which of the following methods of authentication uses fingerprints to identify users?
  Tags: Authentication; Biometrics; Identity Verification

- Question #640 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  A predetermined set of instructions or procedures that describe how an organization's mission essential functions will be sustained within 12 hours and for up to 30 days as a resul...
  Tags: Continuity of Operations Plan; Organizational Resilience; Disaster Recovery; Mission Essential Functions

- Question #641 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  Information security management is a process of defining the security controls in order to protect information assets. What are the security management responsibilities? Each corre...
  Tags: Security Management; Governance; Risk Management; Program Planning

- Question #642 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  Who has the primary responsibility to report the authorization decision?
  Tags: Authorization Decision; Roles and Responsibilities; Authorizing Official (AO); Authorizing Official Designated Representative (AODR)

- Question #643 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following roles is not one of those with primary responsibility for ongoing risk response?
  Tags: Risk Management Roles; Ongoing Risk Response; Organizational Roles and Responsibilities; Information Security Governance

- Question #644 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  Neil works as a project manager for SoftTech Inc. He is working with Tom, the COO of his company, on several risks within the project. Tom understands that through qualitative anal...
  Tags: Risk Prioritization; Risk Analysis; Risk Management Program; Project Risk

- Question #645 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements).
  Tags: Organization definition; GRC fundamentals; Entity; Governance concepts

- Question #646 (Domain: Selection and Approval of Framework, Security, and Privacy Controls)
  The National Institute of Standards and Technology (NIST) guidance classifies security controls as
  Tags: NIST; Security Controls; Control Classification; NIST SP 800-53

- Question #647 (Domain: Selection and Approval of Framework, Security, and Privacy Controls)
  The scope of certification normally addresses all NIST SP _________ control families with the purpose of uncovering design, implementation, and operational flaws in those controls....
  Tags: NIST SP 800-53; Security Controls; Control Families; NIST Frameworks

- Question #648 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  There are seven risk responses that a project manager can choose from. Which risk response is appropriate for both positive and negative risk events?
  Tags: Risk Management; Risk Response Strategies; Acceptance; Threats and Opportunities

- Question #649 (Domain: Assessment/Audit of Security and Privacy Controls)
  Which of the following in an assessment plan protects the security control assessment team from liability should the security control assessment result in unforeseen damage?
  Tags: Security Control Assessment; Assessment Plan; Rules of Engagement; Liability

- Question #650 (Domain: Assessment/Audit of Security and Privacy Controls)
  A SCAP specification for communicating the characteristics of vulnerabilities and measuring their relative severity.
  Tags: CVSS; Vulnerability Management; Risk Assessment; SCAP

- Question #651 (Domain: Security and Privacy Governance, Risk Management, and Compliance Program)
  What should the system owner use to prioritize mitigation actions when developing the plan of action and milestones (POA&M)?
  Tags: POA&M; Risk Prioritization; Mitigation Actions; Risk Assessment