CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 14 of 15.
- Question #652 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Organization official that is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system.
  Tags: Information System Owner, Roles and Responsibilities, System Lifecycle Management, IT Governance
- Question #653 (Assessment/Audit of Security and Privacy Controls)
  According to NIST SP 800-37 Rev. 2, step 5 of the Risk Management Framework can be described as:
  Tags: NIST RMF, RMF Assess Step, System Authorization, Certification
- Question #654 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following are the tasks performed by the owner in information classification schemes? Each correct answer represents a part of the solution. Choose three.
  Tags: Information Classification, Data Owner Responsibilities, Roles and Responsibilities, Information Governance
- Question #655 (Assessment/Audit of Security and Privacy Controls)
  Assessment methods have a set of associated attributes that help define the level of effort for the assessment. Which of the following is the correct pair of attributes?
  Tags: Assessment methods, Assessment attributes, Depth, Coverage
- Question #656 (Scope of the System)
  Which of the following best defines a general support system?
  Tags: General Support System, Information System, System Definition
- Question #657 (Implementation of Security and Privacy Controls)
  Which of the following statements about a Discretionary Access Control List (DACL) is true?
  Tags: Access Control Lists, Discretionary Access Control, Permissions Management
- Question #658 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following statements is true about residual risk?
  Tags: Residual risk, Risk management, Security controls, Risk mitigation
- Question #659 (Scope of the System)
  What are the three tools necessary for managing the inventory program?
  Tags: Asset inventory, GRC tools, Information management, System scope
- Question #660 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A SCAP specification that provides unique, common names for publicly known information system vulnerabilities.
  Tags: CVE, Vulnerability identification, SCAP, Security standards
- Question #661 (Security and Privacy Governance, Risk Management, and Compliance Program)
  An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a signific...
  Tags: Business Impact Analysis (BIA), Contingency Planning, Risk Management, Business Continuity
- Question #662 (System Compliance)
  Which of the following is a temporary approval to operate based on an assessment of the implementation status of the assigned IA Controls?
  Tags: IATO, Authorization to Operate, RMF Authorization, Temporary Approval
- Question #663 (Scope of the System)
  Why are subsystems within complex systems not treated as independent entities, even though the subsystems may exist as complete systems?
  Tags: System Interdependence, Subsystem Management, Complex Systems, System Scoping
- Question #664 (Scope of the System)
  What is the process of determining the security category for information or an information system per methodologies described in CNSS Instruction 1253 for national security systems...
  Tags: Security Categorization, FIPS 199, CNSS 1253, NIST RMF
- Question #665 (Selection and Approval of Framework, Security, and Privacy Controls)
  Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
  Tags: Security Controls, Countermeasures, Vulnerability Reduction, Safeguards
- Question #666 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Your project uses a piece of equipment that, if its temperature goes above 450 degrees Fahrenheit, will overheat and have to be shut down for 48 hours. Shou...
  Tags: Risk management, Risk trigger, Risk response planning
- Question #667 (Security and Privacy Governance, Risk Management, and Compliance Program)
  You are the project manager of the GHG project. You are preparing for the quantitative risk analysis process. You are using organizational process assets to help you complete the q...
  Tags: Organizational Process Assets (OPAs), Quantitative Risk Analysis, Risk Management, Project Management Inputs
- Question #668 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Where can a project manager find risk-rating rules?
  Tags: Risk Management, Organizational Process Assets, Risk Rating, Program Management
- Question #669 (Compliance Maintenance)
  Which of the following statements is true about the continuous monitoring process?
  Tags: Continuous Monitoring, Risk Management Framework (RMF), System Accreditation, Authorization to Operate (ATO)
- Question #670 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Phase 3 of the Risk Management Framework (RMF) process is known as mitigation planning. Which of the following processes take place in phase 3? Each correct answer represents a...
  Tags: Risk Management Framework (RMF), Risk Mitigation Planning, Control Implementation, Risk Assessment and Evaluation
- Question #671 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?
  Tags: Certification & Accreditation (C&A), Risk Management Framework (RMF), Information System Owner, Roles and Responsibilities
- Question #672 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Eric is the project manager of the MTC project for his company. In this project, a vendor has offered Eric a sizeable discount on all hardware if his order total for the project is...
  Tags: Risk Management, Positive Risk Response, Opportunity Sharing, Project Management
- Question #673 (Implementation of Security and Privacy Controls)
  Who is responsible for securing an information system, managing all security aspects of the system, and assembling the security accreditation package while serving as the point of...
  Tags: ISSO Responsibilities, RMF Roles, Accreditation Package, Security Management
- Question #674 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies,...
  Tags: Contingency Planning, Business Continuity, Disaster Recovery, Risk Management
- Question #675 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following RMF phases is known as risk analysis?
  Tags: RMF phases, Risk analysis, NIST SP 800-37, Control selection
- Question #676 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Concerning residual risk, which of the following statements is true?
  Tags: Residual Risk, Risk Management, Risk Definition
- Question #677 (Assessment/Audit of Security and Privacy Controls)
  Which of the following is an example of the test assessment method?
  Tags: Control assessment methods, Testing controls, Vulnerability scanning, Security control assessment
- Question #678 (Security and Privacy Governance, Risk Management, and Compliance Program)
  You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What s...
  Tags: Risk Management, Risk Identification, Risk Response, Risk Monitoring
- Question #679 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What is the position of Senior Information Security Officer, or Chief Information Security Officer, known as at the agency level?
  Tags: Information Security Roles, Agency Roles, CISO, SAISO
- Question #680 (Security and Privacy Governance, Risk Management, and Compliance Program)
  According to NIST SP 800-60 Vol. 2 Rev. 1, the intellectual property protection information type may be categorized as low, but trade secrets are categorized as:
  Tags: NIST SP 800-60, Information Classification, Confidentiality Impact, Trade Secrets
- Question #681 (Assessment/Audit of Security and Privacy Controls)
  FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF...
  Tags: FITSAF, Security Assessment Framework, Control Testing, Security Review
- Question #682 (Selection and Approval of Framework, Security, and Privacy Controls)
  A large organization has a documented information security policy that has been reviewed and approved by senior officials and is readily available to all organizational staff. This in...
  Tags: NIST SP 800-53, Hybrid Controls, Common Controls, System Security Plan
- Question #683 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What publication provides an approach for performing system-level risk assessments?
  Tags: NIST Special Publications, Risk Assessment, System-level Risk, Information Security Guidance
- Question #684 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following relations correctly describes residual risk?
  Tags: Residual Risk, Risk Management Formula, Threats and Vulnerabilities, Control Gap
- Question #685 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply.
  Tags: Security program development, Program management approaches, Top-down security, Bottom-up security
- Question #686 (Scope of the System)
  When attempting to categorize a system, which two RMF starting point inputs should be accounted for?
  Tags: RMF, System Categorization, Inputs, NIST SP 800-37
- Question #687 (Scope of the System)
  Testing must include an assessment of the _____________ as described in the system security plan, as recorded in the risk assessment, and reflected in the accreditation boundary; a...
  Tags: System Boundary, RMF, System Security Plan, Accreditation Boundary
- Question #689 (Assessment/Audit of Security and Privacy Controls)
  Which of the following assessment methods is used to review, inspect, and analyze assessment objects?
  Tags: Assessment methods, Control examination, Compliance assessment
- Question #690 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following organizational officials has the primary responsibility for putting together the authorization package?
  Tags: Authorization Package, RMF Roles, ISO, SAOP
- Question #691 (Assessment/Audit of Security and Privacy Controls)
  Prior to completion of the security assessment report (SAR), what type of analysis is performed when agile, iterative development is used?
  Tags: Agile security, Incremental assessment, Security Assessment Report (SAR), RMF Assessment
- Question #692 (Selection and Approval of Framework, Security, and Privacy Controls)
  Which NIST SP provides a security control catalog for systems at each level, titled Security and Privacy Controls for Federal Information Systems and Organizations?
  Tags: NIST SP 800-53, Security Controls, Privacy Controls, Control Catalog
- Question #693 (System Compliance)
  Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?
  Tags: RTM, Software Release, Product Readiness, Quality Level
- Question #694 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which law was superseded by FISMA? The law required that systems processing federal data be authorized to process by a management official, and failure to do so constitutes a...
  Tags: FISMA, Clinger-Cohen Act, Federal Cybersecurity Legislation, Governance Evolution
- Question #695 (Security and Privacy Governance, Risk Management, and Compliance Program)
  An updated risk assessment in response to the security control assessment, along with inputs from the risk executive, helps to determine and prioritize...
  Tags: Risk Assessment, Remediation Prioritization, Control Assessment Response, Risk Executive Input
- Question #696 (Compliance Maintenance)
  Based on the results of the continuous monitoring process, all but one of the following key documents are updated.
  Tags: Continuous Monitoring, Document Management, NIST RMF, Compliance Maintenance
- Question #697 (Scope of the System)
  The term __________ relates to the system as a whole, whereas sensitivity relates to the data that the system processes.
  Tags: System Criticality, Data Sensitivity, Information Categorization, Risk Management Fundamentals
- Question #698 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of poli...
  Tags: Security Policies, Policy Types, Governance, Security Directives
- Question #699 (Selection and Approval of Framework, Security, and Privacy Controls)
  Security controls that can support multiple information systems efficiently and effectively as a common capability. Their implementation results in a security capability that is in...
  Tags: Common Controls, Security Controls, Inheritance, Control Categorization
- Question #700 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following specifies security requirements for federal information and information systems in 17 security-related areas that represent a broad-based, balanced informati...
  Tags: FIPS 200, Security Requirements, Federal Information Systems, NIST Standards
- Question #701 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following roles is also known as the accreditor?
  Tags: Roles and Responsibilities, Accreditation, Designated Approving Authority (DAA), Authorization Process
- Question #702 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following acts promote a risk-based policy for cost-effective security? Each correct answer represents a part of the solution. Choose all that apply.
  Tags: US Federal Acts, IT Governance, Risk-based security, Cost-effective security