CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 2 of 15.
- Question #51 (Assessment/Audit of Security and Privacy Controls)
A security assessment plan comprises all of the following except one. Response:
Topics: Security Assessment Plan, Assessment Planning, Audit Planning
- Question #52 (Implementation of Security and Privacy Controls)
Which NIST Special Publication provides guidance on security-focused configuration management? Response:
Topics: NIST Special Publications, Configuration Management, Security Configuration, NIST SP 800-128
- Question #53 (Scope of the System)
The authorization boundary of a system undergoing assessment comprises: Response:
Topics: Authorization Boundary, Information System, NIST RMF, System Scope
- Question #54 (Assessment/Audit of Security and Privacy Controls)
Which of the following BEST describes the objective of a Security Assessment Plan? Response:
Topics: Security Assessment Plan, Security Assessment, Assessment Planning
- Question #55 (Security and Privacy Governance, Risk Management, and Compliance Program)
You are the project manager for a construction project. The project includes a work that involves very high financial risks. You decide to insure processes so that any ill happenin...
Topics: Risk Management Strategies, Risk Transfer, Insurance
- Question #56 (Security and Privacy Governance, Risk Management, and Compliance Program)
Security categorization of a National Security System must consider the security categories of all information types resident on it. Response:
Topics: Security Categorization, National Security System, Information Types, Risk Management Framework
- Question #57 (Security and Privacy Governance, Risk Management, and Compliance Program)
The Security Category that primarily deals with preserving authorized restrictions on information access and disclosure. Response:
Topics: Confidentiality, CIA Triad, Information Security Principles, Data Protection
- Question #58 (Security and Privacy Governance, Risk Management, and Compliance Program)
As indicated in NIST SP 800-37 and NIST SP 800-53, the RMF provides architectural description inputs to the risk management strategy, including mission/business processes, FEA refe...
Topics: NIST RMF, Architectural Description, Risk Management Strategy Inputs, NIST SP 800-37
- Question #59 (Scope of the System)
An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data...
Topics: General Support System, System definition, Information resources
- Question #60 (Security and Privacy Governance, Risk Management, and Compliance Program)
Who has the responsibility to review and ensure that only substantive items are incorporated in the plan of action and milestones? Response:
Topics: Authorizing Official, POAM, Roles and Responsibilities, Risk Management
- Question #61 (Scope of the System)
An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the i...
Topics: Major Application, Information System Categorization, Federal Information Systems, Risk Assessment
- Question #62 (Security and Privacy Governance, Risk Management, and Compliance Program)
Which of the following governance bodies directs and coordinates implementations of the information security program? Response:
Topics: CISO responsibilities, Information Security Program, Security Governance, Organizational Roles
- Question #63 (Security and Privacy Governance, Risk Management, and Compliance Program)
Not all deficiencies in controls or lack of security protections are vulnerabilities. Vulnerabilities in control can be defined as: Response:
Topics: Vulnerability definition, Control deficiencies, Risk management concepts
- Question #64 (Assessment/Audit of Security and Privacy Controls)
Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system? Response:
Topics: TCSEC, Security Control Assessment, Computer System Evaluation, Historical Security Standards
- Question #65 (Scope of the System)
The scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation and maintenance, and ultimately its disposal tha...
Topics: System Development Life Cycle, SDLC phases, System life cycle
- Question #66 (Implementation of Security and Privacy Controls)
A fundamental of Risk Management per NIST SP 800-37 is the integration of information security requirements into an organization's what? Response:
Topics: NIST SP 800-37, Risk Management, Information Security Integration, SDLC
- Question #67 (Selection and Approval of Framework, Security, and Privacy Controls)
Which of the following access control models uses a predefined set of access privileges for an object of a system? Response:
Topics: Access Control Models, Mandatory Access Control, Information Security Principles, Security Controls
- Question #68 (Security and Privacy Governance, Risk Management, and Compliance Program)
Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management is the title of what requirement? Response:
Topics: OMB M-11-33, FISMA reporting, Privacy management, Federal directives
- Question #69 (Security and Privacy Governance, Risk Management, and Compliance Program)
According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls. Which of the fo...
Topics: DoD Instruction, Information Assurance, IA Areas, Compliance
- Question #70 (Security and Privacy Governance, Risk Management, and Compliance Program)
Interrelationships of system authorization processes. Response:
Topics: System Authorization, Project Planning, Risk Management Framework (RMF), Compliance Process
- Question #71 (Scope of the System)
NIST SP 800-37 provides guidance for applying RMF to all of which type of information systems for design, development, implementation, operation, maintenance and development? Respo...
Topics: NIST SP 800-37, RMF, Federal Information Systems, System Applicability
- Question #72 (Security and Privacy Governance, Risk Management, and Compliance Program)
The official primarily responsible for the security of an Info System; who establishes sensitivity level and types of controls required to protect the IS and initiates system author...
Topics: System Owner, Roles and Responsibilities, Information Security Governance, System Authorization
- Question #73 (Assessment/Audit of Security and Privacy Controls)
Is it a good or bad idea for the inspecting team to work with host staff to correct weaknesses on the spot when possible? Response:
Topics: Audit best practices, Inspection methodology, Corrective actions, Collaborative auditing
- Question #74 (Assessment/Audit of Security and Privacy Controls)
Which NIST Special publication provides guidance on security assessment reports? Response:
Topics: NIST SP 800-53A, Security Assessment Reports, NIST Special Publications, Assessment Guidance
- Question #75 (Assessment/Audit of Security and Privacy Controls)
When carrying out ongoing risk response, the effectiveness of new, modified, enhanced, or added controls must be... Response:
Topics: Risk response, Control effectiveness, Ongoing monitoring, Control lifecycle
- Question #76 (Scope of the System)
In what step of the RMF process would you create the SSP? Response:
Topics: RMF Process, SSP Creation, Categorization Step, System Documentation
- Question #77 (Security and Privacy Governance, Risk Management, and Compliance Program)
Which organization is responsible for procurement, development, integration, modification, operation, maintenance, and disposal of an Information System? Response:
Topics: Information System Owner, System Lifecycle, Roles and Responsibilities, Accountability
- Question #78 (Assessment/Audit of Security and Privacy Controls)
An assessment procedure consists of a set of which things, each with an associated set of potential assessment methods and assessment objects? Response:
Topics: Assessment procedures, Assessment objectives, Control assessment, NIST SP 800-53A
- Question #79 (Security and Privacy Governance, Risk Management, and Compliance Program)
The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner. The authorization decision docu...
Topics: Authorization Decision Document, Risk Management Framework (RMF), System Authorization, Authorizing Official (AO)
- Question #80 (Assessment/Audit of Security and Privacy Controls)
During the security impact analysis vulnerabilities were uncovered in the information system. Which of the following documents should address the outstanding items? Response:
Topics: Plan of Action and Milestones (POAM), Vulnerability Management, Risk Management Framework (RMF) Documentation, Security Assessment Outcomes
- Question #81 (Security and Privacy Governance, Risk Management, and Compliance Program)
Failure to authorize an operational system to process demonstrates that management has not exercised due care in protecting the system in the event of a security incident. Which of...
Topics: FISMA, System Authorization, Due Care, Federal Compliance
- Question #82 (Security and Privacy Governance, Risk Management, and Compliance Program)
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Response:
Topics: Integrity, Information Security Principles, Non-repudiation, Authenticity
- Question #83 (Selection and Approval of Framework, Security, and Privacy Controls)
When an Information System Owner applies a risk-based approach to his selection of specific controls, this adjustment is called __________. The revised/tailored control baseline is...
Topics: Tailoring, Control Selection, Risk-based Controls, Control Baseline
- Question #84 (Security and Privacy Governance, Risk Management, and Compliance Program)
Office of Management and Budget (OMB) works directly for? Response:
Topics: Office of Management and Budget (OMB), Federal Government Structure, Executive Branch, Governance Authority
- Question #85 (Security and Privacy Governance, Risk Management, and Compliance Program)
Which of the following individuals is responsible for ensuring the security posture of the organization's information system? Response:
Topics: Authorizing Official (AO), Roles and Responsibilities, Information Security Posture, Risk Management Framework (RMF)
- Question #86 (Selection and Approval of Framework, Security, and Privacy Controls)
Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include se...
Topics: Security Controls, Safeguards, CIA Triad, Information Security Terminology
- Question #87 (Assessment/Audit of Security and Privacy Controls)
What is the purpose of the assess step? Response:
Topics: Control Assessment, Security Controls, Privacy Controls, Assessment Process
- Question #88 (Assessment/Audit of Security and Privacy Controls)
Which of the following BEST defines the purpose of security assessment? Response:
Topics: Security Assessment, Control Assessment, Security Controls, Purpose
- Question #89 (Security and Privacy Governance, Risk Management, and Compliance Program)
The point in time to which data must be recovered after an outage. Response:
Topics: Recovery Point Objective (RPO), Disaster Recovery, Business Continuity, Risk Management
- Question #90 (Compliance Maintenance)
In which of the RMF phases (task 3) is the conduct of remediation actions based on the results of ongoing monitoring activities, assessment of risk and outstanding items in the POA&M...
Topics: RMF Phases, Monitor Phase, Remediation Actions, POA&M
- Question #91 (Assessment/Audit of Security and Privacy Controls)
Why is the early selection of assessors important to organizations implementing a systems security engineering approach? Response:
Topics: Assessor involvement, Verification and Validation, Security engineering, Continuous assessment
- Question #92 (Assessment/Audit of Security and Privacy Controls)
Which of the following DITSCAP phases validates that the preceding work has produced an IS that operates in a specified computing environment? Response:
Topics: DITSCAP, Certification and Accreditation (C&A), System Validation, Security Assessment
- Question #93 (Security and Privacy Governance, Risk Management, and Compliance Program)
Sam is the project manager of a construction project in south Florid
Topics: Risk Management, Risk Response Strategies, Avoidance
- Question #94 (Scope of the System)
The registration of the system directly follows which Risk Management Framework (RMF) task? Response:
Topics: RMF, NIST RMF, System Registration, System Description
- Question #95 (Security and Privacy Governance, Risk Management, and Compliance Program)
Which of the following is an official authorization decision that is focused on specific controls implemented in a defined environment of operation to support one or more systems r...
Topics: Authorization decisions, Facility authorization, Risk Management Framework (RMF), Common controls
- Question #96 (Implementation of Security and Privacy Controls)
The initial security plan for a new application has been approved. What is the next activity in the Risk Management Framework? Response:
Topics: Risk Management Framework, NIST RMF Steps, Security Control Implementation, System Security Plan
- Question #97 (Security and Privacy Governance, Risk Management, and Compliance Program)
What are the phases of the System Development Life Cycle? Response:
Topics: System Development Life Cycle, SDLC phases, Information System Security, NIST Risk Management Framework
- Question #98 (Security and Privacy Governance, Risk Management, and Compliance Program)
NIST SP 800-37 defines this role as an organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security contro...
Topics: NIST SP 800-37, Common Controls, Roles and Responsibilities
- Question #99 (Implementation of Security and Privacy Controls)
The security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, and fi...
Topics: Security controls, Technical controls, Control types, Information system security
- Question #100 (Assessment/Audit of Security and Privacy Controls)
Test Results should be shown as "meeting standards" or "not meeting standards"; or in short ________, _______. Response:
Topics: Test results, Assessment reporting, Compliance standards, Terminology