CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 3 of 15.
- Question #101: Selection and Approval of Framework, Security, and Privacy Controls
  An authorization approach where a single organizational official in a senior leadership position is responsible and accountable for a system or common controls is referred to as: R...
  Tags: Authorization Models, Authorizing Official (AO), NIST RMF, Traditional Authorization
- Question #102: Implementation of Security and Privacy Controls
  Which of the following statements about System Access Control List (SACL) is true? Response:
  Tags: SACL, Auditing, Access Control
- Question #103: Security and Privacy Governance, Risk Management, and Compliance Program
  You are the Risk Analyst for Colvine Tech consulting. A new system user just asked you when risk assessments should be conducted in the system development life cycle. What will be...
  Tags: Risk assessment, System Development Life Cycle (SDLC), Continuous risk management, Risk management process
- Question #104: Security and Privacy Governance, Risk Management, and Compliance Program
  An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and...
  Tags: Privacy Impact Assessment (PIA), Privacy Risk Management, Information Handling, Compliance
- Question #105: Security and Privacy Governance, Risk Management, and Compliance Program
  During an annual assessment, numerous high-risk findings are discovered on a critical organizational system. The system's Federal Information Processing Standard (FIPS) 199 rating...
  Tags: Risk Management Framework (RMF), Authorizing Official (AO), Deny Authorization, Organizational Risk Tolerance
- Question #106: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following created FISMA requirements, requiring System Authorization? Response:
  Tags: FISMA, Legislation, System Authorization
- Question #107: Compliance Maintenance
  POAM update frequency is at the discretion of the System Owner but should be frequent enough to provide an accurate status of progress in remediation. Response:
  Tags: POAM, Remediation Tracking, Compliance Maintenance, System Owner Responsibilities
- Question #108: Scope of the System
  Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing. Upon review of the proposed changes, you ha...
  Tags: Change Management, Integrated Change Control, Project Management, Scope Control
- Question #109: Compliance Maintenance
  At the very least, security status reporting should include a summary of key changes to security plans, security assessment reports, and POAMs. Response:
  Tags: Security Reporting, Compliance Monitoring, POAMs, Security Assessment Reports
- Question #110: Selection and Approval of Framework, Security, and Privacy Controls
  Overlays can be implemented as part of control tailoring after the completion of what process? Response:
  Tags: RMF, Control Tailoring, Security Categorization, Overlays
- Question #111: Compliance Maintenance
  Common activities within organizations can cause changes to systems or the environments of operation and can have significant impact on the security posture of systems. Which of th...
  Tags: System Change Management, Configuration Management, Change Control, Compliance Maintenance
- Question #112: Security and Privacy Governance, Risk Management, and Compliance Program
  The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Thu...
  Tags: Impact levels, Risk assessment, CIA triad, NIST RMF
- Question #113: Security and Privacy Governance, Risk Management, and Compliance Program
  Phase 0 of the Risk Management Framework (RMF) is known as strategic risk assessment planning. Which of the following processes take place in phase 0? Each correct answer represent...
  Tags: RMF Prepare Phase, Strategic Risk Assessment, Asset Classification, Evaluation Criteria
- Question #114: Compliance Maintenance
  The objective of status reporting & documentation is to ensure the Information System Owner updates the ____________ __________ and the POAM and that the security status is reporte...
  Tags: Security Plan Management, Status Reporting, POAM, System Owner Responsibilities
- Question #115: Compliance Maintenance
  In which of the following DIACAP phases is residual risk analyzed? Response:
  Tags: DIACAP, Residual Risk, Risk Analysis, Compliance Maintenance
- Question #116: Compliance Maintenance
  An effective continuous monitoring program can be used to meet the ___________ publication's requirements for security risk assessment. Response:
  Tags: Continuous Monitoring, Security Risk Assessment, FIPS Publications, Compliance Requirements
- Question #117: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following are phases of the NIST RMF? Response:
  Tags: NIST RMF, Risk Management Framework, RMF phases, Security Frameworks
- Question #118: Assessment/Audit of Security and Privacy Controls
  All of the following except one are assessment objects. Response:
  Tags: Control assessment, Assessment objects, Assessment methods
- Question #119: Assessment/Audit of Security and Privacy Controls
  A level of collaboration may be required between security and privacy control assessors with respect to controls that are implemented to achieve both security and privacy objectives. A...
  Tags: assessor findings, control effectiveness, vulnerability reporting, objective reporting
- Question #120: Security and Privacy Governance, Risk Management, and Compliance Program
  A System Owner (SO) is implementing a new system within their existing organization Information Technology (IT) environment. What objectives are considered when determining possible...
  Tags: Risk Impact, CIA Triad, Information Security Objectives, System Owner
- Question #121: Implementation of Security and Privacy Controls
  Who has primary responsibility for the implementation of security controls? Response:
  Tags: Roles and Responsibilities, Information System Owner (ISO), Security Control Implementation
- Question #122: Compliance Maintenance
  Common activities within organizations can cause changes to systems or the environments of operation and can have significant impact on the security posture of systems. Which of th...
  Tags: Change Management, Environment of Operation, Physical Security, Compliance Maintenance
- Question #123: Selection and Approval of Framework, Security, and Privacy Controls
  Which of the following control families belongs to the management class of security controls? Response:
  Tags: NIST SP 800-53, Control Families, Management Controls, Control Classes
- Question #124: Implementation of Security and Privacy Controls
  Which of the following refers to a process that is used for implementing information security? Response:
  Tags: Certification and Accreditation (C&A), Information Security Processes, Risk Management Framework (RMF), System Authorization
- Question #125: Scope of the System
  When attempting to categorize a system, which two Risk Management Framework (RMF) starting point inputs should be accounted for? Response:
  Tags: RMF, System Categorization, NIST RMF, Inputs
- Question #126: Selection and Approval of Framework, Security, and Privacy Controls
  To help review or design security controls, they can be classified by several criteri
  Tags: Control classification, Security control types, Adaptive controls
- Question #127: Compliance Maintenance
  According to the RMF, which role has a primary responsibility to report the security status of the information system to the AO & other appropriate organizational officials on an ongoin...
  Tags: RMF Roles, Common Control Provider (CCP), Security Monitoring, Compliance Reporting
- Question #128: Security and Privacy Governance, Risk Management, and Compliance Program
  BS 7799 is an internationally recognized ISM standard that provides high-level, conceptual recommendations on enterprise security. BS 7799 is basically divided into three parts. Wh...
  Tags: BS 7799, ISO/IEC 27001, Information Security Standards, Standard History
- Question #129: Security and Privacy Governance, Risk Management, and Compliance Program
  An agreement that allows two organizations to back up each other. Response:
  Tags: Reciprocal Agreement, Business Continuity, Disaster Recovery, Risk Mitigation
- Question #130: Security and Privacy Governance, Risk Management, and Compliance Program
  Which one of the following is the only output for the qualitative risk analysis process? Response:
  Tags: Risk Management, Qualitative Risk Analysis, Risk Register, Process Outputs
- Question #131: Security and Privacy Governance, Risk Management, and Compliance Program
  There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to the perform quantitative risk analysis process? Response:
  Tags: Quantitative Risk Analysis, Risk Management Process, Process Inputs, Enterprise Environmental Factors
- Question #132: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following NIST documents defines impact? Response:
  Tags: NIST SP 800-30, Impact Definition, Risk Management, NIST Special Publications
- Question #133: Security and Privacy Governance, Risk Management, and Compliance Program
  The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high....
  Tags: Risk Assessment, Impact Analysis, CIA Triad, NIST Terminology
- Question #134: Security and Privacy Governance, Risk Management, and Compliance Program
  The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a............... Response:
  Tags: Risk Assessment, Impact Analysis, CIA Triad
- Question #135: Scope of the System
  Establishing an overall sensitivity level for an Information System based on the aggregated sensitivity level of all data by CIA is referred to as the ______________. Response:
  Tags: Information System Sensitivity, Data Classification, High-Water Mark Principle, System Scope
- Question #136: Selection and Approval of Framework, Security, and Privacy Controls
  Applying the first three steps in the RMF to legacy systems can be viewed in what way to determine if the necessary and sufficient security controls have been appropriately selecte...
  Tags: RMF, Legacy Systems, Gap Analysis, Security Controls Selection
- Question #137: Selection and Approval of Framework, Security, and Privacy Controls
  A backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive...
  Tags: Disaster Recovery, Business Continuity, Cold Site, Contingency Planning
- Question #138: Assessment/Audit of Security and Privacy Controls
  Which of the following details best defines an independent assessor? Response:
  Tags: Independent Assessor, Assessment, Impartiality, Conflict of Interest
- Question #139: Security and Privacy Governance, Risk Management, and Compliance Program
  You and your project team are just starting the risk identification activities for a project that is scheduled to last for 18 months. Your project team has already identified a lon...
  Tags: Risk Identification, Risk Management Process, Iterative Process
- Question #140: Security and Privacy Governance, Risk Management, and Compliance Program
  What will provide a mechanism for evaluating the functions the subsystems perform, interfaces with other subsystems and connections with other information systems, and how they hav...
  Tags: Security Impact Analysis, Risk Management, System Evaluation, Security Plan Updates
- Question #141: Selection and Approval of Framework, Security, and Privacy Controls
  What are the three classifications for security controls for information systems? Response:
  Tags: Security Controls, Control Classification, System-Specific Controls, NIST SP 800-53
- Question #142: Compliance Maintenance
  According to the Risk Management Framework (RMF), which role has a primary responsibility to report the security status of the information system to the authorizing official (AO) a...
  Tags: RMF roles, ISSO, Security status reporting, Ongoing monitoring
- Question #143: Assessment/Audit of Security and Privacy Controls
  Which of the following is an example of the test assessment method according to NIST SP 800-37 Rev 2? Response:
  Tags: NIST SP 800-37, Assessment Methods, Vulnerability Scanning, Risk Management Framework
- Question #144: Security and Privacy Governance, Risk Management, and Compliance Program
  According to NIST SP 800-64 Rev 2 (withdrawn), the system development life cycle is broken down into five phases. Which of the following is not one of the five phases? Response:
  Tags: NIST SP 800-64 Rev 2, System Development Life Cycle (SDLC), SDLC phases, NIST standards
- Question #145: Compliance Maintenance
  In which of the following phases does the SSAA maintenance take place? Response:
  Tags: RMF phases, Continuous Monitoring, System Authorization, Compliance Maintenance
- Question #146: Scope of the System
  The RMF step and task where a Continuous Monitoring strategy that monitors the effectiveness of the selected security controls is created. Response:
  Tags: RMF Steps, Continuous Monitoring Strategy, System Categorization, Security Controls
- Question #147: Security and Privacy Governance, Risk Management, and Compliance Program
  The degree to which an organization is threatened by the potential adverse effects on organizational operations and assets, individuals, other organizations, or the Nation best def...
  Tags: Risk Management, Risk Terminology, Risk Exposure
- Question #148: Security and Privacy Governance, Risk Management, and Compliance Program
  You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of...
  Tags: Qualitative Risk Analysis, Organizational Process Assets (OPAs), Risk Management Processes, Project Inputs
- Question #149: Security and Privacy Governance, Risk Management, and Compliance Program
  The authorization decision is the explicit responsibility of which organizational official? Response:
  Tags: Authorization Official (AO), Risk Management Framework (RMF), Roles and Responsibilities, System Authorization
- Question #150: Selection and Approval of Framework, Security, and Privacy Controls
  A security control that is inherited by one or more organizational information systems is known as a... Response:
  Tags: Common Control, Inherited Controls, Security Control Types, NIST RMF Terminology