CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 4 of 15.
- Question #151 (Security and Privacy Governance, Risk Management, and Compliance Program): The tiers of the NIST RMF are Response:
  Tags: NIST RMF, RMF tiers, Organizational structure, Risk Management Framework
- Question #152 (Compliance Maintenance): The objective of configuration management and control is "not to" document all proposed or actual changes to an IS and to assess the impact of changes on the security of the system. Response:
  Tags: Configuration Management, Change Management, System Security, Control Objective
- Question #153 (Selection and Approval of Framework, Security, and Privacy Controls): Normally the requirements documented in the __________ ________ document will formulate the scope of SCA testing. Response:
  Tags: Security Plan, SCA Testing Scope, Risk Management Framework, NIST Documents
- Question #154 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following individuals is responsible for preparing and submitting security status reports to the organization? Response:
  Tags: Common Control Provider, Roles and Responsibilities, Security Reporting, NIST RMF
- Question #155 (Security and Privacy Governance, Risk Management, and Compliance Program): The overall length of time an information system's components can be in the recovery phase before negatively impacting the organization's mission or mission/business functions. Res...
  Tags: Recovery Time Objective (RTO), Business Continuity, Disaster Recovery, Risk Management
- Question #156 (Assessment/Audit of Security and Privacy Controls): Security testing that involves direct interaction with a target, such as sending packets to a target. Response:
  Tags: Security Testing, Active Testing, Vulnerability Assessment, Penetration Testing
- Question #157 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following are included in Administrative Controls? Each correct answer represents a complete solution. Choose all that apply. Response:
  Tags: Administrative Controls, Security Controls, Information Governance, Personnel Security
- Question #158 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following statements about the availability concept of information security management is true? Response:
  Tags: Availability, Information Security Concepts, CIA Triad
- Question #159 (Assessment/Audit of Security and Privacy Controls): A discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the...
  Tags: Tabletop Exercise, Contingency Planning, Incident Response Exercises, DRP/BCP Exercises
- Question #160 (Security and Privacy Governance, Risk Management, and Compliance Program): Who makes the decision to require an IS to undergo re-accreditation based on security status reporting, documentation, and the recommendation of the Designated Representative and IT security staff? Response:
  Tags: Authorizing Official (AO), System Authorization, Re-accreditation, Risk Management Framework (RMF) roles
- Question #161 (Selection and Approval of Framework, Security, and Privacy Controls): Which of the following are included in Technical Controls? Each correct answer represents a complete solution. Choose all that apply. Response:
  Tags: Technical Controls, Security Controls, Control Types, Access Control
- Question #162 (Scope of the System): Information developed from Federal Information Processing Standard (FIPS) 199 may be used as an input to which authorization package document? Response:
  Tags: FIPS 199, System Security Plan (SSP), Security Categorization, Risk Management Framework (RMF)
- Question #163 (Security and Privacy Governance, Risk Management, and Compliance Program): Fill in the blank with an appropriate word. ________ ensures that the information is not disclosed to unauthorized persons or processes. Solution: Confidentiality. Determine whether...
  Tags: Confidentiality, Information Security Principles, CIA Triad, Security Governance
- Question #164 (Security and Privacy Governance, Risk Management, and Compliance Program): Which NIST publication is the Guide for Applying the RMF to Federal Information Systems: A Security Life Cycle Approach, and moved the process from the four-phase certification and accreditation approach to...
  Tags: NIST RMF, SP 800-37, Authorization process, Security Life Cycle
- Question #165 (Compliance Maintenance): Which SDLC phase can use the System Authorization package to assist with decommissioning tasks for an IS? Response:
  Tags: SDLC, Disposition Phase, Decommissioning, System Authorization
- Question #166 (Implementation of Security and Privacy Controls): The use of automation to manage changes to the information system or its environment of operation facilitates Response:
  Tags: Automation, Change Management, Remediation, Control Implementation
- Question #167 (Scope of the System): A major subdivision or component of an information system consisting of information, information technology, and personnel that perform one or more specific functions. Response:
  Tags: Subsystem, Information System Components, System Definition
- Question #168 (Security and Privacy Governance, Risk Management, and Compliance Program): What is the publication that has the Minimum Security Requirements for Federal Information and Information Systems? Response:
  Tags: FIPS PUB 200, Minimum Security Requirements, Federal Information Systems, NIST Publications
- Question #169 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following recovery plans includes a monitoring process and triggers for initiating planned actions? Response:
  Tags: Contingency planning, Recovery plans, Plan activation, Monitoring
- Question #170 (Security and Privacy Governance, Risk Management, and Compliance Program): When an authorization to operate (ATO) is issued, which of the following roles authoritatively accepts residual risk on behalf of the organization? Response:
  Tags: Authorization to Operate (ATO), Authorizing Official (AO), Risk Acceptance, Risk Management Framework (RMF)
- Question #171 (Assessment/Audit of Security and Privacy Controls): Which Certification Level of Effort is indicated by exercise-based and independent assessments? Response:
  Tags: Assessment methodologies, Independent assessments, Exercise-based assessments, Certification effort
- Question #172 (Assessment/Audit of Security and Privacy Controls): What type of testing is a physical review or examination of a control, such as a review of a security setting or software version number? Response:
  Tags: Control Assessment, Inspection, Security Controls, Assessment Techniques
- Question #173 (Security and Privacy Governance, Risk Management, and Compliance Program): Your project has several risks that may cause serious financial impact should they happen. You have studied the risk events and made some potential risk responses for the risk even...
  Tags: Risk Management, Quantitative Risk Analysis, Financial Impact, Contingency Planning
- Question #174 (Selection and Approval of Framework, Security, and Privacy Controls): The process by which a security control baseline is modified based on: (i) the application of scoping guidance; (ii) the specification of compensating security controls, if needed;...
  Tags: Security Control Tailoring, NIST RMF, Security Control Baselines, Compensating Controls
- Question #175 (Security and Privacy Governance, Risk Management, and Compliance Program): System Authorization is the risk management process. The System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the diffe...
  Tags: System Authorization Plan (SAP), Authorization process phases, Risk management process, Certification
- Question #176 (Assessment/Audit of Security and Privacy Controls): The purpose of security controls testing is to evaluate the _________________ of the security controls protecting an information system. Response:
  Tags: Security Controls, Controls Testing, Effectiveness, Assessment
- Question #177 (Compliance Maintenance): Step 7 of the risk management framework can be described as: Response:
  Tags: Risk Management Framework (RMF), RMF Step 7, Post-authorization, System authorization
- Question #178 (Security and Privacy Governance, Risk Management, and Compliance Program): An organization's decision on acceptable degrees of residual risk should be based on (choose one): Response:
  Tags: Risk Management, Residual Risk, Risk Tolerance, Risk Acceptance
- Question #179 (Selection and Approval of Framework, Security, and Privacy Controls): A general principle is that the scope of certification testing should include all controls defined in which document: SAR, SP, or POAM? Response:
  Tags: Security Plan, Certification Testing, Control Definition, System Authorization
- Question #180 (Assessment/Audit of Security and Privacy Controls): For which of the following reporting requirements are continuous monitoring documentation reports used? Response:
  Tags: Continuous Monitoring, FISMA, Reporting Requirements, Compliance
- Question #181 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following is a subset discipline of Corporate Governance focused on information security systems and their performance and risk management? Response:
  Tags: Information Security Governance, Corporate Governance, Risk Management, Performance Management
- Question #182 (Security and Privacy Governance, Risk Management, and Compliance Program): An organization monitors the hard disks of its employees' computers from time to time. Which policy does this pertain to? Response:
  Tags: Privacy policy, Employee monitoring, Data privacy, Organizational policies
- Question #183 (Scope of the System): The RMF step and task in which the categorization of the information and IS is done and the results are documented in the Security Plan (SP). Response:
  Tags: RMF Steps, System Categorization, NIST SP 800-37, Security Plan
- Question #184 (Compliance Maintenance): Change management is initiated under which phase? Response:
  Tags: Change Management, NIST RMF, Monitor Phase, Continuous Monitoring
- Question #185 (Security and Privacy Governance, Risk Management, and Compliance Program): The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecomm...
  Tags: NIACAP, Accreditation types, Certification and Accreditation (C&A), Compliance Frameworks
- Question #186 (Implementation of Security and Privacy Controls): Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after...
  Tags: Configuration Control, Change Management, System Integrity, Information System Security
- Question #187 (Security and Privacy Governance, Risk Management, and Compliance Program): You are the project manager of the NHH project for your company. You have completed the first round of risk management planning and have created four outputs of the risk response p...
  Tags: Risk Management Process, Risk Response Planning, Project Management Outputs
- Question #188 (Assessment/Audit of Security and Privacy Controls): What is the first task in Security Controls Assessment, where the assessment plan is developed, reviewed, and approved to assess the controls? Response:
  Tags: Control Assessment, Assessment Planning, NIST RMF, Security Controls
- Question #189 (Compliance Maintenance): Which role has the supporting responsibility to coordinate changes to the system, assess the security impact, and update the system security plan? Response:
  Tags: ISSO responsibilities, System Security Plan (SSP), Change management, Security impact assessment
- Question #190 (Selection and Approval of Framework, Security, and Privacy Controls): A security control for an information system that has not been designated as a common security control or the portion of a hybrid control that is to be implemented within an inform...
  Tags: Security Controls, NIST RMF, System-Specific Controls, Control Types
- Question #191 (Security and Privacy Governance, Risk Management, and Compliance Program): The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a __________. Response:
  Tags: Risk assessment, Impact levels, Moderate impact, CIA triad
- Question #192 (Security and Privacy Governance, Risk Management, and Compliance Program): According to NIST SP 800-37 Rev 2 Appendix F, there exist several types of authorization decisions, including all of the following except one. Response:
  Tags: NIST SP 800-37 Rev 2, Authorization decisions, Risk Management Framework, Common controls
- Question #193 (Assessment/Audit of Security and Privacy Controls): Which of the following persons is responsible for testing and verifying whether the security policy is properly implemented and whether the derived security solutions are adequate?...
  Tags: Auditor role, Security policy verification, Control assessment, Compliance checking
- Question #194 (Compliance Maintenance): Updating the security plan, security assessment report, and POAM based on the results of the continuous monitoring process is which task in RMF Step 6, Monitor? Response:
  Tags: NIST RMF Step 6, Continuous Monitoring, Security Plan Updates, POAM
- Question #195 (Selection and Approval of Framework, Security, and Privacy Controls): NIST 800-53 identifies continuous monitoring as which of the following security controls? Response:
  Tags: NIST 800-53, Continuous Monitoring, Security Controls, Control Identification
- Question #196 (Assessment/Audit of Security and Privacy Controls): A passive technique that monitors network communication, decodes protocols, and examines headers and payloads for information of interest. It is both a review technique and a targe...
  Tags: Network security, Monitoring techniques, Passive reconnaissance, Data collection
- Question #197 (System Compliance): A web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark's financial and personal de...
  Tags: Data Privacy, Personal Data Sharing, Privacy Law Violation, Legal Compliance
- Question #198 (Security and Privacy Governance, Risk Management, and Compliance Program): What course of action can be taken by a party if the current negotiations fail and an agreement cannot be reached? Response:
  Tags: Negotiation, BATNA, Strategic Decision-Making, Risk Management
- Question #199 (Security and Privacy Governance, Risk Management, and Compliance Program): The documentation of a predetermined set of instructions or procedures that describe how an organization's mission/business functions will be sustained during and after a significa...
  Tags: Business Continuity Plan, Disaster Recovery, Organizational Resilience
- Question #200 (Security and Privacy Governance, Risk Management, and Compliance Program): "The authorization for the system or the common control is approved or denied" is an outcome of which of the following tasks? Response:
  Tags: Authorization Decision, Risk Management Framework (RMF), Authority to Operate (ATO), System Approval