CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 5 of 15.
- Question #201: Security and Privacy Governance, Risk Management, and Compliance Program
  NIST SP 800-37 comports with OMB Circular A-130, but it was developed by NIST under what authority, which is PL 107-347? Response:
  FISMA, NIST SP 800-37, Federal Information Security, OMB Circular A-130
- Question #202: Scope of the System
  Elements of organizations describing mission areas, common/shared business services, and organization-wide services. Mission/business segments can be identified with one or more in...
  Organizational structure, Mission areas, Business segments, Information systems mapping
- Question #203: Security and Privacy Governance, Risk Management, and Compliance Program
  Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred u...
  Quantitative Risk Analysis, Risk Management Process, Project Risk Management, Risk Monitoring and Control
- Question #204: Scope of the System
  Which NIST publication document is concerned with security categorization of federal information and information systems? Response:
  NIST FIPS, Security Categorization, Federal Information Systems, FIPS 199
- Question #205: Security and Privacy Governance, Risk Management, and Compliance Program
  Once the System Owner selects the controls he wants to continuously monitor, he should coordinate with the AO, AODR, and ___________. Response:
  Continuous Monitoring, Roles and Responsibilities, System Owner, CISO
- Question #206: Security and Privacy Governance, Risk Management, and Compliance Program
  The documentation of a predetermined set of instructions or procedures that describe how business processes will be restored after a significant disruption has occurred. Response:
  Business Continuity Planning, Disaster Recovery, Organizational Resilience
- Question #207: Security and Privacy Governance, Risk Management, and Compliance Program
  The system authorization program often fails due to failure to separate and assign duties at the system level, poor planning, poor systems inventory and many other reasons includin...
  Management support, Program effectiveness, Authorization program, Governance issues
- Question #208: Selection and Approval of Framework, Security, and Privacy Controls
  One of the following is a formal document that provides an overview of the security requirements for the information system, describes the system and the security controls in place...
  Security Plan (SP), System Security Plan (SSP), NIST RMF, Documentation
- Question #209: Selection and Approval of Framework, Security, and Privacy Controls
  Which of the following is an example of a "something you are" authentication? Response:
  Authentication factors, Biometrics, Access control, Identity management
- Question #210: Assessment/Audit of Security and Privacy Controls
  What is RMF Step 4? Response:
  RMF, NIST, Control Assessment, RMF Steps
- Question #211: Security and Privacy Governance, Risk Management, and Compliance Program
  Which NIST SP details how RMF can be integrated into the System Development Life-Cycle (SDLC)? Response:
  NIST RMF, NIST SP 800-37, SDLC integration, System Authorization
- Question #212: Scope of the System
  The registration of the system directly follows which RMF task? Response:
  NIST RMF, Prepare Step, System Registration, RMF Tasks
- Question #213: Security and Privacy Governance, Risk Management, and Compliance Program
  According to NIST SP 800-39, Managing Information System Risk, when an organization responds to risk by eliminating the activity or technology that is the basis for the risk, that...
  NIST SP 800-39, Risk Management, Risk Response, Risk Avoidance
- Question #214: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following statements are true about security risks? Each correct answer represents a complete solution. Choose three. Response:
  Security Risk Concepts, Risk Analysis, Risk Mitigation, Threat and Vulnerability
- Question #215: Scope of the System
  The publication that has the Standards for Security Categorization of Federal Information and Information Systems. Response:
  NIST FIPS, Security Categorization, Federal Information Systems, RMF Step 1
- Question #216: Compliance Maintenance
  According to NIST SP 800-37 Rev 2, which role has a primary responsibility to report the security status of the information system to the authorizing official (AO) and other approp...
  NIST RMF Roles, Common Control Provider (CCP), Ongoing Monitoring, Authorizing Official (AO)
- Question #217: Security and Privacy Governance, Risk Management, and Compliance Program
  The amount of risk that an organization is willing to accept can be referred to as: Response:
  risk tolerance, risk management, risk acceptance
- Question #218: Security and Privacy Governance, Risk Management, and Compliance Program
  A fully operational offsite data processing facility equipped with hardware and software, to be used in the event of an information system disruption. Response:
  Disaster Recovery, Business Continuity, Hot Site, Recovery Sites
- Question #219: Security and Privacy Governance, Risk Management, and Compliance Program
  What are the responsibilities of a system owner? Each correct answer represents a complete solution. Choose all that apply. Response:
  System Owner, Roles and Responsibilities, Security Controls, Vulnerability Management
- Question #220: Implementation of Security and Privacy Controls
  Which of the following fields of management focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes wi...
  configuration management, system consistency, lifecycle management, operational security
- Question #221: Security and Privacy Governance, Risk Management, and Compliance Program
  Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level...
  Information Risk Management, Risk Categories, Types of Risk, Risk Identification
- Question #222: Implementation of Security and Privacy Controls
  An incremental backup captures files that were created or changed since the last backup, regardless of backup type. Incremental backups afford more efficient use of storage media,...
  Incremental backup, Data backup, Data recovery, Storage efficiency
- Question #223: Security and Privacy Governance, Risk Management, and Compliance Program
  The amount of time mission/business processes can be disrupted without causing significant harm to the organization's mission. Response:
  Maximum Tolerable Downtime (MTD), Business Continuity Planning (BCP), Disaster Recovery (DR), Risk Management
- Question #224: Implementation of Security and Privacy Controls
  Who is primarily responsible for the development of the system-specific procedures (ISO, ISSO, IS Architect, Sys Admin)? Response:
  ISSO responsibilities, System-specific procedures, Roles and responsibilities, Control implementation documentation
- Question #225: Scope of the System
  An organization conducts one of the following analyses to determine if their system processes personally identifiable information. Response:
  Privacy Threshold Analysis (PTA), Personally Identifiable Information (PII), Privacy Assessments, System Scoping
- Question #226: Compliance Maintenance
  Which NIST SP series document is concerned with continuous monitoring for federal information systems and organizations? Response:
  NIST SP 800-137, Continuous Monitoring, Federal Information Systems, Compliance
- Question #227: Security and Privacy Governance, Risk Management, and Compliance Program
  An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or...
  Incident management, Security definitions, CIA triad, Policy violations
- Question #228: Assessment/Audit of Security and Privacy Controls
  Which role has the primary responsibility to conduct ongoing assessments after an initial system authorization? Response:
  Security Control Assessor, Ongoing Assessments, RMF Roles, Continuous Monitoring
- Question #229: Assessment/Audit of Security and Privacy Controls
  In which of the following phases of the DITSCAP process does Security Test and Evaluation (ST&E) occur? Response:
  DITSCAP, Security Test and Evaluation, Certification and Accreditation, System Assessment
- Question #230: Scope of the System
  When should the information system owner document the information system and authorization boundary description in the security plan? Response:
  Security Plan, Authorization Boundary, Security Categorization, Information System Owner
- Question #231: Security and Privacy Governance, Risk Management, and Compliance Program
  NIST SP 800-37, Revision 1, was developed by NIST under the authority of: Response:
  FISMA, NIST Special Publications, Regulatory Authority, Risk Management Framework (RMF)
- Question #232: Security and Privacy Governance, Risk Management, and Compliance Program
  Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which an unauthorized intentional or unintentional disclosure, modification,...
  Compromise, Security Incident, Information Disclosure, Risk Management Terminology
- Question #233: Scope of the System
  All components of an information system to be authorized for operation by an authorizing official, excluding separately authorized systems to which the information system is con...
  Authorization Boundary, System Authorization, Information System Scope
- Question #234: Assessment/Audit of Security and Privacy Controls
  If a "war-stopper" is found, testing should be immediately halted until the issue is resolved. What is a war-stopper? Response:
  War-stopper, Criminal activity, Security assessment, Testing procedures
- Question #235: Security and Privacy Governance, Risk Management, and Compliance Program
  You are responsible for network and information security at a metropolitan police station. The most important concern is that unauthorized parties are not able to access dat...
  Confidentiality, Information Security Principles, Data Protection
- Question #236: Security and Privacy Governance, Risk Management, and Compliance Program
  The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Natio...
  Risk Management, Risk Assessment, Risk Mitigation, Continuous Monitoring
- Question #237: Security and Privacy Governance, Risk Management, and Compliance Program
  Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management ac...
  Qualitative Risk Analysis, Project Risk Management, Risk Management Inputs, GRC Program Management
- Question #238: Compliance Maintenance
  During information system continuous monitoring you have to monitor changes in the machine elements of the system, such as computer elements and data stored in hardware, typically...
  Firmware, System Components, Continuous Monitoring
- Question #239: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual? Response:
  DoD Directives, Government Publications, Automation Resources Management, Compliance Standards
- Question #240: Assessment/Audit of Security and Privacy Controls
  A chronological record of system activities, including records of system accesses and operations performed in a given period, best defines: Response:
  Audit logs, Security logging, System activities, Monitoring
- Question #241: Security and Privacy Governance, Risk Management, and Compliance Program
  ___________________ information is defined as any information of which the loss, misuse, or unauthorized access would adversely affect the national interest or the conduct of federal pr...
  Information Classification, Sensitive Information, Data Protection, Privacy
- Question #242: Assessment/Audit of Security and Privacy Controls
  The security control assessor shall not be held liable to the System Owner for any and all liabilities, claims, or damages arising out of or relating to the security vulnerability...
  Rules of Engagement, Vulnerability Testing, Assessor Liability, Security Assessment Planning
- Question #243: Selection and Approval of Framework, Security, and Privacy Controls
  Physical and Environmental controls and personnel security controls are examples of what type of controls with respect to their provision? Response:
  Common controls, Control types, Physical security, Personnel security
- Question #244: Compliance Maintenance
  What is the 2nd SDLC phase, which maps to RMF steps 3 & 4 (Implement, Assess)? Response:
  SDLC phases, RMF steps, Control Implementation, Control Assessment
- Question #245: Selection and Approval of Framework, Security, and Privacy Controls
  For inherited controls, the type of authorization that the system owner would expect from the authorizing official is: Response:
  Inherited Controls, Common Controls, Authorization Official, Risk Management Framework
- Question #246: Implementation of Security and Privacy Controls
  The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization's informat...
  Incident Response Plan, Cyber Attack Response, Security Controls
- Question #247: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian? Response:
  Data Owner, Data Custodian, Information Classification, Roles and Responsibilities
- Question #248: Security and Privacy Governance, Risk Management, and Compliance Program
  What is the term for verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system? Response:
  Authentication, Identity Verification, Access Control, Security Controls
- Question #249: Compliance Maintenance
  In which of the following phases do the system security plan update and the Plan of Action and Milestones (POAM) update take place? Response:
  Continuous Monitoring, System Security Plan (SSP), Plan of Action and Milestones (POAM), NIST RMF
- Question #250: Security and Privacy Governance, Risk Management, and Compliance Program
  What are the three FIPS Publication 199 defined levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integr...
  FIPS 199, Impact Levels, Risk Management, CIA Triad