CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 6 of 15.
- Question #251 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following system security policies is used to address specific issues of concern to the organization?
  Tags: Security Policies, Policy Types, Issue-specific Policy
- Question #252 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability. Synonymous with Threat Ag...
  Tags: Threat Source, Risk Management Terminology, NIST RMF
- Question #253 (Compliance Maintenance)
  Although system authorization is important, obtaining ATO is not the end; continuous monitoring provides ______________ that an information system remains secure following accredit...
  Tags: Continuous monitoring, ATO, Accreditation, Compliance maintenance
- Question #254 (Scope of the System)
  Ensuring timely and reliable access to and use of information. SP 800-53; SP 800-53A; CNSSI-4009; SP 800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec.
  Tags: Availability, CIA Triad, NIST SP 800-53, FIPS 199
- Question #255 (Scope of the System)
  What is RMF Step 1?
  Tags: RMF, NIST SP 800-37, System Categorization, RMF Steps
- Question #256 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A collaborative group of users who exchange information in pursuit of their shared goals, interests, missions, or business processes, and who therefore must have a shared vocabular...
  Tags: Community of Interest, Information Sharing, Collaboration, Shared Vocabulary
- Question #257 (Scope of the System)
  In accordance with NIST SP 800-59, a National Security System is a system whose function, operation, or use must fulfil some of the following criteria. CHOOSE ALL THAT APPLY. ...
  Tags: NIST SP 800-59, National Security System, System Scope, System Categorization
- Question #258 (Implementation of Security and Privacy Controls)
  Management wants you to create a visual diagram of what resources will be utilized in the project deliverables. What type of chart is management asking you to create?
  Tags: Project Management, Resource Management, Resource Breakdown Structure (RBS), Project Planning
- Question #259 (Selection and Approval of Framework, Security, and Privacy Controls)
  FIPS 200 provides how many minimum security requirements for federal information and information systems? The requirements represent a broad-based, balanced information security pr...
  Tags: FIPS 200, Minimum Security Requirements, NIST, Control Families
- Question #260 (Compliance Maintenance)
  What is Step 6?
  Tags: NIST RMF Steps, Monitoring, Continuous Monitoring, NIST SP 800-37 Rev 1
- Question #261 (Selection and Approval of Framework, Security, and Privacy Controls)
  Tailored control baselines may also be referred to as
  Tags: Control tailoring, Control baselines, Overlays, NIST RMF
- Question #262 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What publication implements the Computer Security Act and defines sensitivity?
  Tags: OMB Circular A-130, Computer Security Act, Federal Information Security, Information Sensitivity
- Question #263 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Adrian is the project manager of the NHP Project. In her project there are several work packages that deal with electrical wiring. Rather than manage the risk internally, she has...
  Tags: Risk Management, Risk Response Strategies, Risk Transference, Outsourcing
- Question #264 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following BEST describes a government-wide standard for security Assessment and Authorization (A&A) and continuous monitoring for cloud products, which is mandatory fo...
  Tags: FedRAMP, Cloud Security, Assessment and Authorization (A&A), Government Compliance
- Question #265 (Selection and Approval of Framework, Security, and Privacy Controls)
  Which of the following are included in Physical Controls? Each correct answer represents a complete solution. Choose all that apply.
  Tags: Physical Controls, Security Controls, Access Control, Environmental Security
- Question #266 (Selection and Approval of Framework, Security, and Privacy Controls)
  Which of the three-tiered approaches to risk management addresses risk at the IS security control level and their allocation?
  Tags: Three-tiered risk management, NIST RMF tiers, Information System tier, Security control allocation
- Question #267 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following is NOT a responsibility of a data owner?
  Tags: Data Owner, Roles and Responsibilities, Data Governance, Information Security Roles
- Question #268 (Selection and Approval of Framework, Security, and Privacy Controls)
  During which RMF step is the system security plan initially approved?
  Tags: RMF Steps, System Security Plan (SSP), Control Selection, Authorization Process
- Question #269 (Scope of the System)
  What is the purpose of scoping guidance?
  Tags: Scoping, Security Controls, Control Baseline
- Question #270 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The level of assessor independence is determined based on applicable laws, executive orders, directives, regulations, policies, or standards. Who determines the level of assessor i...
  Tags: Assessor Independence, Authorizing Official (AO), NIST RMF Roles, Risk Acceptance
- Question #271 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following RMF phases identifies key threats and vulnerabilities that could compromise the confidentiality, integrity, and availability of the institutional critical as...
  Tags: RMF Categorize Phase, Threat Identification, Vulnerability Identification, NIST RMF
- Question #272 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following is not part of the contents of a plan of action and milestones?
  Tags: Plan of Action and Milestones (POA&M), Remediation, Risk Management
- Question #273 (Compliance Maintenance)
  Information System and Environment Changes (determine the security impact of proposed or actual changes to the information system and its environment of operation) is Task _____ in...
  Tags: RMF Step 6, Monitoring Controls, Change Management, Security Impact Analysis
- Question #274 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following parts of BS 7799 covers risk analysis and management?
  Tags: BS 7799, Risk Management, Risk Analysis, Information Security Standards
- Question #275 (Implementation of Security and Privacy Controls)
  A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed o...
  Tags: Baseline Configuration, Configuration Management, Change Control, Configuration Item
- Question #276 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following is used in the practice of Information Assurance (IA) to define assurance requirements?
  Tags: Information Assurance, Assurance requirements, Information security models, CIA Triad
- Question #277 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following is an Information Assurance (IA) model that protects and defends information and information systems by ensuring their availability, integrity, authenticatio...
  Tags: Information Assurance, Security Models, Security Principles
- Question #278 (Scope of the System)
  What does SC stand for regarding Information Types?
  Tags: Security Categorization, NIST RMF, Information Classification, RMF Step 1
- Question #279 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What role is an agency official responsible for providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensur...
  Tags: CIO responsibilities, IT governance, Information resource management, Agency roles
- Question #280 (Scope of the System)
  Can a value of "not applicable" be assigned to any security objective in the context of establishing a security category for an information system?
  Tags: Security Categorization, Security Objectives, Information System Classification
- Question #281 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What are the three parts of Risk Management?
  Tags: Risk Management Process, Risk Assessment, Risk Management Components
- Question #282 (Assessment/Audit of Security and Privacy Controls)
  A type of assessment method that is characterized by the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve cl...
  Tags: Assessment methods, Interviewing, Control effectiveness, Evidence collection
- Question #283 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following relations correctly describes total risk?
  Tags: Risk Management, Risk Calculation, Threats, Vulnerabilities
- Question #284 (Implementation of Security and Privacy Controls)
  A copy of files and programs made to facilitate recovery if necessary.
  Tags: Backup, Data Recovery, Data Protection
- Question #285 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
  Tags: Vulnerability Definition, Information Security Concepts, Risk Management Fundamentals, Threats and Vulnerabilities
- Question #286 (Security and Privacy Governance, Risk Management, and Compliance Program)
  How many steps are in the Risk Management Framework (RMF)?
  Tags: Risk Management Framework (RMF), RMF steps, NIST RMF
- Question #287 (Assessment/Audit of Security and Privacy Controls)
  Any deviations from the Security Assessment plan should be ________?
  Tags: Security Assessment Process, Deviation Handling, Reporting Procedures, Compliance Documentation
- Question #288 (Compliance Maintenance)
  What is the System Development Life Cycle phase of the Disposal task of step 7 of the RMF?
  Tags: SDLC, RMF, Disposal, System Lifecycle
- Question #289 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What essential documentation should be included in the system authorization package?
  Tags: System Authorization Package, RMF Authorization, Authorization Documentation, System Security Plan
- Question #290 (Assessment/Audit of Security and Privacy Controls)
  The final Security Assessment Report (SAR) should contain findings from the security control assessment and which of the ensuing?
  Tags: Security Assessment Report (SAR), Control Remediation, Assessment Findings, Risk Management Framework (RMF)
- Question #291 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The implementation of the Assessment and the authorization process is an example of what type of risk response?
  Tags: Risk Management, Risk Response, Assessment, Authorization Process
- Question #292 (System Compliance)
  An official public notice of an organization's system(s) of records, as required by the Privacy Act of 1974, that identifies: (i) the purpose for the system of records; (ii) the in...
  Tags: Privacy Act of 1974, System of Records Notice (SORN), Privacy compliance
- Question #293 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset best describes
  Tags: Threat, Vulnerability, Risk Management, Security Concepts
- Question #294 (Compliance Maintenance)
  Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?
  Tags: Roles and Responsibilities, Configuration Management, Common Controls, Monitoring
- Question #295 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following is a goal of Public Law?
  Tags: Public Law, Authorizing Officials (AO), Information Quality, Governance
- Question #296 (Implementation of Security and Privacy Controls)
  From a system authorization perspective, why are potential system software patches tested prior to deployment?
  Tags: Patch management, Security testing, Vulnerability management, Impact assessment
- Question #297 (Selection and Approval of Framework, Security, and Privacy Controls)
  What's another term that is synonymous with a common control?
  Tags: common control, inherited control, security controls, control categorization
- Question #298 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.
  Tags: Threat Assessment, Risk Management, Threat Evaluation, Information Security
- Question #299 (Implementation of Security and Privacy Controls)
  Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state?
  Tags: Change Management, Organizational Transition, Process Management, Implementation Strategy
- Question #300 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Who plays the central role, in that he is responsible for system operation, implementation of security controls, and continuous monitoring?
  Tags: System Owner, Roles and Responsibilities, Accountability, Risk Management Framework (RMF)