CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 7 of 15.
- Question #301 (Assessment/Audit of Security and Privacy Controls)
  The primary responsibility for selecting control assessors rests with which roles?
  Tags: Roles and Responsibilities, Control Assessors, Authorizing Official (AO), AODR

- Question #302 (Assessment/Audit of Security and Privacy Controls)
  Which plan documents the objectives for the security control assessment, details how to conduct the assessment, and records the assessment procedures (Security Plan, Assessment Plan, P...
  Tags: Security Control Assessment, Assessment Plan, NIST RMF, Documentation

- Question #303 (Compliance Maintenance)
  Which component of the change management system is responsible for evaluating, testing, and documenting changes made to the project scope?
  Tags: Configuration Management, Change Management, System Scope, Baseline Control

- Question #304 (Selection and Approval of Framework, Security, and Privacy Controls)
  According to NIST SP 800-53 Rev 5, security controls are grouped into how many control families?
  Tags: NIST SP 800-53 Rev 5, Security Controls, Control Families, Framework Structure

- Question #305 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following statements reflect the 'Code of Ethics Canons' in the '(ISC)2 Code of Ethics'? Each correct answer represents a complete solution. Choose all that apply. Res...
  Tags: (ISC)2 Code of Ethics, Ethical Canons, Professional Ethics, Governance

- Question #306 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function best defines which of the f...
  Tags: Criticality, Risk Management Concepts, Information System Importance, Impact Assessment

- Question #307 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which RMF role establishes risk management roles and responsibilities and provides advice and relevant information to authorizing officials concerning the risk management strategy...
  Tags: RMF Roles, Risk Executive, Risk Management Strategy, Authorization Decisions

- Question #308 (Scope of the System)
  Which NIST SP, the 'Guide for Developing Security Plans for Federal Information Systems', describes the various sensitivity rankings for federal systems?
  Tags: NIST SP 800-18, Security Planning, System Categorization, Federal Systems

- Question #309 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which roles and responsibilities can only be occupied by a government employee?
  Tags: Government Roles, Risk Executive, NIST RMF, Organizational Structure

- Question #310 (Security and Privacy Governance, Risk Management, and Compliance Program)
  As indicated in NIST SP 800-37 and NIST SP 800-53, the RMF provides inputs to the risk management strategy, including: laws, directives, and policy guidance; strategic goals and ob...
  Tags: NIST RMF inputs, Risk Management Strategy, NIST SP 800-37, Priorities and Resources

- Question #311 (Compliance Maintenance)
  Significant changes to a system may trigger an event-driven authorization action, which may include but is not limited to all of the following except one. Choose the exception. Resp...
  Tags: Event-driven authorization, System change management, Continuous monitoring, Authorization triggers

- Question #312 (Security and Privacy Governance, Risk Management, and Compliance Program)
  An instance of an information type.
  Tags: Information Definition, Basic Concepts, Terminology

- Question #313 (Compliance Maintenance)
  When does monitoring of security controls take place?
  Tags: Continuous Monitoring, System Authorization, Security Control Lifecycle, Risk Management Framework

- Question #314 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The authorization approach that is employed when multiple organizational officials, either from the same organization or from different organizations, have a shared interest in authorizi...
  Tags: Joint authorization, System authorization, Governance approach

- Question #315 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amende...
  Tags: National Security Information, Classified Information, Executive Orders, Information Classification

- Question #316 (System Compliance)
  If an organization shares the financial and personal details of a client with other companies without the prior consent of the individuals, that organization is violating which of the following Inter...
  Tags: Data Privacy, Consent, Legal Compliance, Information Sharing

- Question #317 (Scope of the System)
  With whom does the responsibility for defining an information system's boundary reside?
  Tags: Information System Owner, System Boundary, Scope Definition, Responsibility

- Question #318 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following governance bodies provides management, operational, and technical controls to satisfy security requirements?
  Tags: Security Governance, Organizational Roles, Senior Management Responsibility, Control Oversight

- Question #319 (Security and Privacy Governance, Risk Management, and Compliance Program)
  FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, defines which three security categories?
  Tags: FIPS 199, Security Categorization, CIA Triad, Risk Management

- Question #320 (Assessment/Audit of Security and Privacy Controls)
  One of the primary goals in analyzing the test results from a scan during a Security Control Assessment (SCA) is to ______________.
  Tags: Security Control Assessment, Vulnerability Analysis, Scan Results

- Question #321 (Assessment/Audit of Security and Privacy Controls)
  Who determines the required level of independence for security control assessors?
  Tags: Authorizing Official (AO), Assessor Independence, RMF Roles, Security Control Assessment

- Question #322 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following statements correctly describes DIACAP residual risk?
  Tags: Residual Risk, Risk Management, DIACAP, Information System Risk

- Question #323 (Assessment/Audit of Security and Privacy Controls)
  According to NIST SP 800-37 Rev 2, what is step five of the Risk Management Framework (RMF) process?
  Tags: NIST RMF, SP 800-37 Rev 2, RMF Steps, Control Assessment

- Question #324 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What is included in a POA&M that is presented to the Approving Authority as part of the initial authorization package?
  Tags: POA&M, RMF Authorization, Deficiencies, Risk Acceptance

- Question #325 (Implementation of Security and Privacy Controls)
  FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF...
  Tags: FITSAF, Security Assessment Frameworks, Control Implementation, Compliance Levels

- Question #326 (Assessment/Audit of Security and Privacy Controls)
  Which of the following is not an example of an automation activity?
  Tags: Automation, Security Controls, Compliance Assessment, Assessment Methods

- Question #327 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Who is primarily responsible for the development of system-specific procedures?
  Tags: System Owner, Roles and Responsibilities, System Procedures, Governance

- Question #328 (Assessment/Audit of Security and Privacy Controls)
  NIST SP 800-39 requires that the Security Control Assessor's findings be:
  Tags: NIST SP 800-39, Security Control Assessor, Assessment findings, Objectivity

- Question #329 (Scope of the System)
  The physical surroundings in which an information system processes, stores, transmits, or disseminates information are referred to as ______________.
  Tags: System Environment, Operational Context, System Scope

- Question #330 (Scope of the System)
  What is FIPS 199?
  Tags: FIPS 199, Security Categorization, NIST, Risk Management Framework

- Question #331 (Selection and Approval of Framework, Security, and Privacy Controls)
  Which NIST guide authorizes an organization to tailor system authorization activities to the level of effort and rigor that is suitable for the information system being tested?
  Tags: NIST SP 800-37, Risk Management Framework (RMF), System Authorization, Tailoring

- Question #332 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The threats to an information system and its environment of operation have been classified as human, natural, and machine threats. Which of the following threats is referred to as...
  Tags: Threat classification, Human threats, Cybersecurity fundamentals, Risk identification

- Question #333 (Assessment/Audit of Security and Privacy Controls)
  Which RMF role is primarily responsible for Tasks 1, 2, and 3 of the Assess Security Controls step?
  Tags: RMF Roles, Security Control Assessor, Assessing Security Controls, NIST RMF

- Question #334 (Implementation of Security and Privacy Controls)
  An environmentally conditioned workspace that is partially equipped with information systems and telecommunications equipment to support relocated operations in the event of a sign...
  Tags: Warm Site, Disaster Recovery, Business Continuity, Recovery Sites

- Question #335 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following guidance documents is useful in determining the impact level of a particular threat on agency systems?
  Tags: NIST RMF, Impact Level Determination, System Categorization, NIST SP 800-37

- Question #336 (Security and Privacy Governance, Risk Management, and Compliance Program)
  According to FIPS Publication 199, what are the three levels of potential impact on organizations in the event of a compromise of confidentiality, integrity, and availability? Resp...
  Tags: FIPS 199, Impact Levels, CIA Triad, Risk Assessment

- Question #337 (Assessment/Audit of Security and Privacy Controls)
  One of the main objectives of testing is to avoid ______________ of normal operations.
  Tags: Testing objectives, Operational impact, Security testing, Control assessment

- Question #338 (Security and Privacy Governance, Risk Management, and Compliance Program)
  In which of the following Risk Management Framework (RMF) phases is strategic risk assessment planning performed?
  Tags: NIST RMF, RMF Prepare Phase, Strategic Risk Assessment, RMF Phases

- Question #339 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What are the subordinate tasks of the Initiate and Plan IA C&A phase of the DIACAP process? Each correct answer represents a complete solution. Choose all that apply.
  Tags: DIACAP, Certification and Accreditation (C&A), Initiate and Plan Phase, Information Assurance (IA)

- Question #340 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following groups represents the most likely source of an asset loss through the inappropriate use of computers?
  Tags: Insider Threat, Risk Management, Asset Loss, Human Factors

- Question #341 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What are the six steps of the RMF?
  Tags: RMF, NIST RMF, Categorize, Risk Management Framework Steps

- Question #342 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Any circumstance or event with the potential to adversely impact organizational operations, assets, personnel, etc. is defined as what?
  Tags: Threat definition, Risk management terminology, Security definitions

- Question #343 (Selection and Approval of Framework, Security, and Privacy Controls)
  Which of the following are the types of access controls? Each correct answer represents a complete solution. Choose three.
  Tags: Access Controls, Administrative Controls, Technical Controls, Physical Controls

- Question #344 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis proc...
  Tags: Quantitative Risk Analysis, Risk Management Process, Risk Event Analysis

- Question #345 (Implementation of Security and Privacy Controls)
  Which of the following is an entry in an object's discretionary access control list (DACL) that grants permissions to a user or group?
  Tags: Access Control Entry (ACE), Discretionary Access Control (DAC), Access Control List (ACL), Permissions

- Question #346 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying...
  Tags: Privacy Act, System of Records, Definitions, Compliance Basics

- Question #347 (Scope of the System)
  The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such infor...
  Tags: Security Categorization, Impact Assessment, CIA Triad, Information Classification

- Question #348 (Compliance Maintenance)
  Why is security control volatility an important consideration in the development of a security control monitoring strategy?
  Tags: Security Control Monitoring, Control Volatility, Compensating Controls, Risk Management

- Question #349 (Selection and Approval of Framework, Security, and Privacy Controls)
  Which role ensures that the selection of security controls is consistent with the enterprise architecture, including reference models and segment and solution architectures?
  Tags: Information Security Architect, Security Control Selection, Enterprise Architecture, RMF Roles

- Question #350 (Security and Privacy Governance, Risk Management, and Compliance Program)
  An occurrence that actually jeopardizes the CIA of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or...
  Tags: Security Incident, Incident Response, Cybersecurity Definitions, CIA Triad