CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 8 of 15.
- Question #351: Selection and Approval of Framework, Security, and Privacy Controls
  A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, a...
  Tags: Security Control Inheritance, Control Selection, Shared Responsibility, Risk Management Framework
- Question #352: Implementation of Security and Privacy Controls
  The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).
  Tags: Security Controls, Operational Controls, Control Types, NIST Controls
- Question #353: Security and Privacy Governance, Risk Management, and Compliance Program
  What may Colvine Tech do if they determine that the root cause of an unauthorized change is an adversarial attack?
  Tags: Incident Response, Risk Mitigation, Security Controls, Threat Management
- Question #354: Assessment/Audit of Security and Privacy Controls
  Security control assessors can reuse past assessment results to satisfy the annual FISMA security assessment requirement provided the assessment results are: CHOOSE ALL THAT APPLY...
  Tags: FISMA, Security Assessment, Assessment Reuse, Control Effectiveness
- Question #355: Selection and Approval of Framework, Security, and Privacy Controls
  The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the baselines described...
  Tags: Compensating Controls, Security Controls, NIST SP 800-53, Control Baselines
- Question #356: Security and Privacy Governance, Risk Management, and Compliance Program
  Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.
  Tags: Information Security Policy, Policy, Governance, Directives
- Question #357: Security and Privacy Governance, Risk Management, and Compliance Program
  An organizational official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, proces...
  Tags: Information Owner, Roles and Responsibilities, Information Governance, Data Stewardship
- Question #358: Security and Privacy Governance, Risk Management, and Compliance Program
  Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social s...
  Tags: Personally Identifiable Information (PII), Data privacy, Definitions, Information types
- Question #359: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following provides instructions for annual FISMA reporting and emphasizes monitoring the security state of information systems on an ongoing basis with a frequency suf...
  Tags: FISMA Reporting, Ongoing Monitoring, OMB Memoranda, Risk-Based Decisions
- Question #360: Security and Privacy Governance, Risk Management, and Compliance Program
  The System Owner (SO) of Colvine Tech is implementing a new system in the organization's Information Technology (IT) environment. What objectives are considered when determining po...
  Tags: CIA Triad, Risk Assessment, Impact Analysis, Information Security Objectives
- Question #361: Selection and Approval of Framework, Security, and Privacy Controls
  Statements of security capability to: (i) build in additional, but related, functionality to a security control; and/or (ii) increase the strength of the control.
  Tags: Security Controls, Control Enhancements, NIST SP 800-53, Control Tailoring
- Question #362: Assessment/Audit of Security and Privacy Controls
  Which of the following NIST publications is the guide for security and privacy control assessments in federal information systems and organizations?
  Tags: NIST SP 800-53A, Control Assessment, NIST Publications
- Question #363: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following emphasizes the importance of continuous monitoring by requiring agencies to conduct control assessments at a frequency appropriate to risk but no less than a...
  Tags: FISMA, Continuous Monitoring, Control Assessments, Federal Regulations
- Question #364: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following are "not" a phase of the NIST Risk Management Framework?
  Tags: NIST RMF phases, Risk Management Framework, NIST SP 800-37
- Question #365: Security and Privacy Governance, Risk Management, and Compliance Program
  Which organizational official is responsible for identifying assessment methodologies and metrics to ensure that privacy controls are meeting the organization's privacy requirement...
  Tags: Organizational Roles, Privacy Governance, Privacy Control Assessment, Senior Agency Official for Privacy
- Question #366: Security and Privacy Governance, Risk Management, and Compliance Program
  Who is the organizational official responsible for the development, implementation, assessment, and monitoring of security controls in an information system?
  Tags: Organizational Roles, System Owner, Security Controls, NIST RMF
- Question #367: Selection and Approval of Framework, Security, and Privacy Controls
  Which of the following publications serves as a guide for the selection of security controls?
  Tags: NIST SP 800-53, FIPS 200, Security Control Selection, NIST RMF
- Question #368: Security and Privacy Governance, Risk Management, and Compliance Program
  Step 6 of the risk management framework can be described as:
  Tags: Risk Management Framework, NIST RMF, RMF Step 6, System Authorization
- Question #369: Security and Privacy Governance, Risk Management, and Compliance Program
  The RMF Step and task where the Information System is registered with the appropriate organization and PMO.
  Tags: RMF, Prepare Step, System Registration, NIST SP 800-37
- Question #370: Security and Privacy Governance, Risk Management, and Compliance Program
  Why would the authorization decision issue a determination of Not Authorized?
  Tags: Authorization Decision, Risk Management, Residual Risk, Not Authorized Determination
- Question #371: Selection and Approval of Framework, Security, and Privacy Controls
  Which of the following documents can best aid in selecting controls to be monitored?
  Tags: FIPS 199, Control Selection, System Categorization, NIST Standards
- Question #372: Security and Privacy Governance, Risk Management, and Compliance Program
  What does avoidance mean with respect to risk response?
  Tags: Risk Management, Risk Response, Risk Avoidance
- Question #373: Selection and Approval of Framework, Security, and Privacy Controls
  With respect to legacy systems, what RMF Steps can be applied to validate the security categorization to ensure appropriate security controls have been selected and implemented. Re...
  Tags: RMF Steps, Legacy Systems, Security Categorization, Control Selection, Gap Analysis
- Question #374: Security and Privacy Governance, Risk Management, and Compliance Program
  Who is primarily responsible for categorizing the Information System?
  Tags: Information System Owner, Roles and Responsibilities, System Categorization, CGRC Fundamentals
- Question #375: Security and Privacy Governance, Risk Management, and Compliance Program
  Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptiti...
  Tags: Shoulder Surfing, Confidentiality, Information Security Principles, Physical Security Attacks
- Question #376: Security and Privacy Governance, Risk Management, and Compliance Program
  When was Title III of E-Government Act 44 USC sec.351 (Public Law 107-347) passed and signed into law?
  Tags: E-Government Act, Title III, US Laws, Compliance History
- Question #377: Implementation of Security and Privacy Controls
  Common control providers have the responsibility for development, implementation, assessment, and monitoring of common controls. In which document do common control providers docum...
  Tags: Common Controls, System Security Plan, NIST RMF Documentation, Control Implementation
- Question #378: System Compliance
  A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.
  Tags: Assurance Case, Evidence, System Compliance, Quality Attributes
- Question #379: Scope of the System
  Where can you find guidance for registering information systems in the organization system inventory?
  Tags: NIST SP 800-37, Risk Management Framework (RMF), System Inventory, System Registration
- Question #380
  You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of i...
- Question #381: Assessment/Audit of Security and Privacy Controls
  Focused testing is a test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. This type of testing is also known a...
  Tags: Testing methodologies, Gray box testing, Security assessment
- Question #382: Security and Privacy Governance, Risk Management, and Compliance Program
  Which NIST publication provides guidance on the three tiers in the risk management hierarchy including Tier 1, Tier 2, and Tier 3?
  Tags: NIST SP 800-39, Risk Management Tiers, Risk Management Hierarchy
- Question #383: Compliance Maintenance
  _________________________ management offers a structured approach to managing, approving, and documenting changes affecting an IS; critical to continuous assessment of security pos...
  Tags: Configuration Management, Change Management, IS Security, Continuous Monitoring
- Question #384: Security and Privacy Governance, Risk Management, and Compliance Program
  Any executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (includi...
  Tags: Government agency definition, FISMA scope, Regulatory applicability, US federal cybersecurity
- Question #385: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?
  Tags: FISMA, Information Security Legislation, US Federal Compliance
- Question #386: Security and Privacy Governance, Risk Management, and Compliance Program
  The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statem...
  Tags: ISSO roles, ISSE roles, Security roles and responsibilities, System authorization
- Question #387: Security and Privacy Governance, Risk Management, and Compliance Program
  Which RMF role needs to be aware of id of new threats, evolving risks, changes in data sensitivity/criticality and changes in operating environment; to make conscious decision on w...
  Tags: RMF Roles, Authorizing Official (AO), Re-certification, Risk Management
- Question #388: Selection and Approval of Framework, Security, and Privacy Controls
  Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security cont...
  Tags: NIST SP 800-53, Federal Information Security Standards, Security Control Families, Compliance Frameworks
- Question #389: Assessment/Audit of Security and Privacy Controls
  The use of automation to support ongoing assessments facilitates all but one of the following.
  Tags: Automated assessments, Assessment capabilities, Control verification, GRC automation
- Question #390: Security and Privacy Governance, Risk Management, and Compliance Program
  Which of the following is not a part of the Identify Risks process?
  Tags: Risk Identification, Risk Management Tools, Diagramming Techniques
- Question #391: Security and Privacy Governance, Risk Management, and Compliance Program
  During the assessment of a new system, the ISO mentioned that if unauthorized modification or destruction of medical information in the system occurred, it could result in potentia...
  Tags: Information Classification, CIA Triad, Risk Assessment, Protected Health Information (PHI)
- Question #392: Scope of the System
  A system or system element that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the app...
  Tags: External system, Authorization boundary, System scope, Control effectiveness
- Question #393: Security and Privacy Governance, Risk Management, and Compliance Program
  NIST SP 800-37 defines a 3-tiered approach to the RMF, which are?
  Tags: NIST SP 800-37, Risk Management Framework (RMF), RMF Tiers
- Question #394: Security and Privacy Governance, Risk Management, and Compliance Program
  What publication provides a structured process (RMF) to fully integrate information security and risk management activities into the SDLC in a disciplined fashion?
  Tags: RMF, NIST SP 800-37, SDLC Integration, Information Security
- Question #395: Security and Privacy Governance, Risk Management, and Compliance Program
  A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk respons...
  Tags: Risk management, Risk response strategies, Risk transference, Outsourcing
- Question #396: Security and Privacy Governance, Risk Management, and Compliance Program
  Which RMF role can be appointed at the discretion of the Approving/Authorization Authority?
  Tags: RMF Roles, Authorization Authority, Designated Representative, NIST SP 800-37
- Question #397: Compliance Maintenance
  This process is used to determine if the security controls in the information system continue to be effective over time in light of the inevitable changes that occur in the system...
  Tags: Continuous Monitoring, Security Control Effectiveness, Risk Management Framework, System Authorization
- Question #398: Compliance Maintenance
  Which National Institute of Standards and Technology Special Publication (NIST SP) 800 series document is concerned with continuous monitoring for federal information systems and o...
  Tags: NIST SP 800-137, Continuous Monitoring, Federal Information Systems, Information Security Governance
- Question #399: Assessment/Audit of Security and Privacy Controls
  You have newly joined the assessment team that will be carrying out an independent, focused level of coverage, control assessment at Colvine Tech. What is a focused level of assess...
  Tags: Focused assessment, Assessment methodology, Control assessment, Sampling
- Question #400: Security and Privacy Governance, Risk Management, and Compliance Program
  Publication that specifies security requirements for federal information and Info Systems in 17 security related areas that represent a broad-based, balanced information security p...
  Tags: FIPS 200, Federal Security Requirements, NIST Standards, Information System Security