CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 9 of 15.
- Question #401 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Amy is the project manager for her company. In her current project the organization has a very low tolerance for risk events that will affect the project schedule. Management has a...
  Tags: Risk Management, Project Schedule, Risk Assessment, Organizational Tolerance
- Question #402 (Scope of the System)
  The first item listed in the system security plan is the system name and identifier. As required in OMB Circular A-11, each system should be assigned a name and unique identifier....
  Tags: System Identification, System Security Plan, Security Metrics, Regulatory Compliance
- Question #403 (Security and Privacy Governance, Risk Management, and Compliance Program)
  In which step of the NIST SP 800-30 Risk Assessment process are vulnerabilities paired with threats?
  Tags: NIST SP 800-30, Risk Assessment Process, Impact Analysis, Threat-Vulnerability Pairing
- Question #404 (Assessment/Audit of Security and Privacy Controls)
  When should the assessment team provide the briefing following the conclusion of testing to provide system management/operations personnel an opportunity to know the security postu...
  Tags: Post-assessment briefing, Security posture communication, Remediation urgency
- Question #405 (System Compliance)
  Which of the following is used throughout the entire C&A process?
  Tags: C&A Process, System Security Accreditation Agreement (SSAA), Accreditation, Compliance Artifacts
- Question #406 (Assessment/Audit of Security and Privacy Controls)
  Which of the following NIST Special Publication documents provides a guideline on questionnaires and checklists through which systems can be evaluated for compliance against specif...
  Tags: NIST Special Publications, Control Assessment, Compliance Evaluation, NIST SP 800-53A
- Question #407 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Gary is the project manager of his organization. He is managing a project that is similar to a project his organization completed recently. Gary has decided that he will use the in...
  Tags: Risk Identification, Checklist Analysis, Risk Management Techniques, Limitations of Risk Tools
- Question #408 (Assessment/Audit of Security and Privacy Controls)
  Which Certification Level of Effort is indicated by a checklist-based, independent security review that includes interviews, policy/procedure reviews, and operations observation?...
  Tags: Security review effort, Checklist-based assessment, Compliance certification, Audit methodology
- Question #409 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time.
  Tags: Threat Scenario, Risk Terminology, Threat Events, Risk Management
- Question #410 (Assessment/Audit of Security and Privacy Controls)
  Testing officials should use which NIST publication as a guide for developing test procedures?
  Tags: NIST SP 800-53A, Control Assessment, Test Procedures
- Question #411 (Security and Privacy Governance, Risk Management, and Compliance Program)
  You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. You will need all of the following as...
  Tags: Project Management, Risk Management, Qualitative Risk Analysis, Process Inputs
- Question #412 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following processes is used to protect data based on its secrecy, sensitivity, or confidentiality?
  Tags: Data Classification, Data Protection, Confidentiality, Data Sensitivity
- Question #413 (Assessment/Audit of Security and Privacy Controls)
  Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. What are the different categories of penetration testing?...
  Tags: Penetration testing, Security assessment, Black-box testing, White-box testing
- Question #414 (Assessment/Audit of Security and Privacy Controls)
  Basic testing is a test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. This type of testing is also known as:...
  Tags: Black box testing, Testing methodologies, Security testing
- Question #415 (Implementation of Security and Privacy Controls)
  James works as IT systems personnel at SoftTech Inc. He performs the following tasks: - Runs regular backups and routine tests of the validity of the backup data. - Performs data...
  Tags: Information Security Roles, Data Custodian, Backup and Recovery, Information Classification Policy
- Question #416 (Scope of the System)
  What are information systems?
  Tags: information system definition, system components, information resources
- Question #417 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following individuals informs all C&A participants about life cycle actions, security requirements, and documented user needs?
  Tags: IS Program Manager, RMF Roles and Responsibilities, C&A Process, Communication
- Question #418 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Risk transference refers to the transfer of risks to a third party, usually for a fee; it creates a contractual relationship for the third party to manage the risk on beha...
  Tags: Risk Management, Risk Response Strategies, Risk Transference
- Question #419 (Compliance Maintenance)
  Which RMF role is responsible for securing the system and managing all security aspects of the system, closely monitors the day-to-day security of the system, and monitors effect...
  Tags: RMF Roles, ISSO Responsibilities, System Security Operations, Control Monitoring
- Question #420 (Security and Privacy Governance, Risk Management, and Compliance Program)
  The security authorization package contains multiple key documents enabling the authorizing officials to make risk-based authorization decisions. Which of the following documents...
  Tags: Authorization Package, Risk Management Framework, Authorization to Operate (ATO), Security Documentation
- Question #421 (Assessment/Audit of Security and Privacy Controls)
  Controls reported by the system owner as not in place should not be tested but need to be recorded as (passing, failing, or N/A), since the report is the basis for the remediation plan.
  Tags: Control Assessment, Deficiency Reporting, Remediation Planning, Control Status
- Question #422 (Selection and Approval of Framework, Security, and Privacy Controls)
  Which three classifications of security controls have been identified by NIST based on the responsibility for their provision?
  Tags: NIST, Control Classification, Common Controls, System-Specific Controls
- Question #423 (Security and Privacy Governance, Risk Management, and Compliance Program)
  One of the inputs to the risk determination task is the employment of risk assessments to provide information that may influence the risk analysis and risk determination. What publ...
  Tags: NIST SP 800-30, Risk Assessment, Risk Management, NIST Publications
- Question #424 (Compliance Maintenance)
  An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing Official? Each correct answer represents a complete solution. Choose all that...
  Tags: Authorizing Official (AO), Risk Management Framework (RMF) roles, Authorization to Operate (ATO), System Reauthorization
- Question #425 (Selection and Approval of Framework, Security, and Privacy Controls)
  When determining the applicability of a specific security control, the security professional should utilize which type of guidance?
  Tags: Security Controls, Control Selection, Scoping Guidance, NIST RMF
- Question #426 (System Compliance)
  When an AO submits the security authorization decision, what responses should the ISO expect to receive?
  Tags: RMF Authorization Decision, ATO/DATO, Authorizing Official (AO), Authorization Conditions
- Question #427 (Assessment/Audit of Security and Privacy Controls)
  __________ of Effort will drive the size of the testing team, the rigor of testing, and the amount of documentation required.
  Tags: Level of Effort, Testing scope, Documentation requirements, Resource planning
- Question #428 (Selection and Approval of Framework, Security, and Privacy Controls)
  An information system is currently in the initiation phase of the system development life cycle (SDLC) and has been categorized high impact. The information system owner wants to i...
  Tags: Control Inheritance, Impact Level, Security Control Tailoring, System Development Life Cycle
- Question #429 (Selection and Approval of Framework, Security, and Privacy Controls)
  A countermeasure or safeguard that is implemented in an informational system in part as a common control and in part as a system-specific control.
  Tags: Hybrid Controls, Control Classification, NIST RMF Controls
- Question #430 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following individuals is responsible for the final accreditation decision?
  Tags: Roles and Responsibilities, Accreditation Decision, Information System Owner, Authorization Official
- Question #431 (Selection and Approval of Framework, Security, and Privacy Controls)
  Overlays can be implemented as part of control tailoring. In which step of the assessment and authorization process is control tailoring done?
  Tags: Control tailoring, Overlays, RMF Select step, Assessment and Authorization process
- Question #432 (Security and Privacy Governance, Risk Management, and Compliance Program)
  A key part of the risk-based decision process is the recognition that, regardless of the risk response, there remain some risks, known as:
  Tags: Residual risk, Risk management, Risk response, Risk terminology
- Question #433 (Assessment/Audit of Security and Privacy Controls)
  Governing document that provides a comprehensive, rigorous method for specifying security function and assurance requirements for products and systems.
  Tags: Common Criteria, Product Evaluation, Security Assurance, Governing Documents
- Question #434 (Assessment/Audit of Security and Privacy Controls)
  Security Test and Evaluation (ST&E) is a component of risk assessment. It is useful in discovering system vulnerabilities. For what purposes is ST&E used? Each correct answer repre...
  Tags: Security Test and Evaluation, Vulnerability Assessment, Security Controls Assessment
- Question #435 (Compliance Maintenance)
  Which NIST special publication is the guide on continuous monitoring?
  Tags: NIST SP 800-137, Continuous Monitoring, Risk Management Framework, NIST Publications
- Question #436 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which role in the security authorization process is responsible for organizational information systems?
  Tags: Security authorization process, Roles and responsibilities, Authorizing Official (AO), Information system accountability
- Question #437 (Selection and Approval of Framework, Security, and Privacy Controls)
  The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availa...
  Tags: Security Controls, CIA Triad, Control Types, Information Security
- Question #438 (Assessment/Audit of Security and Privacy Controls)
  This is a standard that sets essential requirements for assessing the effectiveness of computer security controls built into a computer system.
  Tags: TCSEC, Security Standards, System Evaluation, Control Assessment
- Question #439 (System Compliance)
  When an authorization to operate is issued, which of the following roles authoritatively accepts residual risk on behalf of the organization?
  Tags: Authorization to Operate (ATO), Residual Risk, Authorizing Official (AO), Risk Acceptance
- Question #440 (Assessment/Audit of Security and Privacy Controls)
  Which of the following types of evidence is a collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity/person?
  Tags: Evidence types, Circumstantial evidence, Investigations
- Question #441 (Selection and Approval of Framework, Security, and Privacy Controls)
  What does RTM stand for?
  Tags: Acronyms, Requirements Traceability, Compliance Tools, Control Selection
- Question #442 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What is the three-tiered approach to risk management described in NIST SP 800-37, Revision 1?
  Tags: NIST SP 800-37, Risk Management Framework (RMF), Three-tiered approach, Organizational risk management
- Question #443 (Selection and Approval of Framework, Security, and Privacy Controls)
  Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security cont...
  Tags: ISO 27002, International Standards, Information Security Controls, Standard Frameworks
- Question #444 (Selection and Approval of Framework, Security, and Privacy Controls)
  A security control for an information system that has not been designated as a common control or the portion of a hybrid control that is to be implemented within an informational s...
  Tags: System Specific Control, Control Categorization, NIST RMF, Security Controls
- Question #445 (Security and Privacy Governance, Risk Management, and Compliance Program)
  In performing ongoing risk determination and acceptance, the AO consults with the CISO and Risk _______________ to determine whether current system risk is acceptable, provides app...
  Tags: Risk Management, Organizational Roles, Risk Acceptance, Authorizing Official (AO)
- Question #446 (Assessment/Audit of Security and Privacy Controls)
  Which of the following assessment methodologies defines a six-step technical security evaluation?
  Tags: FIPS 102, Security Evaluation Methods, Assessment Frameworks, Technical Assessments
- Question #447 (Selection and Approval of Framework, Security, and Privacy Controls)
  What publication provides a wide range of security controls as a basis for mitigation measures?
  Tags: NIST SP 800-53, Security Controls, Mitigation Measures, Information Security Standards
- Question #448 (Scope of the System)
  Documenting the description of the system in the system security plan is the primary responsibility of which Risk Management Framework (RMF) role?
  Tags: RMF Roles, Information System Owner, System Security Plan, System Definition
- Question #449 (Security and Privacy Governance, Risk Management, and Compliance Program)
  What is the potential impact if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operatio...
  Tags: Impact Assessment, Risk Management, CIA Triad, Impact Classification
- Question #450 (Security and Privacy Governance, Risk Management, and Compliance Program)
  Which of the following is a 1996 United States federal law, designed to improve the way the federal government acquires, uses, and disposes of information technology?
  Tags: US Federal Law, Clinger-Cohen Act, IT Governance, Federal IT Acquisition