FREE CGRC Compliance and Policy Questions and Answers

Question 1

The determination of whether a system should be deemed a national security system is required by FISMA and supported by which NIST publication?

Accepted Answer

NIST SP 800-59

Answer

Explanation:
NIST Special Publication (SP) 800-59 provides guidance on the determination of whether a system should be deemed a national security system, as required by the Federal Information Security Modernization Act (FISMA). This publication assists organizations in identifying systems that require special consideration due to their significance for national security purposes.

Question 2

There are many prospective risks, categories of risk, and manners in which risk is evaluated. Federal law requires the consideration of mission, assets, other organizations and:

Accepted Answer

Individuals

Answer

Explanation:
Federal law requires the consideration of mission, assets, other organizations, and individuals when evaluating risks. This emphasizes the importance of assessing risks not only in terms of organizational objectives and assets but also in terms of potential impacts on individuals who may be affected by the risks.

Question 3

The security objectives are:

Accepted Answer

Confidentiality, integrity, and availability

Answer

Explanation:
The security objectives, as commonly recognized in information security, are confidentiality, integrity, and availability (CIA). These objectives guide organizations in implementing measures to protect sensitive information, ensure data accuracy and reliability, and maintain access to resources when needed.

Question 4

According to the Risk Management Framework (RMF), which role has a primary responsibility to report the security status of the information system to the authorizing official (AO) and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy?

Accepted Answer

Common control provider

Answer

Explanation:
According to the Risk Management Framework (RMF), the Common Control Provider has the primary responsibility to report the security status of the information system to the authorizing official (AO) and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy. The Common Control Provider ensures that common controls are effectively implemented and maintained across the organization's information systems.

Question 5

Which authorization approach considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of the other organization?

Accepted Answer

Leveraged

Answer

Explanation:
The leveraged authorization approach considers factors such as time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of the other organization. This approach leverages existing authorization results and documentation to streamline the authorization process for similar systems or environments, reducing duplication of effort and ensuring consistency in security posture.

CGRC - Certified Governance Risk and Compliance Practice Test

CGRC - Certified Governance Risk and Compliance Practice Test

FREE CGRC Compliance and Policy Questions and Answers