CyberVista Governance, Risk, and Compliance Questions and Answers

Question 1

An organization is conducting a risk assessment and uses descriptive ratings such as 'High,' 'Medium,' and 'Low' to evaluate the likelihood and impact of identified risks based on expert judgment and experience. What type of risk assessment is being performed?

Accepted Answer

Qualitative

Answer

A qualitative risk assessment uses descriptive or categorical ratings (e.g., high, medium, low) to evaluate risks based on subjective judgment, experience, and context. This method is less precise than a quantitative assessment but is often quicker and easier to perform when numerical data is not available.

Question 2

Which of the following BEST describes the primary purpose of a Business Impact Analysis (BIA) within a GRC framework?

Accepted Answer

To identify critical business functions and determine the potential effects of a disruption to those functions.

Answer

A Business Impact Analysis (BIA) is a systematic process to identify critical business functions and evaluate the potential effects of a disruption on them. The BIA helps determine recovery priorities, recovery time objectives (RTOs), and the resources required to maintain operational resilience, forming the foundation for business continuity planning.

Question 3

A global company is looking to implement a comprehensive framework that is primarily focused on IT governance and aligning IT processes with business goals to deliver value. Which of the following frameworks would be the MOST appropriate choice?

Accepted Answer

COBIT (Control Objectives for Information and Related Technologies)

Answer

COBIT is a framework developed by ISACA specifically for the governance and management of enterprise IT. Its primary focus is on aligning IT with business objectives, ensuring that IT investments deliver real value, and managing IT-related risks. While other frameworks focus more on security controls (NIST, CIS) or establishing an ISMS (ISO 27001), COBIT is distinct in its business-driven governance approach.

Question 4

Within a cybersecurity governance structure, what is the hierarchical relationship between policies, standards, and procedures?

Accepted Answer

Standards and policies are interchangeable, while procedures describe the technology used.

Answer

The correct hierarchy is that Policies are high-level statements of management's intent. Standards provide mandatory, specific requirements to support the policies. Procedures are detailed, step-by-step instructions that document how to implement the standards and, by extension, the policies.

Question 5

A U.S.-based e-commerce company processes data for customers in California and the European Union. A key difference in their compliance obligations between CCPA and GDPR relates to the basis for processing personal data. Which statement accurately describes this difference?

Accepted Answer

GDPR requires a specific legal basis (like consent) for processing, while CCPA operates on an 'opt-out' model.

Answer

A primary difference between the two regulations is their approach to consent. GDPR requires organizations to have one of six specific legal bases (e.g., explicit consent, contractual necessity) to process personal data, which is an 'opt-in' model. CCPA, on the other hand, allows for the collection and processing of data by default but requires giving consumers a clear option to 'opt-out' of the sale or sharing of their personal information.

CyberVista Test Practice Test

CyberVista Test Practice Test

CyberVista Governance, Risk, and Compliance Questions and Answers