ISC Certified in Governance Risk and Compliance

QUESTION NO: 1
A security assessment plan comprises of all of the following except one Response:

A. Methodology B. Recommendations for remediation C. Scope D. Rules of engagement

Correct Answer: B

QUESTION NO: 2
Where can a project manager find risk-rating rules?
Response:

A. Risk probability and impact matrix B. Risk management plan C. Enterprise environmental factors D. Organizational process assets

Correct Answer: D

QUESTION NO: 3
The purpose of security controls testing is to evaluate the _________________ of the security controls protecting an information system.
Response:

A. Effectiveness B. Potent C. Powerlessness D. Inefficacious

Correct Answer: A

QUESTION NO: 4
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assests, or individuals. Thus the potential impact is..
Response:

A. Severe B. High C. Low D. Moderate

Correct Answer: D

QUESTION NO: 5
NIST 800-53 identifies continuous monitoring as which of the following security control?
Response:

A. SA-12 B. RA-3 C. CA-7 D. CA-2

Correct Answer: C

QUESTION NO: 6
What are the 2 activities involved in certification testing? Response:

A. Assessment of controls, Documentation of Results B. Assessment of controls C. Security Controls Assessment D. Security Controls Assessment, Documentation of Results

Correct Answer: A

QUESTION NO: 7
Who is the organizational official responsible for the development, implementation, assessment, and monitoring of security controls in an information system? Response:

A. Information System Security Officer (ISSO) B. Information System Owner (ISO) C. Information System Security Engineer (ISSE) D. Common Control Provider (CCP)

Correct Answer: B

QUESTION NO: 8
An information system is currently in the initiation phase of the system development life cycle (SDLC) and has been categorized high impact. The information system owner wants to inherit common controls provided by another organizational information system that is categorized moderate impact. How does the information system owner ensure that the common controls will provide adequate protection for the information system?
Response:

A. Consult with the information system security engineer and the information security architect. B. Perform rigorous testing of the common controls to determine if they provide adequate protection. C. Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system. D. Ask the common control provider for the system security plan for the common controls.

Correct Answer: C

QUESTION NO: 9
FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability).
Response:

A. Low (limited adverse effect)
Moderate (serious adverse effect)
High (severe or catastrophic adverse effect) B. Moderate (limited adverse effect)
Low (serious adverse effect)
High (severe or catastrophic adverse effect) C. High (limited adverse effect)
Low (serious adverse effect)
Moderate (severe or catastrophic adverse effect) D. High (limited adverse effect)
Moderate (serious adverse effect)
High (severe or catastrophic adverse effect)

Correct Answer: A

QUESTION NO: 10
What publication provides a wide range of security controls as a basis for mitigation measures?
Response:

A. NIST SP 800-60 B. NIST SP 800-39 C. NIST SP 800-53 D. NIST SP 800-37

Correct Answer: C

ISC Certified in Governance Risk and Compliance - CGRC Exam Questions