CGRC Practice Questions (125) well answered already passed

CGRC Practice Questions (125) well
answered already passed

C - Pass, fail - correct answer ✔✔Test Results should be shown as "meeting standards" or "not
meeting standards"; or in short ________, _______.



A - Good, bad

B - Yes, no

C - Pass, fail

D - True, false



C - Host - correct answer ✔✔The Assessment Test plan once developed is submitted to
__________ for approval.

Choose one:

A - Team Lead

B - Guest

C - Host

D - System Owner



A - Technical - correct answer ✔✔In which type of access control do user ID and password
system come under?

Choose one:

A - Technical

B - Power

C - Physical

D - Administrative

,B-Residual risk - correct answer ✔✔A key part of the risk-based decision process is the
recognition that regardless of the risk response, There remains some risks known as:

Choose one:

A - Risk mitigation

B - Residual risk

C - Risk analysis

D - Risk tolerance level



D-The remediated controls are reassessed - correct answer ✔✔What is the MOST appropriate
action to take after weaknesses or deficiencies in controls are corrected?

Choose one:

A - The system is given an Authority to Operate (ATO)

B - The original assessment results are changed

C - The assessment report is generated

D - The remediated controls are reassessed



C-CONFIDENTIALITY, INTEGRITY and AVAILABILITY - correct answer ✔✔The FISMA defines three
security objectives for information and information systems:

Choose one:

A - AVAILABILITY, AUTHENTICITY and CONFIDENTIALITY

B - INTEGRITY, AVAILABILITY and AUTHENTICITY

C - CONFIDENTIALITY, INTEGRITY and AVAILABILITY

D - AUTHENTICITY, CONFIDENTIALITY and INTEGRITY



C - TASK 1 - correct answer ✔✔Information System and Environment Changes, determine the
security impact of proposed or actual changes to the information system and its environment of
operation; is Task _____ in RMF Step 7, monitoring of controls.

,Choose one:

A - Task 3

B - Task 2

C - Task 1

D - Task 4



C-EXAMINE - correct answer ✔✔All of the following except one are assessment objects.

Choose one:

A - Mechanisms

B - Activities and individuals

C - Examine

D - Specifications



D-NIST SP 800-37 - correct answer ✔✔Which publication primarily targets activities in Tier 3 of
Risk Management approach/pyramid?

Choose one:

A - NIST SP 800-53

B - NIST SP 800-38

C - NIST SP 800-53A

D - NIST SP 800-37



A-Common Control Provider (CCP) - correct answer ✔✔An organizational official responsible for
the development, implementation, assessment, and monitoring of security controls inherited by
information systems is called...

Choose one:

A-Common Control Provider (CCP)

B-Information System Owner (ISO)

, C-Information System Security Engineer (ISSE)

D-Chief Information Officer (CIO)



1 - System Characterization

2 - Threat identification

3 - Vulnerability Identification

4 - Control Analysis

5 - Likelihood Determination

6 - Impact Analysis

7 - Risk Determination

8 - Control Recommendation

9 - Results Documentation - correct answer ✔✔What are the nine steps of Risk Assessment
Methodology?



B-Implementation phase - correct answer ✔✔Authorization to process should occur during
what phase of the SDLC?

Choose one:

A-Threat Identification

B-Implementation phase

C-Vulnerability Identification

D-Risk Determination



B-Recommendations for control remediations - correct answer ✔✔The final Security
Assessment Report (SAR) should contain findings from the security control assessment and
which of the ensuing?

Choose one:

A-Security control assessment plan