Question 1

Which of the following is the best example of a common control?

Options :

A : A security policy that is tailored to a specific information system

B : A system administrator who is responsible for the security of a specific information system

C : A firewall that is used to protect multiple information systems

D : A security assessment that is conducted for a specific information system

Answer: C

Question 2

Security controls are assessed for a number of reasons. Which of the following are reasons for assessing security controls? Select all that apply.

Options :

A : To ensure that the security and privacy controls for managing risk are in place and producing the desired outcomes

B : To satisfy legal and regulatory requirements and avoid paying a fine.

C : To provide a good source of KPIs to senior management.

D : To provide the authorizing official with the information needed to make an authorization decision

E : To maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions

Answer: A,D

Question 3

Ratio Corp is in the process of selecting security controls for a new information system. Which of the following is NOT a valid control selection method according to NIST guidelines?

Options :

A : Using a risk-based approach to determine the appropriate controls

B : Selecting controls based solely on cost-effectiveness

C : Implementing controls that are required by law, regulation, or policy

D : Adopting controls that are consistent with industry standards and best practices

Answer: B

Question 4

DEF Corporation is considering the implementation of a new software application. What is the role of security requirements in the SDLC?

Options :

A : To ensure that the software application is reliable and performs as intended

B : To identify and mitigate security risks associated with the software application

C : To design the software application and its features

D : To test the software application for defects and errors

Answer: B

Question 5

What are the objectives of the Prepare step in the NIST RMF framework?

Options :

A : Facilitating better communication between senior leaders and executives at the organization and mission and business process levels and system owners

B : Facilitating organization-wide identification of common controls and the development of organizationally tailored control baselines, reducing the workload on individual system owners and the cost of system development and asset protection

C : Reducing the complexity of the information technology and operations technology infrastructure using enterprise architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services

D : Ensuring that the implemented security controls continue to provide the intended level of protection for the information system and its data throughout the system-s lifecycle.

E : Identifying, prioritizing, and focusing resources on the organizationâ€™s high-value assets and high impact systems that require increased levels of protection and taking steps commensurate with the risk to such assets.

Answer: A,B,C,E

Smartly Prepare Exam with Free Online CGRC Practice Test

Buying Options: