
ISC2 CGRC℠ Free Governance, Risk and Compliance Certification practice test

10 real ISC2 CGRC℠ practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 499 questions whenever you’re ready. The ISC2 CGRC℠ passing score is 700 / 1000.

Answer key

All 10 ISC2 CGRC℠ questions & answers

Prefer to just read the answers and explanations? Here’s the full key for this free ISC2 CGRC℠ test.

Q1. A statute that imposes fines on unauthorized individuals who deliberately access restricted information is an example of which of the following?

Correct answer: C. Risk deterrence

Risk deterrence refers to mechanisms — such as laws, penalties, or policies — designed to discourage exploitation of a vulnerability even when it is technically feasible. A law imposing fines for unauthorized data access is a classic deterrence measure. Technical controls rely on technology (e.g., encryption, firewalls) to enforce confidentiality, integrity, or availability. Risk avoidance involves withdrawing from activities that carry a given risk. Physical controls restrict or observe physical access, such as locks, guards, and surveillance cameras.

Q2. A technician at a company used an overwrite method to sanitize an aging storage drive but could not confirm the process succeeded. A senior engineer reviewed the situation and agreed that success cannot be verified given the drive's condition. According to NIST SP 800-88 R1, what is the recommended next step?

Correct answer: C. Physically destroy the drive

NIST SP 800-88 R1 defines three media sanitization categories: Clear, Purge, and Destroy. Overwriting falls under the Clear category. When Clear or Purge techniques cannot be verified as successful, NIST 800-88 R1 states that destructive techniques may be the only viable option. Attempting another Clear technique is unlikely to succeed if prior verification failed. An aged drive is unlikely to be under warranty, and recovering then re-sanitizing is not supported by the guidance.

Q3. In NIST SP 800-53 R5, Access Control (AC), Risk Assessment (RA), and Supply Chain Risk Management (SR) are examples of which structural concept?

Correct answer: C. Control family

NIST SP 800-53 R5 organizes its controls into 20 control families, each grouping related security and privacy controls. AC, RA, and SR are all names of control families. Within each family, individual base controls address specific security requirements, while control enhancements add further specificity or capability to those base controls. 'Control domain' is not a defined term in NIST SP 800-53.

Q4. According to NIST SP 800-37 R2, which role bears primary responsibility for determining an authorization boundary?

Correct answer: D. Authorizing official

In NIST SP 800-37 R2, the authorization boundary is established during Task P-11 of the Prepare step. The authorizing official is identified as the role primarily responsible for that task. The other roles listed — enterprise architect, system owner, and chief information officer — may provide input or support but are not primarily responsible for defining the authorization boundary.

Q5. According to NIST SP 800-39, which of the following correctly identifies all four components of risk management?

Correct answer: B. Frame, assess, respond, and monitor

NIST SP 800-39 defines four risk management components: Frame, Assess, Respond, and Monitor. The Frame component establishes the context and strategy for risk decisions. The Assess component identifies threats, vulnerabilities, and the potential harm they pose. The Respond component determines appropriate actions based on assessed risk. The Monitor component provides ongoing observation of risk over time. Terms such as 'reduce,' 'repeat,' 'governance,' 'strategy,' 'tactics,' and 'procedures' are not the four components defined in NIST 800-39.

Q6. A government agency has defined its authorization boundary. A third-party system calls an API on a server inside that boundary, yet the agency has no direct control over the third-party system. Using NIST SP 800-37 R2 terminology, what term best describes the third-party system?

Correct answer: A. External system

NIST SP 800-37 R2 defines an external system as a system outside the authorization boundary over which the organization has no direct control of the implementation or assessment of security controls. Because the agency does not control the third-party system, it fits the definition of an external system. An Industrial Control System (ICS) is a term covering systems such as PLCs and SCADA used in industrial settings. 'Hybrid system' and 'dependency' are not complete or precise descriptors for this scenario in the context of NIST 800-37 R2.

Q7. An organization deployed a Closed-Circuit Television (CCTV) system to monitor entry points to a sensitive area. This is an example of which type of security control?

Correct answer: B. Physical

Physical controls restrict or monitor physical access and operations. Examples include CCTV cameras, locks, barriers, mantraps, guards, fencing, and lighting. Technical controls apply technology to enforce confidentiality, integrity, or availability (e.g., encryption, firewalls). Operational controls focus on people-based processes and practices, such as training programs, hiring procedures, and continuity planning. Note that the boundaries between management and operational controls can overlap depending on the framework being used.

Q8. An organization introduced formal employee offboarding procedures designed to reduce the likelihood that departing employees will intentionally harm internal systems. This is an example of which type of security control?

Correct answer: A. Operational

Operational controls are people-centered and process-driven, covering practices such as hiring and termination procedures, security awareness training, and business continuity planning. Physical controls manage or observe physical access (locks, guards, fences). Technical controls apply technology solutions to enforce security objectives (encryption, access control systems). 'Interpersonal' is not a recognized security control category. Note that the terms 'operational' and 'management' controls can overlap in definition depending on the framework.

Q9. An organization enforces encryption for all data moving across its corporate network. This is an example of which type of security control?

Correct answer: B. Technical

Technical controls use technology to enforce confidentiality, integrity, or availability objectives. Encryption in transit is a classic technical control. Physical controls protect against unauthorized physical access or observation (locks, guards, fencing). Operational controls address processes and human practices (training, procedures, continuity plans). Management controls typically have a risk management orientation. The terms 'operational' and 'management' can overlap depending on the framework context.

Q10. An organization is developing its information security program documentation. How much detail should the documentation include regarding controls?

Correct answer: C. Enough detail that compliance criteria are clearly understood

Information security program documentation should provide sufficient detail that compliance criteria are unambiguous and actionable. Program-level controls are not intended to replace system-specific controls, so they should not descend to configuration-level specifics. Documentation that is vague enough for each department to define its own compliance interpretation is too ambiguous and creates inconsistency. Additionally, many factors — audits, emerging threats, regulatory changes, and incidents — will drive future updates, making the 'no future revisions' option unrealistic.

Exam facts and objectives sourced from the official ISC2 certification page. Last reviewed June 2026.
