Practice CAS-004 Governance, Risk, and Compliance questions with full explanations on every answer.
1. A security analyst is calculating the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $5,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?
2. A company wants to ensure that its data handling practices align with the principle of 'privacy by design'. Which of the following actions best supports this principle?
3. A financial institution is required to comply with SOX. Which of the following is a primary focus of this regulation?
4. An organization has identified a vulnerability in a legacy system that cannot be patched. The system is critical for operations, and the cost of mitigating the vulnerability exceeds the potential loss. Which risk treatment option is most appropriate?
5. A security manager is evaluating two risk quantification approaches: Factor Analysis of Information Risk (FAIR) and a qualitative heat map. Which of the following is a key advantage of using FAIR over the qualitative heat map?
6. During a vendor risk assessment, a company receives a SOC 2 Type II report from a cloud service provider. What does this report primarily attest to?
7. An organization is implementing continuous compliance monitoring. Which of the following metrics would best indicate whether the organization is maintaining compliance with PCI DSS Requirement 10 (log management)?
8. Which of the following is the correct order of the security policy hierarchy from highest to lowest?
9. A security architect is designing a data classification scheme. Which of the following is the highest level of sensitivity that would typically require the most stringent controls?
10. An organization is reviewing its third-party risk management process. Which of the following clauses should be included in contracts with critical vendors to ensure ongoing visibility into their security posture?
11. A company is considering adopting the NIST Risk Management Framework (RMF). Which of the following steps is unique to NIST RMF compared to ISO 27005?
12. A security team is measuring the effectiveness of its incident response process. Which of the following metrics would best indicate how quickly the team can contain an incident after it is detected?
13. A small business is implementing a privacy impact assessment (PIA) for a new application that processes personal data of EU citizens. Which TWO of the following are required under GDPR?
14. A security manager is selecting key risk indicators (KRIs) for the organization's risk management program. Which THREE of the following are examples of KRIs that can provide early warning of increasing risk?
15. An organization is reviewing its supply chain risk management. Which TWO of the following are effective strategies to manage fourth-party risk?
16. A financial institution is evaluating a cloud service provider for hosting customer data. During the due diligence process, which report would best help the institution assess the provider's control environment and compliance with SOC 2?
17. An organization is implementing a data classification scheme. Which data type should be given the highest protection and is typically restricted to a very small number of individuals?
18. A security analyst calculates the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $50,000, and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?
19. Which risk treatment option involves reducing the likelihood or impact of a risk through controls?
20. A healthcare organization must comply with HIPAA. Which of the following is a key requirement for protecting electronic protected health information (ePHI)?
21. Which key performance indicator (KPI) is most useful for measuring the effectiveness of an incident response process?
22. When conducting a vendor risk assessment, which contractual clause is most important for ensuring ongoing visibility into the vendor's security posture?
23. An organization is implementing a privacy program based on privacy by design. Which principle requires that privacy controls be integrated into the system's default settings?
24. A company is required to comply with PCI DSS. What is the primary purpose of conducting quarterly network vulnerability scans?
25. Which document in a security policy hierarchy provides specific step-by-step instructions for performing a task?
26. An organization discovers that a third-party vendor has a subcontractor that processes its data. The organization did not have a contract with the subcontractor. This is an example of which type of risk?
27. Using the FAIR model, which of the following best describes the factor that represents the probable frequency of a threat acting on a vulnerability?
28. A security manager is selecting metrics to present to the board. Which two of the following are key risk indicators (KRIs) that would be most relevant for executive oversight? (Choose two.)
29. An organization is developing a policy exception management process. Which three of the following are essential components of an effective exception process? (Choose three.)
30. A security analyst is prioritizing remediation of vulnerabilities. Which three of the following factors should be considered when determining the risk level of a vulnerability? (Choose three.)
31. A security analyst is performing a quantitative risk assessment for a server that processes payment card data. The server has an asset value of $50,000. Based on historical data, the exposure factor (EF) for a ransomware attack is 80%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?
32. A multinational corporation that processes personal data of EU residents is required to appoint a Data Protection Officer (DPO) and implement data protection impact assessments. Which regulation primarily drives these requirements?
33. An organization is adopting the NIST Risk Management Framework (RMF). During which step would the security team select and implement security controls, and how does this map to the organization's governance structure?
34. A company's security policy requires all sensitive data to be encrypted at rest. However, a business unit requests an exception to store certain data unencrypted due to performance constraints. Which document should govern the exception process?
35. During a vendor risk assessment, a security analyst reviews a SOC 2 Type II report from a cloud provider. What is the primary value of this report?
36. A financial institution is implementing a privacy program based on GDPR principles. Which of the following best describes the concept of 'privacy by design'?
37. Which security metric measures the average time it takes to detect a security incident after it has occurred?
38. A security manager is reviewing a set of documents: an organizational security policy, a standard for encryption, a guideline for remote access, and a procedure for incident response. Which document is at the highest level in the policy hierarchy?
39. An organization has implemented a risk treatment plan that includes purchasing cyber insurance for potential data breach costs. Which risk treatment option does this represent?
40. Under the GDPR, which of the following is a data subject right?
41. A security team is evaluating the effectiveness of their patching program. Which metric would best indicate how quickly the organization applies critical patches?
42. A company is conducting a third-party risk assessment for a SaaS provider. The provider has provided a SOC 2 Type II report, penetration test results, and a completed security questionnaire. Which of these provides the most independent and comprehensive view of the provider's control environment over time?
43. A security architect is designing a data lifecycle management program. Which TWO of the following are phases of the data lifecycle? (Select TWO.)
44. A security manager is developing key risk indicators (KRIs) for the organization's cybersecurity program. Which THREE of the following are examples of KRIs? (Select THREE.)
45. A company is implementing continuous compliance monitoring for PCI DSS. Which TWO activities are most appropriate for this approach? (Select TWO.)
46. A security analyst is calculating the annualized loss expectancy (ALE) for a server that has an asset value of $100,000, an exposure factor (EF) of 0.5, and an annualized rate of occurrence (ARO) of 2. What is the ALE?
47. A company processes personal data of EU citizens and wants to implement privacy by design. Which of the following is the BEST first step in this process?
48. An organization is evaluating a third-party vendor that will have access to its customer database. The vendor provides a SOC 2 Type II report dated six months ago. Which of the following is the BEST next step?
49. An organization's security policy defines that all sensitive data must be encrypted. However, a business unit has a legacy application that cannot support encryption without a major rewrite. The risk owner decides to accept the risk. This is an example of which risk treatment strategy?
50. Which of the following is a key difference between a security guideline and a security procedure?
51. A security manager is reviewing Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for the security program. Which of the following is an example of a KRI?
52. An organization is required to comply with PCI DSS. Which of the following is a mandatory requirement for protecting cardholder data?
53. A company wants to implement continuous compliance monitoring. Which of the following approaches BEST supports this goal?
54. Which risk management framework is specifically designed for U.S. federal agencies and includes a six-step process: Categorize, Select, Implement, Assess, Authorize, and Monitor?
55. A healthcare organization subject to HIPAA must ensure that patients can access their medical records. This requirement is an example of which data subject right under privacy regulations?
56. An organization is using the FAIR framework to quantify risk. The analyst estimates the probable loss event frequency (LEF) as 4 per year and the probable loss magnitude (LM) as $25,000 per event. What is the annualized loss expectancy (ALE) under FAIR?
57. During a policy gap analysis, it is discovered that the organization has a policy stating that sensitive data must be encrypted, but there are no procedures for implementing encryption on mobile devices. This is an example of a gap between:
58. A security architect is designing a data classification scheme. Which TWO of the following are commonly used classification levels? (Select TWO.)
59. An organization is implementing a vendor risk management program and is reviewing a contract that includes a right-to-audit clause. Which THREE of the following are common elements that should be verified during such an audit? (Select THREE.)
60. A compliance officer is preparing for an audit and needs to collect evidence. Which TWO of the following are considered acceptable forms of audit evidence? (Select TWO.)
61. A security analyst is calculating the annualized loss expectancy (ALE) for a server that has an asset value of $50,000 and an exposure factor (EF) of 0.2. The annualized rate of occurrence (ARO) is estimated at 4. What is the ALE?
62. A company is evaluating a new cloud service provider. The provider offers a SOC 2 Type II report, a third-party penetration test summary, and a completed security questionnaire. However, the company's procurement team discovers that the provider uses a subcontractor for data storage. Which of the following is the BEST next step for the security team?
63. An organization is implementing a privacy program to comply with GDPR. Which of the following BEST describes the concept of 'privacy by design' as it applies to a new customer relationship management (CRM) system?
64. A security manager is reviewing the company's security policy hierarchy. Which of the following correctly orders these documents from highest to lowest authority?
65. A financial institution must comply with the Sarbanes-Oxley Act (SOX). Which of the following is a primary focus of SOX compliance?
66. A security team is selecting key risk indicators (KRIs) for the organization's cybersecurity program. Which of the following is an example of a KRI that provides a leading indicator of risk?
67. After a risk assessment, a company identifies that the residual risk for a critical application is higher than the risk appetite. The risk owner proposes implementing additional controls to reduce the risk further. Which risk treatment option does this represent?
68. A healthcare organization is required to comply with HIPAA. During an audit, the auditor requests evidence of access controls for electronic protected health information (ePHI). Which of the following would be the BEST evidence to provide?
69. An organization wants to implement continuous compliance monitoring for PCI DSS. Which of the following tools would be MOST effective for this purpose?
70. A company is adopting the NIST Risk Management Framework (RMF). Which step in the RMF involves selecting security controls based on the risk assessment?
71. A multinational corporation is implementing a data classification scheme. Which of the following data types should be classified as 'restricted'?
72. During a vendor risk assessment, a third-party vendor refuses to provide a SOC 2 report but offers a completed security questionnaire. The vendor handles sensitive customer data. Which of the following is the BEST course of action?
73. A security manager is implementing a policy exception management process. Which TWO of the following are essential components of an effective exception management process?
74. A compliance officer is preparing for a GDPR audit. Which THREE of the following are key data subject rights under GDPR that the organization must be able to demonstrate?
75. A security analyst is evaluating security metrics for the security program. Which TWO of the following are considered key performance indicators (KPIs) for measuring the effectiveness of a security program?
76. A security analyst is calculating the annualized loss expectancy (ALE) for a server that processes credit card data. The server has a $100,000 asset value, and the exposure factor for a security breach is 0.4. Historical data shows that such breaches occur twice per year. What is the ALE?
77. An organization is implementing a risk management framework and wants to align with a standard that emphasizes a continuous, iterative process for identifying, assessing, and responding to risk. Which framework is most appropriate?
78. A company is conducting a vendor risk assessment and receives a SOC 2 Type II report from a cloud service provider. The report covers a 12-month period and includes an opinion on the effectiveness of controls. Which of the following is the primary benefit of using this report?
79. Which of the following risk treatment options involves transferring the financial impact of a risk to a third party, such as through insurance?
80. A security manager is reviewing the organization's security policy hierarchy. Which of the following correctly orders these documents from highest to lowest level of authority?
81. An organization is implementing a privacy by design approach for a new customer-facing application. Which of the following actions best exemplifies this principle?
82. Under GDPR, which of the following is a data subject right that allows an individual to request that their personal data be erased?
83. A security analyst is reviewing metrics for the security program. Which metric best measures the effectiveness of incident response processes?
84. Which of the following is a key difference between compliance and security?
85. A company wants to ensure that a third-party vendor allows them to perform an audit of the vendor's security controls. Which clause should be included in the contract?
86. A security architect is designing a data classification scheme. Which classification level should be used for data that, if disclosed, could cause serious damage to the organization's reputation or financial standing?
87. An organization is using the FAIR model to quantify risk. Which of the following is a primary component of the FAIR taxonomy?
88. A security officer is reviewing continuous compliance monitoring tools. Which TWO of the following are primary benefits of implementing such tools? (Select TWO.)
89. A healthcare organization is implementing a vendor risk management program. Which THREE of the following should be included in the vendor risk assessment process? (Select THREE.)
90. A security analyst is defining key risk indicators (KRIs) for the security program. Which TWO of the following are examples of KRIs? (Select TWO.)
91. A security analyst calculates the annual loss expectancy (ALE) for a critical asset. The single loss expectancy (SLE) is $50,000, and the annualized rate of occurrence (ARO) is 0.2. What is the annual loss expectancy?
92. An organization is implementing a privacy program in accordance with GDPR. Which TWO of the following are data subject rights under GDPR? (Select TWO.)
93. A company is conducting a third-party risk assessment of a cloud service provider. Which TWO of the following are appropriate sources of evidence for evaluating the provider's security controls? (Select TWO.)
94. A security architect is designing a data classification scheme aligned with a new privacy regulation. Which THREE of the following are common data classification levels used in enterprise environments? (Select THREE.)
95. An organization's security team is reviewing security metrics to present to the board. Which THREE of the following are commonly used Key Performance Indicators (KPIs) for a security program? (Select THREE.)
96. During a compliance audit for PCI DSS, the auditor identifies that cardholder data is stored beyond the required retention period. The organization wants to implement proper data lifecycle management. Which THREE of the following should the organization include in its data retention policy? (Select THREE.)
97. An organization is developing a security policy hierarchy. Which TWO of the following correctly represent the typical order from highest to lowest level in a policy framework? (Select TWO.)
98. A risk manager is applying the FAIR model to quantify a risk. Which TWO of the following are primary components used in FAIR analysis? (Select TWO.)
The Governance, Risk, and Compliance domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.
The Courseiva CAS-004 question bank contains 98 questions in the Governance, Risk, and Compliance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.