Courseiva
Knowledge + Practice
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CAS-004 · Free, no signup

Governance, Risk, and Compliance

Practice CAS-004 Governance, Risk, and Compliance questions with full explanations on every answer.

98 questions

Governance, Risk, and Compliance: choose a session length of 10 questions (~10 min), 20 questions (~20 min), 30 questions (~30 min), or 50 questions (~50 min).

Free · No account required

CAS-004 domains: Scripting, Containers and Automation; Application Environment, Configuration and Security; Security Architecture; Security Engineering and Cryptography; Security Operations; Governance, Risk, and Compliance; Security Engineering.


All CAS-004 Governance, Risk, and Compliance questions (98)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security analyst is calculating the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $5,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

2

A company wants to ensure that its data handling practices align with the principle of 'privacy by design'. Which of the following actions best supports this principle?

3

A financial institution is required to comply with SOX. Which of the following is a primary focus of this regulation?

4

An organization has identified a vulnerability in a legacy system that cannot be patched. The system is critical for operations, and the cost of mitigating the vulnerability exceeds the potential loss. Which risk treatment option is most appropriate?

5

A security manager is evaluating two risk quantification approaches: Factor Analysis of Information Risk (FAIR) and a qualitative heat map. Which of the following is a key advantage of using FAIR over the qualitative heat map?

6

During a vendor risk assessment, a company receives a SOC 2 Type II report from a cloud service provider. What does this report primarily attest to?

7

An organization is implementing continuous compliance monitoring. Which of the following metrics would best indicate whether the organization is maintaining compliance with PCI DSS Requirement 10 (log management)?

8

Which of the following is the correct order of the security policy hierarchy from highest to lowest?

9

A security architect is designing a data classification scheme. Which of the following is the highest level of sensitivity that would typically require the most stringent controls?

10

An organization is reviewing its third-party risk management process. Which of the following clauses should be included in contracts with critical vendors to ensure ongoing visibility into their security posture?

11

A company is considering adopting the NIST Risk Management Framework (RMF). Which of the following steps is unique to NIST RMF compared to ISO 27005?

12

A security team is measuring the effectiveness of its incident response process. Which of the following metrics would best indicate how quickly the team can contain an incident after it is detected?

13

A small business is implementing a privacy impact assessment (PIA) for a new application that processes personal data of EU citizens. Which TWO of the following are required under GDPR?

14

A security manager is selecting key risk indicators (KRIs) for the organization's risk management program. Which THREE of the following are examples of KRIs that can provide early warning of increasing risk?

15

An organization is reviewing its supply chain risk management. Which TWO of the following are effective strategies to manage fourth-party risk?

16

A financial institution is evaluating a cloud service provider for hosting customer data. During the due diligence process, which report would best help the institution assess the provider's control environment and compliance with SOC 2?

17

An organization is implementing a data classification scheme. Which data type should be given the highest protection and is typically restricted to a very small number of individuals?

18

A security analyst calculates the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $50,000, and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

19

Which risk treatment option involves reducing the likelihood or impact of a risk through controls?

20

A healthcare organization must comply with HIPAA. Which of the following is a key requirement for protecting electronic protected health information (ePHI)?

21

Which key performance indicator (KPI) is most useful for measuring the effectiveness of an incident response process?

22

When conducting a vendor risk assessment, which contractual clause is most important for ensuring ongoing visibility into the vendor's security posture?

23

An organization is implementing a privacy program based on privacy by design. Which principle requires that privacy controls be integrated into the system's default settings?

24

A company is required to comply with PCI DSS. What is the primary purpose of conducting quarterly network vulnerability scans?

25

Which document in a security policy hierarchy provides specific step-by-step instructions for performing a task?

26

An organization discovers that a third-party vendor has a subcontractor that processes its data. The organization did not have a contract with the subcontractor. This is an example of which type of risk?

27

Using the FAIR model, which of the following best describes the factor that represents the probable frequency of a threat acting on a vulnerability?

28

A security manager is selecting metrics to present to the board. Which two of the following are key risk indicators (KRIs) that would be most relevant for executive oversight? (Choose two.)

29

An organization is developing a policy exception management process. Which three of the following are essential components of an effective exception process? (Choose three.)

30

A security analyst is prioritizing remediation of vulnerabilities. Which three of the following factors should be considered when determining the risk level of a vulnerability? (Choose three.)

31

A security analyst is performing a quantitative risk assessment for a server that processes payment card data. The server has an asset value of $50,000. Based on historical data, the exposure factor (EF) for a ransomware attack is 80%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

32

A multinational corporation that processes personal data of EU residents is required to appoint a Data Protection Officer (DPO) and implement data protection impact assessments. Which regulation primarily drives these requirements?

33

An organization is adopting the NIST Risk Management Framework (RMF). During which step would the security team select and implement security controls, and how does this map to the organization's governance structure?

34

A company's security policy requires all sensitive data to be encrypted at rest. However, a business unit requests an exception to store certain data unencrypted due to performance constraints. Which document should govern the exception process?

35

During a vendor risk assessment, a security analyst reviews a SOC 2 Type II report from a cloud provider. What is the primary value of this report?

36

A financial institution is implementing a privacy program based on GDPR principles. Which of the following best describes the concept of 'privacy by design'?

37

Which security metric measures the average time it takes to detect a security incident after it has occurred?

38

A security manager is reviewing a set of documents: an organizational security policy, a standard for encryption, a guideline for remote access, and a procedure for incident response. Which document is at the highest level in the policy hierarchy?

39

An organization has implemented a risk treatment plan that includes purchasing cyber insurance for potential data breach costs. Which risk treatment option does this represent?

40

Under the GDPR, which of the following is a data subject right?

41

A security team is evaluating the effectiveness of their patching program. Which metric would best indicate how quickly the organization applies critical patches?

42

A company is conducting a third-party risk assessment for a SaaS provider. The provider has provided a SOC 2 Type II report, penetration test results, and a completed security questionnaire. Which of these provides the most independent and comprehensive view of the provider's control environment over time?

43

A security architect is designing a data lifecycle management program. Which TWO of the following are phases of the data lifecycle? (Select TWO.)

44

A security manager is developing key risk indicators (KRIs) for the organization's cybersecurity program. Which THREE of the following are examples of KRIs? (Select THREE.)

45

A company is implementing continuous compliance monitoring for PCI DSS. Which TWO activities are most appropriate for this approach? (Select TWO.)

46

A security analyst is calculating the annualized loss expectancy (ALE) for a server that has an asset value of $100,000, an exposure factor (EF) of 0.5, and an annualized rate of occurrence (ARO) of 2. What is the ALE?

47

A company processes personal data of EU citizens and wants to implement privacy by design. Which of the following is the BEST first step in this process?

48

An organization is evaluating a third-party vendor that will have access to its customer database. The vendor provides a SOC 2 Type II report dated six months ago. Which of the following is the BEST next step?

49

An organization's security policy defines that all sensitive data must be encrypted. However, a business unit has a legacy application that cannot support encryption without a major rewrite. The risk owner decides to accept the risk. This is an example of which risk treatment strategy?

50

Which of the following is a key difference between a security guideline and a security procedure?

51

A security manager is reviewing Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for the security program. Which of the following is an example of a KRI?

52

An organization is required to comply with PCI DSS. Which of the following is a mandatory requirement for protecting cardholder data?

53

A company wants to implement continuous compliance monitoring. Which of the following approaches BEST supports this goal?

54

Which risk management framework is specifically designed for U.S. federal agencies and includes a six-step process: Categorize, Select, Implement, Assess, Authorize, and Monitor?

55

A healthcare organization subject to HIPAA must ensure that patients can access their medical records. This requirement is an example of which data subject right under privacy regulations?

56

An organization is using the FAIR framework to quantify risk. The analyst estimates the probable loss event frequency (LEF) as 4 per year and the probable loss magnitude (LM) as $25,000 per event. What is the annualized loss expectancy (ALE) under FAIR?

57

During a policy gap analysis, it is discovered that the organization has a policy stating that sensitive data must be encrypted, but there are no procedures for implementing encryption on mobile devices. This is an example of a gap between:

58

A security architect is designing a data classification scheme. Which TWO of the following are commonly used classification levels? (Select TWO.)

59

An organization is implementing a vendor risk management program and is reviewing a contract that includes a right-to-audit clause. Which THREE of the following are common elements that should be verified during such an audit? (Select THREE.)

60

A compliance officer is preparing for an audit and needs to collect evidence. Which TWO of the following are considered acceptable forms of audit evidence? (Select TWO.)

61

A security analyst is calculating the annualized loss expectancy (ALE) for a server that has an asset value of $50,000 and an exposure factor (EF) of 0.2. The annualized rate of occurrence (ARO) is estimated at 4. What is the ALE?

62

A company is evaluating a new cloud service provider. The provider offers a SOC 2 Type II report, a third-party penetration test summary, and a completed security questionnaire. However, the company's procurement team discovers that the provider uses a subcontractor for data storage. Which of the following is the BEST next step for the security team?

63

An organization is implementing a privacy program to comply with GDPR. Which of the following BEST describes the concept of 'privacy by design' as it applies to a new customer relationship management (CRM) system?

64

A security manager is reviewing the company's security policy hierarchy. Which of the following correctly orders these documents from highest to lowest authority?

65

A financial institution must comply with the Sarbanes-Oxley Act (SOX). Which of the following is a primary focus of SOX compliance?

66

A security team is selecting key risk indicators (KRIs) for the organization's cybersecurity program. Which of the following is an example of a KRI that provides a leading indicator of risk?

67

After a risk assessment, a company identifies that the residual risk for a critical application is higher than the risk appetite. The risk owner proposes implementing additional controls to reduce the risk further. Which risk treatment option does this represent?

68

A healthcare organization is required to comply with HIPAA. During an audit, the auditor requests evidence of access controls for electronic protected health information (ePHI). Which of the following would be the BEST evidence to provide?

69

An organization wants to implement continuous compliance monitoring for PCI DSS. Which of the following tools would be MOST effective for this purpose?

70

A company is adopting the NIST Risk Management Framework (RMF). Which step in the RMF involves selecting security controls based on the risk assessment?

71

A multinational corporation is implementing a data classification scheme. Which of the following data types should be classified as 'restricted'?

72

During a vendor risk assessment, a third-party vendor refuses to provide a SOC 2 report but offers a completed security questionnaire. The vendor handles sensitive customer data. Which of the following is the BEST course of action?

73

A security manager is implementing a policy exception management process. Which TWO of the following are essential components of an effective exception management process?

74

A compliance officer is preparing for a GDPR audit. Which THREE of the following are key data subject rights under GDPR that the organization must be able to demonstrate?

75

A security analyst is evaluating security metrics for the security program. Which TWO of the following are considered key performance indicators (KPIs) for measuring the effectiveness of a security program?

76

A security analyst is calculating the annualized loss expectancy (ALE) for a server that processes credit card data. The server has a $100,000 asset value, and the exposure factor for a security breach is 0.4. Historical data shows that such breaches occur twice per year. What is the ALE?

77

An organization is implementing a risk management framework and wants to align with a standard that emphasizes a continuous, iterative process for identifying, assessing, and responding to risk. Which framework is most appropriate?

78

A company is conducting a vendor risk assessment and receives a SOC 2 Type II report from a cloud service provider. The report covers a 12-month period and includes an opinion on the effectiveness of controls. Which of the following is the primary benefit of using this report?

79

Which of the following risk treatment options involves transferring the financial impact of a risk to a third party, such as through insurance?

80

A security manager is reviewing the organization's security policy hierarchy. Which of the following correctly orders these documents from highest to lowest level of authority?

81

An organization is implementing a privacy by design approach for a new customer-facing application. Which of the following actions best exemplifies this principle?

82

Under GDPR, which of the following is a data subject right that allows an individual to request that their personal data be erased?

83

A security analyst is reviewing metrics for the security program. Which metric best measures the effectiveness of incident response processes?

84

Which of the following is a key difference between compliance and security?

85

A company wants to ensure that a third-party vendor allows them to perform an audit of the vendor's security controls. Which clause should be included in the contract?

86

A security architect is designing a data classification scheme. Which classification level should be used for data that, if disclosed, could cause serious damage to the organization's reputation or financial standing?

87

An organization is using the FAIR model to quantify risk. Which of the following is a primary component of the FAIR taxonomy?

88

A security officer is reviewing continuous compliance monitoring tools. Which TWO of the following are primary benefits of implementing such tools? (Select TWO.)

89

A healthcare organization is implementing a vendor risk management program. Which THREE of the following should be included in the vendor risk assessment process? (Select THREE.)

90

A security analyst is defining key risk indicators (KRIs) for the security program. Which TWO of the following are examples of KRIs? (Select TWO.)

91

A security analyst calculates the annual loss expectancy (ALE) for a critical asset. The single loss expectancy (SLE) is $50,000, and the annualized rate of occurrence (ARO) is 0.2. What is the annual loss expectancy?

92

An organization is implementing a privacy program in accordance with GDPR. Which TWO of the following are data subject rights under GDPR? (Select TWO.)

93

A company is conducting a third-party risk assessment of a cloud service provider. Which TWO of the following are appropriate sources of evidence for evaluating the provider's security controls? (Select TWO.)

94

A security architect is designing a data classification scheme aligned with a new privacy regulation. Which THREE of the following are common data classification levels used in enterprise environments? (Select THREE.)

95

An organization's security team is reviewing security metrics to present to the board. Which THREE of the following are commonly used Key Performance Indicators (KPIs) for a security program? (Select THREE.)

96

During a compliance audit for PCI DSS, the auditor identifies that cardholder data is stored beyond the required retention period. The organization wants to implement proper data lifecycle management. Which THREE of the following should the organization include in its data retention policy? (Select THREE.)

97

An organization is developing a security policy hierarchy. Which TWO of the following correctly represent the typical order from highest to lowest level in a policy framework? (Select TWO.)

98

A risk manager is applying the FAIR model to quantify a risk. Which TWO of the following are primary components used in FAIR analysis? (Select TWO.)


Frequently asked questions

What does the Governance, Risk, and Compliance domain cover on the CAS-004 exam?

The Governance, Risk, and Compliance domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.

How many Governance, Risk, and Compliance questions are in the CAS-004 question bank?

The Courseiva CAS-004 question bank contains 98 questions in the Governance, Risk, and Compliance domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Governance, Risk, and Compliance for CAS-004?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Governance, Risk, and Compliance questions for CAS-004?

Yes — the session launcher on this page draws questions exclusively from the Governance, Risk, and Compliance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
