Practice CAS-004 Governance, Risk and Compliance questions with full explanations on every answer.
1. A global financial firm must comply with GDPR and SOX. The CISO wants to consolidate controls across frameworks using a single set of controls. Which approach best addresses this requirement?
2. A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?
3. An organization wants to ensure that its third-party vendors comply with the company's security policies. Which of the following is the MOST effective method?
4. A company's data classification policy labels all financial data as 'Confidential.' An employee accidentally emails a spreadsheet containing customer payment information to an unauthorized external party. Which type of control failure occurred?
5. Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?
6. A multinational corporation is implementing a privacy program that must comply with both GDPR and CCPA. Which approach to privacy impact assessments (PIAs) is most appropriate?
7. An organization's risk appetite is defined as 'low' for data privacy. Which of the following risk treatments is most aligned with this appetite?
8. A security architect is designing a system that must comply with FedRAMP Moderate controls. The system will use a cloud service provider (CSP) that is already FedRAMP Authorized. What is the primary benefit of using this CSP?
9. A company's security policy requires that all remote access be conducted via VPN. An employee uses a personal device without VPN to access company email. Which type of policy violation is this?
10. An organization discovers that a vendor's data breach exposed customer PII. The contract with the vendor does not address breach notification. What is the BEST way to prevent this in the future?
11. A company's risk register shows a high-likelihood, high-impact risk related to ransomware. The cost to mitigate fully is $2M, while the expected annual loss is $500K. Which risk response is most appropriate?
12. Which TWO of the following are key components of a governance framework? (Select TWO)
13. Which THREE of the following are required for a valid Business Associate Agreement (BAA) under HIPAA? (Select THREE)
14. Which TWO of the following are examples of administrative controls? (Select TWO)
15. Which THREE of the following are common challenges when implementing a vendor risk management program? (Select THREE)
16. You are the security architect for a mid-sized e-commerce company that processes credit card payments. The company must comply with PCI DSS. Currently, the cardholder data environment (CDE) includes a web server, an application server, and a database server, all on the same flat network segment. The QSA has identified that the CDE is not properly segmented, and network access controls are insufficient. The company wants to minimize the scope of PCI compliance by reducing the number of systems that handle cardholder data. You propose implementing network segmentation to isolate the CDE. Which of the following is the most effective approach to reduce PCI scope while maintaining business functionality?
17. You are a security consultant for a law firm that handles highly confidential client data. The firm wants to implement a data loss prevention (DLP) solution to prevent sensitive data from leaving the network via email. The firm's email system is Microsoft 365. The DLP policy must comply with the firm's data classification policy, which identifies 'Legal Strategy' as top secret and 'Client Contact Info' as confidential. The firm also wants to allow attorneys to send confidential information to clients with a business justification. Which of the following DLP rule configurations best meets these requirements?
18. A multinational corporation must comply with GDPR, CCPA, and LGPD. The CISO proposes a unified data classification policy. Which approach best minimizes compliance conflicts?
19. A security engineer is reviewing firewall logs and finds multiple failed SSH attempts from an internal IP. Which control should be implemented to reduce this risk?
20. A healthtech startup is developing a mobile app that collects PHI. They plan to use a third-party cloud provider for data storage. What is the most critical compliance requirement before signing the contract?
21. An organization is evaluating risk treatment options for a critical vulnerability with a CVSS score of 9.8. The cost to remediate is $500,000, and the potential loss if exploited is estimated at $2,000,000. Which risk response is most appropriate?
22. A company's risk assessment identifies that employees often use weak passwords. Which control directly addresses this risk?
23. Which TWO of the following are key elements of a data classification policy?
24. Which THREE of the following are required components of a Business Continuity Plan (BCP) per ISO 22301?
25. An auditor reviews this IAM policy attached to a user group. What is the primary compliance concern?
26. A security analyst reviews this output from an SSH session. What security control is in place on the remote server?
27. A financial institution must ensure that its data classification policy aligns with regulatory requirements for customer financial information. Which of the following actions best demonstrates governance in this context?
28. A security analyst is reviewing the results of a vulnerability scan and identifies a critical vulnerability in a legacy application that cannot be patched because it is no longer supported by the vendor. The application is critical for business operations. Which of the following risk treatment strategies should the organization implement?
29. During a third-party risk assessment, an organization discovers that a cloud service provider (CSP) stores data in a jurisdiction with conflicting privacy laws. The organization's legal team advises that this could expose the organization to regulatory penalties. Which of the following contractual clauses would best address this compliance risk?
30. An organization is implementing a governance framework to ensure that security controls are aligned with business objectives. Which of the following frameworks is specifically designed for this purpose?
31. A multinational corporation is subject to GDPR and the California Consumer Privacy Act (CCPA). A security architect is designing a data governance solution to meet both regulations. Which TWO controls are most appropriate?
32. A regional healthcare provider with 2,000 employees recently acquired a smaller clinic that uses a legacy electronic health record (EHR) system. The provider's security team performed a risk assessment and identified that the legacy system does not support encryption at rest, lacks role-based access controls (RBAC), and stores administrative credentials in plaintext. The system is scheduled to be decommissioned in 18 months, but it must remain operational to support patient care during the transition. The provider is subject to HIPAA and state breach notification laws. The CEO wants to avoid any disruption to patient services but also minimize regulatory risk. Which of the following is the BEST course of action?
33. A global e-commerce company processes payment card data and is required to comply with PCI DSS. During a quarterly vulnerability scan, the security team discovers that a web application firewall (WAF) rule is blocking legitimate traffic, causing transaction failures. The WAF is a critical compensating control for a known vulnerability in the application that cannot be patched for 90 days. The compliance officer is concerned about maintaining PCI DSS compliance while ensuring business continuity. The security team proposes temporarily disabling the WAF to restore service while they fine-tune the rules. Which of the following is the BEST action?
34. A company is implementing a new cloud-based SaaS application and needs to ensure compliance with GDPR. The security team is tasked with updating the data protection impact assessment (DPIA). Which of the following should the team prioritize?
35. A security analyst discovers that an employee has been using a personal USB drive to transfer sensitive customer data from a workstation to a home computer. This violates the company's data handling policy. According to the company's incident response plan, which of the following is the FIRST step the analyst should take?
36. A multinational organization is adopting a zero trust architecture and needs to align its network segmentation with regulatory requirements. The compliance team has identified that certain data must be isolated to meet PCI DSS scope reduction. Which of the following design approaches BEST supports both zero trust and PCI DSS compliance?
37. A security manager is reviewing the company's vendor risk management program. Which of the following should be included as a mandatory step BEFORE entering into a contract with a new cloud service provider?
38. During a compliance audit, an organization discovers that its backup data for a critical database is stored in an unencrypted format on a tape that is kept offsite. The organization's data protection policy requires encryption of all data at rest. Which of the following is the BEST remediation action?
39. A company is merging with another organization and needs to integrate their identity management systems. The security team is concerned about maintaining least privilege and segregation of duties across the combined environment. Which of the following approaches BEST addresses these concerns?
40. A security team is developing a data classification policy. Which TWO of the following elements should be included in the policy to ensure effective data governance?
41. Drag and drop the steps to deploy a new certificate from an internal CA using Group Policy into the correct order.
42. Drag and drop the steps to perform a vulnerability scan using Nessus into the correct order.
43. Match each port number to its associated protocol.
44. Match each encryption standard or algorithm to its type.
45. A company is implementing a new vendor risk management program. Which of the following is the BEST approach to assess third-party security controls?
46. An organization needs to ensure compliance with GDPR regarding data subject access requests. What is the MOST important control to implement?
47. A security architect is designing a system for a healthcare provider that must comply with HIPAA. Which control is required for ePHI transmission?
48. A company is evaluating its disaster recovery plan. Which metric indicates the maximum acceptable downtime?
49. During a risk assessment, a residual risk is identified as high. What should be the NEXT step?
50. An organization wants to adopt a cybersecurity framework that provides a structured approach to managing cyber risks. Which framework is BEST suited?
51. A company's internal audit found that employees often share passwords. Which policy change would BEST address this?
52. A multinational corporation must comply with multiple data protection laws. What is the BEST strategy?
53. A security manager is reviewing business continuity plans. Which element is MOST critical to test regularly?
54. Which TWO are key metrics used in business continuity planning?
55. Which THREE are key elements of a security policy?
56. Which TWO are required by PCI DSS for all merchants?
57. Based on the exhibit, what vulnerability is present in the firewall rule?
58. Based on the exhibit, which security issue does this IAM policy represent?
59. Based on the exhibit, what type of attack is indicated?
60. An organization is migrating sensitive customer data to a public cloud. Which of the following actions best demonstrates due diligence for compliance with GDPR?
61. During a third-party risk assessment, a security architect discovers that a vendor's data retention policy does not align with the organization's legal requirements. Which of the following is the BEST course of action?
62. Which of the following is the PRIMARY purpose of a business continuity plan (BCP)?
63. Which TWO of the following are key components of a risk assessment methodology?
64. Which THREE of the following are required for PCI DSS compliance regarding cardholder data?
65. Refer to the exhibit. Which of the following best describes the effect of this ACL?
66. A security architect is designing a data classification scheme. Which of the following is the MOST effective way to ensure consistent labeling across the organization?
67. During an audit, a compliance officer finds that the organization has not conducted a risk assessment in over two years. Which of the following is the MOST significant risk?
68. Which TWO of the following are examples of compensating controls for a security control deficiency?
69. Refer to the exhibit. Which of the following best describes the security constraint imposed by this policy?
70. Which of the following is the BEST definition of a risk register?
71. A security analyst is reviewing a third-party assessment report and notes that the vendor's encryption algorithms are outdated. The contract requires the vendor to follow industry best practices. Which of the following is the BEST response?
72. Refer to the exhibit. This clause is a requirement of which of the following?
73. An organization wants to ensure that its supply chain vendors are compliant with its security policies. Which of the following is the MOST effective approach?
74. A security team is adopting the NIST risk management framework. Which step should they perform first?
75. A company is implementing a risk management framework to comply with PCI DSS. Which type of control is a firewall rule that blocks all inbound traffic except HTTP and HTTPS?
76. A security analyst discovers that a third-party vendor has been granted access to the company's production database for support purposes. The vendor's contract expires in two weeks. What is the BEST course of action to ensure compliance with the principle of least privilege and reduce risk?
77. An organization is evaluating its cloud service provider's security posture as part of third-party risk management. Which regulatory framework requires the organization to ensure that the provider has appropriate technical and organizational measures to protect personal data?
78. A security architect is designing a risk mitigation strategy for a critical application. Which TWO of the following are examples of risk acceptance? (Select TWO.)
79. During a business continuity planning meeting, the team identifies several critical systems. Which THREE of the following are key components of a Business Impact Analysis (BIA)? (Select THREE.)
80. An organization is creating a data classification policy. Which THREE of the following are common classification levels used in government and defense? (Select THREE.)
81. A compliance officer is reviewing logs from a web application and finds multiple failed login attempts from a single IP address. Which type of control should be implemented to reduce the risk of brute-force attacks?
82. An organization is merging with another company and needs to ensure that the combined entity's security policies are aligned. Which document type should the security team prioritize to harmonize security expectations and responsibilities?
83. A security auditor finds that a company's backup tapes are stored in the same building as the primary data center. Which risk treatment strategy does this lack of offsite storage represent?
84. A small business wants to achieve compliance with PCI DSS. Which approach should they take to minimize the scope of the assessment?
85. An organization is required to retain logs for seven years per regulatory requirement. Which of the following should be considered to ensure the integrity of these logs?
86. A company is implementing a risk management framework and needs to prioritize remediation of vulnerabilities based on potential impact. Which of the following is the MOST appropriate approach?
87. A financial institution is required to comply with PCI DSS. A low-severity vulnerability is found in the cardholder data environment that would cost significant downtime to patch. What is the BEST course of action?
88. An organization wants to ensure that its employees understand their responsibilities regarding data protection. Which of the following is the MOST effective way to achieve this?
89. A company is evaluating a new cloud service provider. The provider has a SOC 2 Type II report covering the previous year. Which additional assurance should the company request to verify the provider's current security controls?
90. During a risk assessment, the analyst identifies that a legacy system containing sensitive data cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk treatment strategy is MOST appropriate?
91. Which of the following is the MOST effective way to detect unauthorized changes to critical files?
92. A multinational organization is subject to GDPR and local data protection laws. A data subject from country X requests deletion of personal data, but the data is also required for a legal hold under country Y's law. What is the BEST course of action?
93. A security team discovers a misconfiguration that exposes sensitive data. The operations team wants to wait until the next maintenance window. What is the BEST course of action?
94. A company is merging with another company that has a different security posture. The CISO wants to integrate the two security programs quickly. Which of the following is the MOST critical first step?
95. A risk assessment report is being prepared for senior management. Which TWO of the following should be included to effectively communicate risk?
96. A company is implementing a vendor risk management program. Which THREE of the following should be included in the initial vendor assessment?
97. During a compliance audit, the auditor finds that several systems are missing security patches. The CISO needs to decide on a risk treatment. Which TWO of the following actions are appropriate?
98. Refer to the exhibit. The security team has been asked to remediate the vulnerability before the next PCI DSS audit. Which of the following is the MOST appropriate action?
99. Refer to the exhibit. A security analyst reviews the firewall logs and sees traffic from 192.168.1.200 to the database server 10.0.0.10 on TCP port 1433. 192.168.1.200 is not in the approved IP list for database access. What is the BEST immediate action?
100. Refer to the exhibit. The data classification policy defines levels and rules. During an audit, a database containing both PII and credit card numbers is found labeled as 'Internal'. Which of the following is the BEST first action?
101. A financial services company is implementing a risk management framework. The security team has identified that the current encryption algorithm for customer data in transit is deprecated. According to NIST SP 800-53, which of the following is the MOST appropriate step to address this finding?
102. An organization needs to demonstrate compliance with the General Data Protection Regulation (GDPR) for processing personal data of EU citizens. Which of the following is a mandatory requirement under GDPR?
103. During a compliance audit, an organization's security team discovers that sensitive data in a legacy database is stored in plaintext. The database is critical for operations and cannot be taken offline for patching until the next maintenance window in three months. Which of the following is the BEST compensating control to reduce risk immediately?
104. A healthcare provider is migrating patient records to a cloud EHR system. The security officer is concerned about data ownership and portability. Which contractual clause is MOST critical to include in the cloud service agreement?
105. A small business wants to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS). Which of the following is an essential requirement they must implement?
106. An organization's business continuity plan (BCP) includes a recovery time objective (RTO) of 4 hours for its critical ERP system. During a disaster, the system is restored in 5 hours. Which of the following is the MOST significant impact?
107. A company is evaluating a vendor that will process sensitive customer data. The vendor's SOC 2 Type II report shows that controls were in place but had several exceptions noted. Which of the following is the BEST course of action?
108. A multinational corporation must comply with both the EU's GDPR and the California Consumer Privacy Act (CCPA). Which of the following scenarios would cause a conflict between these regulations?
109. An organization is implementing a third-party risk management program. Which of the following is the FIRST step in the vendor risk assessment process?
110. Which TWO of the following are essential elements of an effective data governance framework?
111. Which THREE of the following are required by the NIST Cybersecurity Framework (CSF) for the 'Protect' function?
112. Which TWO of the following are common compliance frameworks used in the healthcare industry?
113. Refer to the exhibit. Based on the data classification policy JSON, what action is MOST consistent with the policy?
114. You are the security architect for a global manufacturing company that has recently experienced a ransomware attack. The attack originated from a third-party vendor's compromised VPN account, which had been granted privileged access to the corporate network for remote maintenance. The vendor is a critical supplier of industrial control system (ICS) components. The incident severely disrupted production for three days. Post-incident analysis reveals that the vendor's security posture was not assessed prior to granting access, and the contract did not include specific security requirements or audit rights. The company now wants to implement a vendor risk management program to prevent future incidents. Which of the following is the MOST comprehensive and effective course of action to address the root cause?
115. You are the compliance officer for a financial institution that must adhere to the Payment Card Industry Data Security Standard (PCI DSS). During a quarterly vulnerability scan, you discover that several critical vulnerabilities in the cardholder data environment (CDE) were not remediated within the required 30-day window. Additionally, the most recent penetration test report shows that a segmentation control between the CDE and the corporate network is not functioning as intended. The next PCI DSS assessment is in two months. Which of the following remediation actions should be prioritized FIRST to maintain compliance?
116. A financial institution is adopting a new vendor-managed SaaS platform for customer data processing. The CISO wants to ensure the vendor's security controls meet regulatory requirements before data is transferred. Which of the following should be completed FIRST?
117. A healthcare organization is implementing HIPAA Security Rule safeguards. Which TWO of the following are required administrative safeguards? (Choose TWO.)
118. During an incident response exercise, a company discovers that sensitive data was exfiltrated. The CIRT needs to determine the root cause and prevent recurrence. Which THREE of the following steps are part of the lessons learned process? (Choose THREE.)
119. A small business uses a single on-premise server running a custom application and a SQL database. The IT manager is concerned about data loss due to hardware failure. The company has a backup tape drive but often forgets to change tapes. The RTO is 24 hours and RPO is 4 hours. Which of the following is the BEST improvement to meet the RPO/RTO requirements?
120. A company is developing a new mobile app that will process users' biometric data for authentication. The legal team is concerned about compliance with the GDPR's data protection by design. Which of the following is the MOST appropriate control to implement?
121. A multinational corporation is migrating its data centers to a hybrid cloud model. The security team must ensure that data sovereignty laws are respected. The company operates in the EU, US, and Asia. Which of the following is the BEST approach?
122. A security analyst at a large enterprise notices that several servers have missing security patches that are critical. The patch management process requires approval from the change advisory board (CAB), which meets weekly. The next meeting is in three days, but the vulnerability is being actively exploited. What should the analyst do?
123. A company that processes credit card transactions discovers that a third-party vendor with access to its network has suffered a data breach. The vendor's access was limited but included a connection to the cardholder data environment. The company must comply with PCI DSS. Which of the following is the FIRST action the company should take?
124. A security engineer is designing a new network architecture for a government agency that requires compliance with NIST SP 800-53. The network must segregate data tiers and enforce least privilege. Which of the following designs BEST meets the requirements?
125. A security analyst is performing a risk assessment for a critical application. Which TWO of the following are characteristics of a quantitative risk assessment methodology?
126. The exhibit shows results from a CIS Controls assessment. Based on the findings, which control deficiency poses the greatest risk to the organization and should be prioritized for remediation?
127. A mid-sized healthcare organization processes protected health information (PHI) and must comply with HIPAA and the GDPR for its EU patients. The organization uses a hybrid cloud environment with on-premises servers and AWS. Recently, an employee's laptop was stolen containing unencrypted PHI. The incident response team was activated. The security architect must determine the best course of action to address compliance obligations. The organization has a data classification policy, but it is not consistently enforced. A business continuity plan exists but has not been tested in two years. The CEO is concerned about reputational damage and legal liability. Which of the following should the security architect recommend FIRST?
The Governance, Risk and Compliance domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.
The Courseiva CAS-004 question bank contains 127 questions in the Governance, Risk and Compliance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.