Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CAS-004 · Free — No Signup

Governance, Risk and Compliance

Practice CAS-004 Governance, Risk and Compliance questions with full explanations on every answer.

127 questions


Governance, Risk and Compliance — choose a session length

10 questions (~10 min) · 20 questions (~20 min) · 30 questions (~30 min) · 50 questions (~50 min)

Free · No account required

CAS-004 Domains

Scripting, Containers and Automation · Application Environment, Configuration and Security · Governance, Risk and Compliance · Security Engineering · Security Architecture · Security Operations

Practice Governance, Risk and Compliance questions


All CAS-004 Governance, Risk and Compliance questions (127)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A global financial firm must comply with GDPR and SOX. The CISO wants to consolidate controls across frameworks using a single set of controls. Which approach best addresses this requirement?

2

A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?

3

An organization wants to ensure that its third-party vendors comply with the company's security policies. Which of the following is the MOST effective method?

4

A company's data classification policy labels all financial data as 'Confidential.' An employee accidentally emails a spreadsheet containing customer payment information to an unauthorized external party. Which type of control failure occurred?

5

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

6

A multinational corporation is implementing a privacy program that must comply with both GDPR and CCPA. Which approach to privacy impact assessments (PIAs) is most appropriate?

7

An organization's risk appetite is defined as 'low' for data privacy. Which of the following risk treatments is most aligned with this appetite?

8

A security architect is designing a system that must comply with FedRAMP Moderate controls. The system will use a cloud service provider (CSP) that is already FedRAMP Authorized. What is the primary benefit of using this CSP?

9

A company's security policy requires that all remote access be conducted via VPN. An employee uses a personal device without VPN to access company email. Which type of policy violation is this?

10

An organization discovers that a vendor's data breach exposed customer PII. The contract with the vendor does not address breach notification. What is the BEST way to prevent this in the future?

11

A company's risk register shows a high-likelihood, high-impact risk related to ransomware. The cost to mitigate fully is $2M, while the expected annual loss is $500K. Which risk response is most appropriate?

12

Which TWO of the following are key components of a governance framework? (Select TWO)

13

Which THREE of the following are required for a valid Business Associate Agreement (BAA) under HIPAA? (Select THREE)

14

Which TWO of the following are examples of administrative controls? (Select TWO)

15

Which THREE of the following are common challenges when implementing a vendor risk management program? (Select THREE)

16

You are the security architect for a mid-sized e-commerce company that processes credit card payments. The company must comply with PCI DSS. Currently, the cardholder data environment (CDE) includes a web server, an application server, and a database server, all on the same flat network segment. The QSA has identified that the CDE is not properly segmented, and network access controls are insufficient. The company wants to minimize the scope of PCI compliance by reducing the number of systems that handle cardholder data. You propose implementing network segmentation to isolate the CDE. Which of the following is the most effective approach to reduce PCI scope while maintaining business functionality?

17

You are a security consultant for a law firm that handles highly confidential client data. The firm wants to implement a data loss prevention (DLP) solution to prevent sensitive data from leaving the network via email. The firm's email system is Microsoft 365. The DLP policy must comply with the firm's data classification policy, which identifies 'Legal Strategy' as top secret and 'Client Contact Info' as confidential. The firm also wants to allow attorneys to send confidential information to clients with a business justification. Which of the following DLP rule configurations best meets these requirements?

18

A multinational corporation must comply with GDPR, CCPA, and LGPD. The CISO proposes a unified data classification policy. Which approach best minimizes compliance conflicts?

19

A security engineer is reviewing firewall logs and finds multiple failed SSH attempts from an internal IP. Which control should be implemented to reduce this risk?

20

A healthtech startup is developing a mobile app that collects PHI. They plan to use a third-party cloud provider for data storage. What is the most critical compliance requirement before signing the contract?

21

An organization is evaluating risk treatment options for a critical vulnerability with a CVSS score of 9.8. The cost to remediate is $500,000, and the potential loss if exploited is estimated at $2,000,000. Which risk response is most appropriate?

22

A company's risk assessment identifies that employees often use weak passwords. Which control directly addresses this risk?

23

Which TWO of the following are key elements of a data classification policy?

24

Which THREE of the following are required components of a Business Continuity Plan (BCP) per ISO 22301?

25

An auditor reviews this IAM policy attached to a user group. What is the primary compliance concern?

26

A security analyst reviews this output from an SSH session. What security control is in place on the remote server?

27

A financial institution must ensure that its data classification policy aligns with regulatory requirements for customer financial information. Which of the following actions best demonstrates governance in this context?

28

A security analyst is reviewing the results of a vulnerability scan and identifies a critical vulnerability in a legacy application that cannot be patched because it is no longer supported by the vendor. The application is critical for business operations. Which of the following risk treatment strategies should the organization implement?

29

During a third-party risk assessment, an organization discovers that a cloud service provider (CSP) stores data in a jurisdiction with conflicting privacy laws. The organization's legal team advises that this could expose the organization to regulatory penalties. Which of the following contractual clauses would best address this compliance risk?

30

An organization is implementing a governance framework to ensure that security controls are aligned with business objectives. Which of the following frameworks is specifically designed for this purpose?

31

A multinational corporation is subject to GDPR and the California Consumer Privacy Act (CCPA). A security architect is designing a data governance solution to meet both regulations. Which TWO controls are most appropriate?

32

A regional healthcare provider with 2,000 employees recently acquired a smaller clinic that uses a legacy electronic health record (EHR) system. The provider's security team performed a risk assessment and identified that the legacy system does not support encryption at rest, lacks role-based access controls (RBAC), and stores administrative credentials in plaintext. The system is scheduled to be decommissioned in 18 months, but it must remain operational to support patient care during the transition. The provider is subject to HIPAA and state breach notification laws. The CEO wants to avoid any disruption to patient services but also minimize regulatory risk. Which of the following is the BEST course of action?

33

A global e-commerce company processes payment card data and is required to comply with PCI DSS. During a quarterly vulnerability scan, the security team discovers that a web application firewall (WAF) rule is blocking legitimate traffic, causing transaction failures. The WAF is a critical compensating control for a known vulnerability in the application that cannot be patched for 90 days. The compliance officer is concerned about maintaining PCI DSS compliance while ensuring business continuity. The security team proposes temporarily disabling the WAF to restore service while they fine-tune the rules. Which of the following is the BEST action?

34

A company is implementing a new cloud-based SaaS application and needs to ensure compliance with GDPR. The security team is tasked with updating the data protection impact assessment (DPIA). Which of the following should the team prioritize?

35

A security analyst discovers that an employee has been using a personal USB drive to transfer sensitive customer data from a workstation to a home computer. This violates the company's data handling policy. According to the company's incident response plan, which of the following is the FIRST step the analyst should take?

36

A multinational organization is adopting a zero trust architecture and needs to align its network segmentation with regulatory requirements. The compliance team has identified that certain data must be isolated to meet PCI DSS scope reduction. Which of the following design approaches BEST supports both zero trust and PCI DSS compliance?

37

A security manager is reviewing the company's vendor risk management program. Which of the following should be included as a mandatory step BEFORE entering into a contract with a new cloud service provider?

38

During a compliance audit, an organization discovers that its backup data for a critical database is stored in an unencrypted format on a tape that is kept offsite. The organization's data protection policy requires encryption of all data at rest. Which of the following is the BEST remediation action?

39

A company is merging with another organization and needs to integrate their identity management systems. The security team is concerned about maintaining least privilege and segregation of duties across the combined environment. Which of the following approaches BEST addresses these concerns?

40

A security team is developing a data classification policy. Which TWO of the following elements should be included in the policy to ensure effective data governance?

41

Drag and drop the steps to deploy a new certificate from an internal CA using Group Policy into the correct order.

42

Drag and drop the steps to perform a vulnerability scan using Nessus into the correct order.

43

Match each port number to its associated protocol.

44

Match each encryption standard or algorithm to its type.

45

A company is implementing a new vendor risk management program. Which of the following is the BEST approach to assess third-party security controls?

46

An organization needs to ensure compliance with GDPR regarding data subject access requests. What is the MOST important control to implement?

47

A security architect is designing a system for a healthcare provider that must comply with HIPAA. Which control is required for ePHI transmission?

48

A company is evaluating its disaster recovery plan. Which metric indicates the maximum acceptable downtime?

49

During a risk assessment, a residual risk is identified as high. What should be the NEXT step?

50

An organization wants to adopt a cybersecurity framework that provides a structured approach to managing cyber risks. Which framework is BEST suited?

51

A company's internal audit found that employees often share passwords. Which policy change would BEST address this?

52

A multinational corporation must comply with multiple data protection laws. What is the BEST strategy?

53

A security manager is reviewing business continuity plans. Which element is MOST critical to test regularly?

54

Which TWO are key metrics used in business continuity planning?

55

Which THREE are key elements of a security policy?

56

Which TWO are required by PCI DSS for all merchants?

57

Based on the exhibit, what vulnerability is present in the firewall rule?

58

Based on the exhibit, which security issue does this IAM policy represent?

59

Based on the exhibit, what type of attack is indicated?

60

An organization is migrating sensitive customer data to a public cloud. Which of the following actions best demonstrates due diligence for compliance with GDPR?

61

During a third-party risk assessment, a security architect discovers that a vendor's data retention policy does not align with the organization's legal requirements. Which of the following is the BEST course of action?

62

Which of the following is the PRIMARY purpose of a business continuity plan (BCP)?

63

Which TWO of the following are key components of a risk assessment methodology?

64

Which THREE of the following are required for PCI DSS compliance regarding cardholder data?

65

Refer to the exhibit. Which of the following best describes the effect of this ACL?

66

A security architect is designing a data classification scheme. Which of the following is the MOST effective way to ensure consistent labeling across the organization?

67

During an audit, a compliance officer finds that the organization has not conducted a risk assessment in over two years. Which of the following is the MOST significant risk?

68

Which TWO of the following are examples of compensating controls for a security control deficiency?

69

Refer to the exhibit. Which of the following best describes the security constraint imposed by this policy?

70

Which of the following is the BEST definition of a risk register?

71

A security analyst is reviewing a third-party assessment report and notes that the vendor's encryption algorithms are outdated. The contract requires the vendor to follow industry best practices. Which of the following is the BEST response?

72

Refer to the exhibit. This clause is a requirement of which of the following?

73

An organization wants to ensure that its supply chain vendors are compliant with its security policies. Which of the following is the MOST effective approach?

74

A security team is adopting the NIST risk management framework. Which step should they perform first?

75

A company is implementing a risk management framework to comply with PCI DSS. Which type of control is a firewall rule that blocks all inbound traffic except HTTP and HTTPS?

76

A security analyst discovers that a third-party vendor has been granted access to the company's production database for support purposes. The vendor's contract expires in two weeks. What is the BEST course of action to ensure compliance with the principle of least privilege and reduce risk?

77

An organization is evaluating its cloud service provider's security posture as part of third-party risk management. Which regulatory framework requires the organization to ensure that the provider has appropriate technical and organizational measures to protect personal data?

78

A security architect is designing a risk mitigation strategy for a critical application. Which TWO of the following are examples of risk acceptance? (Select TWO.)

79

During a business continuity planning meeting, the team identifies several critical systems. Which THREE of the following are key components of a Business Impact Analysis (BIA)? (Select THREE.)

80

An organization is creating a data classification policy. Which THREE of the following are common classification levels used in government and defense? (Select THREE.)

81

A compliance officer is reviewing logs from a web application and finds multiple failed login attempts from a single IP address. Which type of control should be implemented to reduce the risk of brute-force attacks?

82

An organization is merging with another company and needs to ensure that the combined entity's security policies are aligned. Which document type should the security team prioritize to harmonize security expectations and responsibilities?

83

A security auditor finds that a company's backup tapes are stored in the same building as the primary data center. Which risk treatment strategy does this lack represent?

84

A small business wants to achieve compliance with PCI DSS. Which approach should they take to minimize the scope of the assessment?

85

An organization is required to retain logs for seven years per regulatory requirement. Which of the following should be considered to ensure the integrity of these logs?

86

A company is implementing a risk management framework and needs to prioritize remediation of vulnerabilities based on potential impact. Which of the following is the MOST appropriate approach?

87

A financial institution is required to comply with PCI DSS. A low-severity vulnerability is found in the cardholder data environment that would cost significant downtime to patch. What is the BEST course of action?

88

An organization wants to ensure that its employees understand their responsibilities regarding data protection. Which of the following is the MOST effective way to achieve this?

89

A company is evaluating a new cloud service provider. The provider has a SOC 2 Type II report covering the previous year. Which additional assurance should the company request to verify the provider's current security controls?

90

During a risk assessment, the analyst identifies that a legacy system containing sensitive data cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk treatment strategy is MOST appropriate?

91

Which of the following is the MOST effective way to detect unauthorized changes to critical files?

92

A multinational organization is subject to GDPR and local data protection laws. A data subject from country X requests deletion of personal data, but the data is also required for a legal hold under country Y's law. What is the BEST course of action?

93

A security team discovers a misconfiguration that exposes sensitive data. The operations team wants to wait until the next maintenance window. What is the BEST course of action?

94

A company is merging with another company that has a different security posture. The CISO wants to integrate the two security programs quickly. Which of the following is the MOST critical first step?

95

A risk assessment report is being prepared for senior management. Which TWO of the following should be included to effectively communicate risk?

96

A company is implementing a vendor risk management program. Which THREE of the following should be included in the initial vendor assessment?

97

During a compliance audit, the auditor finds that several systems are missing security patches. The CISO needs to decide on a risk treatment. Which TWO of the following actions are appropriate?

98

Refer to the exhibit. The security team has been asked to remediate the vulnerability before the next PCI DSS audit. Which of the following is the MOST appropriate action?

99

Refer to the exhibit. A security analyst reviews the firewall logs and sees traffic from 192.168.1.200 to the database server 10.0.0.10 on TCP port 1433. 192.168.1.200 is not in the approved IP list for database access. What is the BEST immediate action?

100

Refer to the exhibit. The data classification policy defines levels and rules. During an audit, a database containing both PII and credit card numbers is found labeled as 'Internal'. Which of the following is the BEST first action?

101

A financial services company is implementing a risk management framework. The security team has identified that the current encryption algorithm for customer data in transit is deprecated. According to NIST SP 800-53, which of the following is the MOST appropriate step to address this finding?

102

An organization needs to demonstrate compliance with the General Data Protection Regulation (GDPR) for processing personal data of EU citizens. Which of the following is a mandatory requirement under GDPR?

103

During a compliance audit, an organization's security team discovers that sensitive data in a legacy database is stored in plaintext. The database is critical for operations and cannot be taken offline for patching until the next maintenance window in three months. Which of the following is the BEST compensating control to reduce risk immediately?

104

A healthcare provider is migrating patient records to a cloud EHR system. The security officer is concerned about data ownership and portability. Which contractual clause is MOST critical to include in the cloud service agreement?

105

A small business wants to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS). Which of the following is an essential requirement they must implement?

106

An organization's business continuity plan (BCP) includes a recovery time objective (RTO) of 4 hours for its critical ERP system. During a disaster, the system is restored in 5 hours. Which of the following is the MOST significant impact?

107

A company is evaluating a vendor that will process sensitive customer data. The vendor's SOC 2 Type II report shows that controls were in place but had several exceptions noted. Which of the following is the BEST course of action?

108

A multinational corporation must comply with both the EU's GDPR and the California Consumer Privacy Act (CCPA). Which of the following scenarios would cause a conflict between these regulations?

109

An organization is implementing a third-party risk management program. Which of the following is the FIRST step in the vendor risk assessment process?

110

Which TWO of the following are essential elements of an effective data governance framework?

111

Which THREE of the following are required by the NIST Cybersecurity Framework (CSF) for the 'Protect' function?

112

Which TWO of the following are common compliance frameworks used in the healthcare industry?

113

Refer to the exhibit. Based on the data classification policy JSON, what action is MOST consistent with the policy?

114

You are the security architect for a global manufacturing company that has recently experienced a ransomware attack. The attack originated from a third-party vendor's compromised VPN account, which had been granted privileged access to the corporate network for remote maintenance. The vendor is a critical supplier of industrial control system (ICS) components. The incident severely disrupted production for three days. Post-incident analysis reveals that the vendor's security posture was not assessed prior to granting access, and the contract did not include specific security requirements or audit rights. The company now wants to implement a vendor risk management program to prevent future incidents. Which of the following is the MOST comprehensive and effective course of action to address the root cause?

115

You are the compliance officer for a financial institution that must adhere to the Payment Card Industry Data Security Standard (PCI DSS). During a quarterly vulnerability scan, you discover that several critical vulnerabilities in the cardholder data environment (CDE) were not remediated within the required 30-day window. Additionally, the most recent penetration test report shows that a segmentation control between the CDE and the corporate network is not functioning as intended. The next PCI DSS assessment is in two months. Which of the following remediation actions should be prioritized FIRST to maintain compliance?

116

A financial institution is adopting a new vendor-managed SaaS platform for customer data processing. The CISO wants to ensure the vendor's security controls meet regulatory requirements before data is transferred. Which of the following should be completed FIRST?

117

A healthcare organization is implementing HIPAA Security Rule safeguards. Which TWO of the following are required administrative safeguards? (Choose TWO.)

118

During an incident response exercise, a company discovers that sensitive data was exfiltrated. The CIRT needs to determine the root cause and prevent recurrence. Which THREE of the following steps are part of the lessons learned process? (Choose THREE.)

119

A small business uses a single on-premises server running a custom application and a SQL database. The IT manager is concerned about data loss due to hardware failure. The company has a backup tape drive but often forgets to change tapes. The RTO is 24 hours and the RPO is 4 hours. Which of the following is the BEST improvement to meet the RPO/RTO requirements?

120

A company is developing a new mobile app that will process users' biometric data for authentication. The legal team is concerned about compliance with the GDPR's data protection by design. Which of the following is the MOST appropriate control to implement?

121

A multinational corporation is migrating its data centers to a hybrid cloud model. The security team must ensure that data sovereignty laws are respected. The company operates in the EU, US, and Asia. Which of the following is the BEST approach?

122

A security analyst at a large enterprise notices that several servers are missing critical security patches. The patch management process requires approval from the change advisory board (CAB), which meets weekly. The next meeting is in three days, but the vulnerability is being actively exploited. What should the analyst do?

123

A company that processes credit card transactions discovers that a third-party vendor with access to its network has suffered a data breach. The vendor's access was limited but included a connection to the cardholder data environment. The company must comply with PCI DSS. Which of the following is the FIRST action the company should take?

124

A security engineer is designing a new network architecture for a government agency that requires compliance with NIST SP 800-53. The network must segregate data tiers and enforce least privilege. Which of the following designs BEST meets the requirements?

125

A security analyst is performing a risk assessment for a critical application. Which TWO of the following are characteristics of a quantitative risk assessment methodology?

126

The exhibit shows results from a CIS Controls assessment. Based on the findings, which control deficiency poses the greatest risk to the organization and should be prioritized for remediation?

127

A mid-sized healthcare organization processes protected health information (PHI) and must comply with HIPAA and the GDPR for its EU patients. The organization uses a hybrid cloud environment with on-premises servers and AWS. Recently, an employee's laptop was stolen containing unencrypted PHI. The incident response team was activated. The security architect must determine the best course of action to address compliance obligations. The organization has a data classification policy, but it is not consistently enforced. A business continuity plan exists but has not been tested in two years. The CEO is concerned about reputational damage and legal liability. Which of the following should the security architect recommend FIRST?


Other CAS-004 exam domains

Scripting, Containers and Automation · Application Environment, Configuration and Security · Security Engineering · Security Architecture · Security Operations

Frequently asked questions

What does the Governance, Risk and Compliance domain cover on the CAS-004 exam?

The Governance, Risk and Compliance domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.

How many Governance, Risk and Compliance questions are in the CAS-004 question bank?

The Courseiva CAS-004 question bank contains 127 questions in the Governance, Risk and Compliance domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Governance, Risk and Compliance for CAS-004?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Governance, Risk and Compliance questions for CAS-004?

Yes — the session launcher on this page draws questions exclusively from the Governance, Risk and Compliance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
