
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CAS-004 Governance, Risk and Compliance • Complete Question Bank

CAS-004 Governance, Risk and Compliance — All Questions With Answers

Complete CAS-004 Governance, Risk and Compliance question bank — all 0 questions with answers and detailed explanations.

127 questions · Free · No signup
Question 1 (medium, multiple choice)

A global financial firm must comply with GDPR and SOX. The CISO wants to consolidate controls across frameworks using a single set of controls. Which approach best addresses this requirement?

Question 2 (hard, multiple choice)

A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?

Question 3 (easy, multiple choice)

An organization wants to ensure that its third-party vendors comply with the company's security policies. Which of the following is the MOST effective method?

Question 4 (medium, multiple choice)

A company's data classification policy labels all financial data as 'Confidential.' An employee accidentally emails a spreadsheet containing customer payment information to an unauthorized external party. Which type of control failure occurred?

Question 5 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

Question 6 (hard, multiple choice)

A multinational corporation is implementing a privacy program that must comply with both GDPR and CCPA. Which approach to privacy impact assessments (PIAs) is most appropriate?

Question 7 (medium, multiple choice)

An organization's risk appetite is defined as 'low' for data privacy. Which of the following risk treatments is most aligned with this appetite?

Question 8 (hard, multiple choice)

A security architect is designing a system that must comply with FedRAMP Moderate controls. The system will use a cloud service provider (CSP) that is already FedRAMP Authorized. What is the primary benefit of using this CSP?

Question 9 (easy, multiple choice)

A company's security policy requires that all remote access be conducted via VPN. An employee uses a personal device without VPN to access company email. Which type of policy violation is this?

Question 10 (medium, multiple choice)

An organization discovers that a vendor's data breach exposed customer PII. The contract with the vendor does not address breach notification. What is the BEST way to prevent this in the future?

Question 11 (hard, multiple choice)

A company's risk register shows a high-likelihood, high-impact risk related to ransomware. The cost to mitigate fully is $2M, while the expected annual loss is $500K. Which risk response is most appropriate?

Question 12 (medium, multi select)

Which TWO of the following are key components of a governance framework? (Select TWO)

Question 13 (hard, multi select)

Which THREE of the following are required for a valid Business Associate Agreement (BAA) under HIPAA? (Select THREE)

Question 14 (easy, multi select)

Which TWO of the following are examples of administrative controls? (Select TWO)

Question 15 (medium, multi select)

Which THREE of the following are common challenges when implementing a vendor risk management program? (Select THREE)

Question 16 (hard, multiple choice)

You are the security architect for a mid-sized e-commerce company that processes credit card payments. The company must comply with PCI DSS. Currently, the cardholder data environment (CDE) includes a web server, an application server, and a database server, all on the same flat network segment. The QSA has identified that the CDE is not properly segmented, and network access controls are insufficient. The company wants to minimize the scope of PCI compliance by reducing the number of systems that handle cardholder data. You propose implementing network segmentation to isolate the CDE. Which of the following is the most effective approach to reduce PCI scope while maintaining business functionality?

Question 17 (medium, multiple choice)

You are a security consultant for a law firm that handles highly confidential client data. The firm wants to implement a data loss prevention (DLP) solution to prevent sensitive data from leaving the network via email. The firm's email system is Microsoft 365. The DLP policy must comply with the firm's data classification policy, which identifies 'Legal Strategy' as top secret and 'Client Contact Info' as confidential. The firm also wants to allow attorneys to send confidential information to clients with a business justification. Which of the following DLP rule configurations best meets these requirements?

Question 18 (medium, multiple choice)

A multinational corporation must comply with GDPR, CCPA, and LGPD. The CISO proposes a unified data classification policy. Which approach best minimizes compliance conflicts?

Question 19 (easy, multiple choice)

A security engineer is reviewing firewall logs and finds multiple failed SSH attempts from an internal IP. Which control should be implemented to reduce this risk?

Question 20 (hard, multiple choice)

A healthtech startup is developing a mobile app that collects PHI. They plan to use a third-party cloud provider for data storage. What is the most critical compliance requirement before signing the contract?

Question 21 (medium, multiple choice)

An organization is evaluating risk treatment options for a critical vulnerability with a CVSS score of 9.8. The cost to remediate is $500,000, and the potential loss if exploited is estimated at $2,000,000. Which risk response is most appropriate?

Question 22 (easy, multiple choice)

A company's risk assessment identifies that employees often use weak passwords. Which control directly addresses this risk?

Question 23 (medium, multi select)

Which TWO of the following are key elements of a data classification policy?

Question 24 (hard, multi select)

Which THREE of the following are required components of a Business Continuity Plan (BCP) per ISO 22301?

Question 25 (hard, multiple choice)

An auditor reviews this IAM policy attached to a user group. What is the primary compliance concern?

Exhibit

Refer to the exhibit.

```json
{
  "PolicyName": "IAM-AdminAccess",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
    ]
  }
}
```
Question 26 (medium, multiple choice)

A security analyst reviews this output from an SSH session. What security control is in place on the remote server?

Exhibit

Refer to the exhibit.
```
C:\.ssh> ssh admin@192.168.1.100
admin@192.168.1.100's password:
Permission denied, please try again.
admin@192.168.1.100's password:
Permission denied, please try again.
admin@192.168.1.100's password:
Received disconnect from 192.168.1.100 port 22:2: Too many authentication failures
Authentication failed.
```
Question 27 (easy, multiple choice)

A financial institution must ensure that its data classification policy aligns with regulatory requirements for customer financial information. Which of the following actions best demonstrates governance in this context?

Question 28 (medium, multiple choice)

A security analyst is reviewing the results of a vulnerability scan and identifies a critical vulnerability in a legacy application that cannot be patched because it is no longer supported by the vendor. The application is critical for business operations. Which of the following risk treatment strategies should the organization implement?

Question 29 (hard, multiple choice)

During a third-party risk assessment, an organization discovers that a cloud service provider (CSP) stores data in a jurisdiction with conflicting privacy laws. The organization's legal team advises that this could expose the organization to regulatory penalties. Which of the following contractual clauses would best address this compliance risk?

Question 30 (medium, multiple choice)

An organization is implementing a governance framework to ensure that security controls are aligned with business objectives. Which of the following frameworks is specifically designed for this purpose?

Question 31 (hard, multi select)

A multinational corporation is subject to GDPR and the California Consumer Privacy Act (CCPA). A security architect is designing a data governance solution to meet both regulations. Which TWO controls are most appropriate?

Question 32 (hard, multiple choice)

A regional healthcare provider with 2,000 employees recently acquired a smaller clinic that uses a legacy electronic health record (EHR) system. The provider's security team performed a risk assessment and identified that the legacy system does not support encryption at rest, lacks role-based access controls (RBAC), and stores administrative credentials in plaintext. The system is scheduled to be decommissioned in 18 months, but it must remain operational to support patient care during the transition. The provider is subject to HIPAA and state breach notification laws. The CEO wants to avoid any disruption to patient services but also minimize regulatory risk. Which of the following is the BEST course of action?

Question 33 (hard, multiple choice)

A global e-commerce company processes payment card data and is required to comply with PCI DSS. During a quarterly vulnerability scan, the security team discovers that a web application firewall (WAF) rule is blocking legitimate traffic, causing transaction failures. The WAF is a critical compensating control for a known vulnerability in the application that cannot be patched for 90 days. The compliance officer is concerned about maintaining PCI DSS compliance while ensuring business continuity. The security team proposes temporarily disabling the WAF to restore service while they fine-tune the rules. Which of the following is the BEST action?

Question 34 (easy, multiple choice)

A company is implementing a new cloud-based SaaS application and needs to ensure compliance with GDPR. The security team is tasked with updating the data protection impact assessment (DPIA). Which of the following should the team prioritize?

Question 35 (medium, multiple choice)

A security analyst discovers that an employee has been using a personal USB drive to transfer sensitive customer data from a workstation to a home computer. This violates the company's data handling policy. According to the company's incident response plan, which of the following is the FIRST step the analyst should take?

Question 36 (hard, multiple choice)

A multinational organization is adopting a zero trust architecture and needs to align its network segmentation with regulatory requirements. The compliance team has identified that certain data must be isolated to meet PCI DSS scope reduction. Which of the following design approaches BEST supports both zero trust and PCI DSS compliance?

Question 37 (easy, multiple choice)

A security manager is reviewing the company's vendor risk management program. Which of the following should be included as a mandatory step BEFORE entering into a contract with a new cloud service provider?

Question 38 (medium, multiple choice)

During a compliance audit, an organization discovers that its backup data for a critical database is stored in an unencrypted format on a tape that is kept offsite. The organization's data protection policy requires encryption of all data at rest. Which of the following is the BEST remediation action?

Question 39 (hard, multiple choice)

A company is merging with another organization and needs to integrate their identity management systems. The security team is concerned about maintaining least privilege and segregation of duties across the combined environment. Which of the following approaches BEST addresses these concerns?

Question 40 (medium, multi select)

A security team is developing a data classification policy. Which TWO of the following elements should be included in the policy to ensure effective data governance?

Question 41 (medium, drag order)

Drag and drop the steps to deploy a new certificate from an internal CA using Group Policy into the correct order.

Question 42 (medium, drag order)

Drag and drop the steps to perform a vulnerability scan using Nessus into the correct order.

Question 43 (medium, matching)

Match each port number to its associated protocol.

Concepts to match:

- RDP
- SSH
- HTTPS
- LDAP
- LDAPS

Question 44 (medium, matching)

Match each encryption standard or algorithm to its type.

Types to match:

- Symmetric block cipher
- Asymmetric public-key cryptosystem
- Hash function (one-way)
- Elliptic curve digital signature algorithm
- Keyed-hash message authentication code

Question 45 (medium, multiple choice)

A company is implementing a new vendor risk management program. Which of the following is the BEST approach to assess third-party security controls?

Question 46 (easy, multiple choice)

An organization needs to ensure compliance with GDPR regarding data subject access requests. What is the MOST important control to implement?

Question 47 (medium, multiple choice)

A security architect is designing a system for a healthcare provider that must comply with HIPAA. Which control is required for ePHI transmission?

Question 48 (easy, multiple choice)

A company is evaluating its disaster recovery plan. Which metric indicates the maximum acceptable downtime?

Question 49 (hard, multiple choice)

During a risk assessment, a residual risk is identified as high. What should be the NEXT step?

Question 50 (medium, multiple choice)

An organization wants to adopt a cybersecurity framework that provides a structured approach to managing cyber risks. Which framework is BEST suited?

Question 51 (easy, multiple choice)

A company's internal audit found that employees often share passwords. Which policy change would BEST address this?

Question 52 (hard, multiple choice)

A multinational corporation must comply with multiple data protection laws. What is the BEST strategy?

Question 53 (hard, multiple choice)

A security manager is reviewing business continuity plans. Which element is MOST critical to test regularly?

Question 54 (easy, multi select)

Which TWO are key metrics used in business continuity planning?

Question 55 (medium, multi select)

Which THREE are key elements of a security policy?

Question 56 (hard, multi select)

Which TWO are required by PCI DSS for all merchants?

Question 57 (medium, multiple choice)

Based on the exhibit, what vulnerability is present in the firewall rule?

Exhibit

Refer to the exhibit.
Firewall rule:
```
rule id 10: allow source 203.0.113.0/24 destination 10.0.1.100 service any
```
Question 58 (hard, multiple choice)

Based on the exhibit, which security issue does this IAM policy represent?

Exhibit

Refer to the exhibit.
```json
{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::mybucket/*"
}
```
Question 59 (easy, multiple choice)

Based on the exhibit, what type of attack is indicated?

Exhibit

Refer to the exhibit.
Log entries:
```
2025-02-14 09:23:45 VPN login FAILED from IP 192.0.2.10 user admin
2025-02-14 09:23:46 VPN login FAILED from IP 192.0.2.10 user admin
2025-02-14 09:23:47 VPN login FAILED from IP 192.0.2.10 user admin
2025-02-14 09:23:48 VPN login SUCCESS from IP 192.0.2.10 user admin
```
Question 60 (medium, multiple choice)

An organization is migrating sensitive customer data to a public cloud. Which of the following actions best demonstrates due diligence for compliance with GDPR?

Question 61 (hard, multiple choice)

During a third-party risk assessment, a security architect discovers that a vendor's data retention policy does not align with the organization's legal requirements. Which of the following is the BEST course of action?

Question 62 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a business continuity plan (BCP)?

Question 63 (medium, multi select)

Which TWO of the following are key components of a risk assessment methodology?

Question 64 (hard, multi select)

Which THREE of the following are required for PCI DSS compliance regarding cardholder data?

Question 65 (medium, multiple choice)

Refer to the exhibit. Which of the following best describes the effect of this ACL?

Exhibit

Refer to the exhibit.
```
access-list 101 deny ip any 10.0.0.0 0.0.0.255
```
Question 66 (medium, multiple choice)

A security architect is designing a data classification scheme. Which of the following is the MOST effective way to ensure consistent labeling across the organization?

Question 67 (hard, multiple choice)

During an audit, a compliance officer finds that the organization has not conducted a risk assessment in over two years. Which of the following is the MOST significant risk?

Question 68 (easy, multi select)

Which TWO of the following are examples of compensating controls for a security control deficiency?

Question 69 (medium, multiple choice)

Refer to the exhibit. Which of the following best describes the security constraint imposed by this policy?

Exhibit

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-123abc"
        }
      }
    }
  ]
}
```
Question 70 (easy, multiple choice)

Which of the following is the BEST definition of a risk register?

Question 71 (hard, multiple choice)

A security analyst is reviewing a third-party assessment report and notes that the vendor's encryption algorithms are outdated. The contract requires the vendor to follow industry best practices. Which of the following is the BEST response?

Question 72 (medium, multiple choice)

Refer to the exhibit. This clause is a requirement of which of the following?

Exhibit

Refer to the exhibit.
```
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
  (a) the pseudonymization and encryption of personal data;
  (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
```
Question 73 (medium, multiple choice)

An organization wants to ensure that its supply chain vendors are compliant with its security policies. Which of the following is the MOST effective approach?

Question 74 (easy, multiple choice)

A security team is adopting the NIST risk management framework. Which step should they perform first?

Question 75 (easy, multiple choice)

A company is implementing a risk management framework to comply with PCI DSS. Which type of control is a firewall rule that blocks all inbound traffic except HTTP and HTTPS?

Question 76 (medium, multiple choice)

A security analyst discovers that a third-party vendor has been granted access to the company's production database for support purposes. The vendor's contract expires in two weeks. What is the BEST course of action to ensure compliance with the principle of least privilege and reduce risk?

Question 77 (hard, multiple choice)

An organization is evaluating its cloud service provider's security posture as part of third-party risk management. Which regulatory framework requires the organization to ensure that the provider has appropriate technical and organizational measures to protect personal data?

Question 78 (medium, multi select)

A security architect is designing a risk mitigation strategy for a critical application. Which TWO of the following are examples of risk acceptance? (Select TWO.)

Question 79 (hard, multi select)

During a business continuity planning meeting, the team identifies several critical systems. Which THREE of the following are key components of a Business Impact Analysis (BIA)? (Select THREE.)

Question 80 (easy, multi select)

An organization is creating a data classification policy. Which THREE of the following are common classification levels used in government and defense? (Select THREE.)

Question 81 (easy, multiple choice)

A compliance officer is reviewing logs from a web application and finds multiple failed login attempts from a single IP address. Which type of control should be implemented to reduce the risk of brute-force attacks?

Question 82 (medium, multiple choice)

An organization is merging with another company and needs to ensure that the combined entity's security policies are aligned. Which document type should the security team prioritize to harmonize security expectations and responsibilities?

Question 83 (hard, multiple choice)

A security auditor finds that a company's backup tapes are stored in the same building as the primary data center. Which risk treatment strategy does this lack represent?

Question 84 (easy, multiple choice)

A small business wants to achieve compliance with PCI DSS. Which approach should they take to minimize the scope of the assessment?

Question 85 (medium, multiple choice)

An organization is required to retain logs for seven years per regulatory requirement. Which of the following should be considered to ensure the integrity of these logs?

Question 86 (easy, multiple choice)

A company is implementing a risk management framework and needs to prioritize remediation of vulnerabilities based on potential impact. Which of the following is the MOST appropriate approach?

Question 87 (easy, multiple choice)

A financial institution is required to comply with PCI DSS. A low-severity vulnerability is found in the cardholder data environment that would cost significant downtime to patch. What is the BEST course of action?

Question 88 (easy, multiple choice)

An organization wants to ensure that its employees understand their responsibilities regarding data protection. Which of the following is the MOST effective way to achieve this?

Question 89 (medium, multiple choice)

A company is evaluating a new cloud service provider. The provider has a SOC 2 Type II report covering the previous year. Which additional assurance should the company request to verify the provider's current security controls?

Question 90 (medium, multiple choice)

During a risk assessment, the analyst identifies that a legacy system containing sensitive data cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk treatment strategy is MOST appropriate?

Question 91 (medium, multiple choice)

Which of the following is the MOST effective way to detect unauthorized changes to critical files?

Question 92 (hard, multiple choice)

A multinational organization is subject to GDPR and local data protection laws. A data subject from country X requests deletion of personal data, but the data is also required for a legal hold under country Y's law. What is the BEST course of action?

Question 93 (hard, multiple choice)

A security team discovers a misconfiguration that exposes sensitive data. The operations team wants to wait until the next maintenance window. What is the BEST course of action?

Question 94 (hard, multiple choice)

A company is merging with another company that has a different security posture. The CISO wants to integrate the two security programs quickly. Which of the following is the MOST critical first step?

Question 95 (easy, multi select)

A risk assessment report is being prepared for senior management. Which TWO of the following should be included to effectively communicate risk?

Question 96 (medium, multi select)

A company is implementing a vendor risk management program. Which THREE of the following should be included in the initial vendor assessment?

Question 97 (hard, multi select)

During a compliance audit, the auditor finds that several systems are missing security patches. The CISO needs to decide on a risk treatment. Which TWO of the following actions are appropriate?

Question 98 (easy, multiple choice)

Refer to the exhibit. The security team has been asked to remediate the vulnerability before the next PCI DSS audit. Which of the following is the MOST appropriate action?

Exhibit

```
Vulnerability Scan Report
Host: 10.0.0.50
Port: 443
Vulnerability: TLS 1.0 enabled (CVE-2016-2183)
Severity: High
CVSS: 7.5
PCI DSS: Non-compliant (Requirement 4.1)
```
Question 99 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews the firewall logs and sees traffic from 192.168.1.200 to the database server 10.0.0.10 on TCP port 1433. 192.168.1.200 is not in the approved IP list for database access. What is the BEST immediate action?

Exhibit

[2024-01-15 02:34:12] ALLOW TCP 192.168.1.200:55432 -> 10.0.0.10:1433
[2024-01-15 02:34:18] ALLOW TCP 192.168.1.200:55433 -> 10.0.0.10:1433
[2024-01-15 02:34:25] ALLOW TCP 192.168.1.200:55434 -> 10.0.0.10:1433

Question 100 (hard, multiple choice)

Refer to the exhibit. The data classification policy defines levels and rules. During an audit, a database containing both PII and credit card numbers is found labeled as 'Internal'. Which of the following is the BEST first action?

Exhibit

{
  "dataClassification": {
    "levels": ["Public", "Internal", "Confidential", "Critical"],
    "default": "Internal",
    "rules": [
      {"dataType": "PII", "level": "Confidential"},
      {"dataType": "PCI", "level": "Critical"}
    ]
  }
}

Question 101 (medium, multiple choice)

A financial services company is implementing a risk management framework. The security team has identified that the current encryption algorithm for customer data in transit is deprecated. According to NIST SP 800-53, which of the following is the MOST appropriate step to address this finding?

Question 102 (easy, multiple choice)

An organization needs to demonstrate compliance with the General Data Protection Regulation (GDPR) for processing personal data of EU citizens. Which of the following is a mandatory requirement under GDPR?

Question 103 (hard, multiple choice)

During a compliance audit, an organization's security team discovers that sensitive data in a legacy database is stored in plaintext. The database is critical for operations and cannot be taken offline for patching until the next maintenance window in three months. Which of the following is the BEST compensating control to reduce risk immediately?

Question 104 (medium, multiple choice)

A healthcare provider is migrating patient records to a cloud EHR system. The security officer is concerned about data ownership and portability. Which contractual clause is MOST critical to include in the cloud service agreement?

Question 105 (easy, multiple choice)

A small business wants to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS). Which of the following is an essential requirement they must implement?

Question 106 (hard, multiple choice)

An organization's business continuity plan (BCP) includes a recovery time objective (RTO) of 4 hours for its critical ERP system. During a disaster, the system is restored in 5 hours. Which of the following is the MOST significant impact?

Question 107 (medium, multiple choice)

A company is evaluating a vendor that will process sensitive customer data. The vendor's SOC 2 Type II report shows that controls were in place but had several exceptions noted. Which of the following is the BEST course of action?

Question 108 (hard, multiple choice)

A multinational corporation must comply with both the EU's GDPR and the California Consumer Privacy Act (CCPA). Which of the following scenarios would cause a conflict between these regulations?

Question 109 (easy, multiple choice)

An organization is implementing a third-party risk management program. Which of the following is the FIRST step in the vendor risk assessment process?

Question 110 (medium, multi select)

Which TWO of the following are essential elements of an effective data governance framework?

Question 111 (hard, multi select)

Which THREE of the following are required by the NIST Cybersecurity Framework (CSF) for the 'Protect' function?

Question 112 (easy, multi select)

Which TWO of the following are common compliance frameworks used in the healthcare industry?

Question 113 (medium, multiple choice)

Refer to the exhibit. Based on the data classification policy JSON, what action is MOST consistent with the policy?

Exhibit

{
  "dataClassification": {
    "policyName": "Corporate Data Classification",
    "version": "2.1",
    "categories": [
      {
        "label": "Public",
        "allowedStorage": ["SharePoint Online"],
        "allowedTransmission": ["Email (unencrypted)"]
      },
      {
        "label": "Internal",
        "allowedStorage": ["SharePoint Online", "On-premises file server"],
        "allowedTransmission": ["Email with TLS", "VPN"]
      },
      {
        "label": "Confidential",
        "allowedStorage": ["On-premises encrypted database"],
        "allowedTransmission": ["VPN only", "Encrypted email"]
      },
      {
        "label": "Restricted",
        "allowedStorage": ["Air-gapped system"],
        "allowedTransmission": ["None (physical transfer only)"]
      }
    ]
  },
  "event": "User attempted to send a document classified as 'Confidential' via unencrypted email."
}

Question 114 (hard, multiple choice)

You are the security architect for a global manufacturing company that has recently experienced a ransomware attack. The attack originated from a third-party vendor's compromised VPN account, which had been granted privileged access to the corporate network for remote maintenance. The vendor is a critical supplier of industrial control system (ICS) components. The incident severely disrupted production for three days. Post-incident analysis reveals that the vendor's security posture was not assessed prior to granting access, and the contract did not include specific security requirements or audit rights. The company now wants to implement a vendor risk management program to prevent future incidents. Which of the following is the MOST comprehensive and effective course of action to address the root cause?

Question 115 (medium, multiple choice)

You are the compliance officer for a financial institution that must adhere to the Payment Card Industry Data Security Standard (PCI DSS). During a quarterly vulnerability scan, you discover that several critical vulnerabilities in the cardholder data environment (CDE) were not remediated within the required 30-day window. Additionally, the most recent penetration test report shows that a segmentation control between the CDE and the corporate network is not functioning as intended. The next PCI DSS assessment is in two months. Which of the following remediation actions should be prioritized FIRST to maintain compliance?

Question 116 (medium, multiple choice)

A financial institution is adopting a new vendor-managed SaaS platform for customer data processing. The CISO wants to ensure the vendor's security controls meet regulatory requirements before data is transferred. Which of the following should be completed FIRST?

Question 117 (easy, multi select)

A healthcare organization is implementing HIPAA Security Rule safeguards. Which TWO of the following are required administrative safeguards? (Choose TWO.)

Question 118 (hard, multi select)

During an incident response exercise, a company discovers that sensitive data was exfiltrated. The CIRT needs to determine the root cause and prevent recurrence. Which THREE of the following steps are part of the lessons learned process? (Choose THREE.)

Question 119 (easy, multiple choice)

A small business uses a single on-premises server running a custom application and a SQL database. The IT manager is concerned about data loss due to hardware failure. The company has a backup tape drive but often forgets to change tapes. The RTO is 24 hours and the RPO is 4 hours. Which of the following is the BEST improvement to meet the RPO/RTO requirements?

Question 120 (easy, multiple choice)

A company is developing a new mobile app that will process users' biometric data for authentication. The legal team is concerned about compliance with the GDPR's data protection by design. Which of the following is the MOST appropriate control to implement?

Question 121 (medium, multiple choice)

A multinational corporation is migrating its data centers to a hybrid cloud model. The security team must ensure that data sovereignty laws are respected. The company operates in the EU, US, and Asia. Which of the following is the BEST approach?

Question 122 (medium, multiple choice)

A security analyst at a large enterprise notices that several servers are missing critical security patches. The patch management process requires approval from the change advisory board (CAB), which meets weekly. The next meeting is in three days, but the vulnerability is being actively exploited. What should the analyst do?

Question 123 (hard, multiple choice)

A company that processes credit card transactions discovers that a third-party vendor with access to its network has suffered a data breach. The vendor's access was limited but included a connection to the cardholder data environment. The company must comply with PCI DSS. Which of the following is the FIRST action the company should take?

Question 124 (hard, multiple choice)

A security engineer is designing a new network architecture for a government agency that requires compliance with NIST SP 800-53. The network must segregate data tiers and enforce least privilege. Which of the following designs BEST meets the requirements?

Question 125 (medium, multi select)

A security analyst is performing a risk assessment for a critical application. Which TWO of the following are characteristics of a quantitative risk assessment methodology?

Question 126 (hard, multiple choice)

The exhibit shows results from a CIS Controls assessment. Based on the findings, which control deficiency poses the greatest risk to the organization and should be prioritized for remediation?

Exhibit

CIS Controls Assessment Results:
Control 3: Data Protection — Score: 2/5
  - Subcontrol 3.1: Inventory of sensitive data — 0/5 (Not implemented)
  - Subcontrol 3.2: Encryption of sensitive data at rest — 4/5
  - Subcontrol 3.3: Encryption of sensitive data in transit — 3/5
Control 8: Incident Response — Score: 3/5
  - Subcontrol 8.1: Incident response plan — 5/5
  - Subcontrol 8.2: Incident response testing — 1/5
Control 13: Network Monitoring and Defense — Score: 1/5
  - Subcontrol 13.1: Centralized logging — 2/5
  - Subcontrol 13.2: Intrusion detection — 0/5

Question 127 (easy, multiple choice)

A mid-sized healthcare organization processes protected health information (PHI) and must comply with HIPAA and the GDPR for its EU patients. The organization uses a hybrid cloud environment with on-premises servers and AWS. Recently, an employee's laptop was stolen containing unencrypted PHI. The incident response team was activated. The security architect must determine the best course of action to address compliance obligations. The organization has a data classification policy, but it is not consistently enforced. A business continuity plan exists but has not been tested in two years. The CEO is concerned about reputational damage and legal liability. Which of the following should the security architect recommend FIRST?
