CCNA Governance, Risk and Compliance Questions

52 of 127 questions · Page 2/2 · Governance, Risk and Compliance · Answers revealed

76
Matching · medium

Match each encryption standard or algorithm to its type.



Symmetric block cipher

Asymmetric public-key cryptosystem

Hash function (one-way)

Elliptic curve digital signature algorithm

Keyed-hash message authentication code

Why these pairings

Understanding encryption types is critical for the cryptography domain.

77
MCQ · medium

A security architect is designing a data classification scheme. Which of the following is the MOST effective way to ensure consistent labeling across the organization?

A. Implementing DLP solutions.
B. Manual labeling by data owners.
C. User training and awareness.
D. Automated classification based on data content.
Answer: D

Automated tools using content analysis ensure consistent and accurate labeling without human error.

Why this answer

Option D is correct because automated classification minimizes human error and provides uniform application of labels.

78
MCQ · hard

Based on the exhibit, which security issue does this IAM policy represent?

A. No versioning configured
B. Overly permissive resource access
C. Missing server-side encryption
D. Insufficient logging and monitoring
Answer: B

Allowing all principals (*) to get any object in the bucket is a significant security risk.

Why this answer

Option B is correct because the policy allows any principal to read all objects in the bucket, making it overly permissive. Option A is wrong because versioning is not relevant. Option C is wrong because encryption is not addressed. Option D is wrong because logging is not mentioned.

79
MCQ · easy

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

A. Identify vulnerabilities and threats
B. Identify critical business processes and their impact if disrupted
C. Determine recovery time objectives (RTOs)
D. Develop continuity strategies
Answer: B

Core purpose of BIA

Why this answer

The primary purpose of a business impact analysis (BIA) is to identify critical business processes and quantify the operational and financial impact if they were disrupted. This foundational step determines which systems and functions are essential to the organization's survival, directly informing the selection of recovery strategies and objectives. Without a BIA, continuity planning lacks a data-driven basis for prioritizing resources.

Exam trap

The trap here is that candidates confuse the BIA's role as a data-gathering and analysis phase with the subsequent planning outputs (RTOs, strategies), leading them to select a downstream deliverable instead of the primary purpose.

How to eliminate wrong answers

Option A is wrong because identifying vulnerabilities and threats is the primary purpose of a risk assessment, not a BIA; a BIA focuses on impact to business processes, not the specific threats that could cause disruption. Option C is wrong because determining recovery time objectives (RTOs) is an output derived from the BIA's impact analysis, not the primary purpose itself; the BIA provides the data (e.g., maximum tolerable downtime) that allows RTOs to be set. Option D is wrong because developing continuity strategies is a subsequent phase that uses the BIA's findings (critical processes and impact tolerances) to design recovery plans, not the BIA's core goal.

80
MCQ · hard

An organization's business continuity plan (BCP) includes a recovery time objective (RTO) of 4 hours for its critical ERP system. During a disaster, the system is restored in 5 hours. Which of the following is the MOST significant impact?

A. Unacceptable business downtime and potential contractual penalties
B. Need to reroute network traffic to the DR site
C. Higher cost for cyber insurance premiums
D. Increased recovery point objective (RPO) for the last backup
Answer: A

Missing RTO leads to unacceptable downtime and penalties.

Why this answer

Option A is correct because exceeding the RTO results in unacceptable downtime and potential revenue loss. Option B is wrong because rerouting does not fix the missed RTO. Option C is wrong because insurance may cover financial loss but does not address the operational impact. Option D is wrong because RPO affects data loss, not uptime.

81
MCQ · easy

A company is developing a new mobile app that will process users' biometric data for authentication. The legal team is concerned about compliance with the GDPR's data protection by design. Which of the following is the MOST appropriate control to implement?

A. Obtain explicit consent from users before data collection.
B. Store biometric data in hashed form on the device.
C. Implement strong encryption for data in transit and at rest.
D. Conduct a Data Protection Impact Assessment (DPIA) before development.
Answer: D

DPIA is mandated for high-risk processing and is a key part of data protection by design.

Why this answer

D is correct. A DPIA is required by GDPR for high-risk processing like biometrics. Consent is important but does not replace the DPIA.

Encryption is a technical control but the DPIA is foundational for 'by design'.

82
MCQ · medium

Refer to the exhibit. Based on the data classification policy JSON, what action is MOST consistent with the policy?

A. Block the email and notify the security team
B. Allow the email but reclassify the document as 'Internal'
C. Allow the email with an exception request
D. Encrypt the email automatically with S/MIME
Answer: A

The policy prohibits unencrypted transmission of Confidential data.

Why this answer

Option A is correct because the policy states that Confidential data must be transmitted via VPN or encrypted email; unencrypted email is not allowed, so the transmission should be blocked. Option B is wrong because the policy does not permit downgrading classification. Option C is wrong because no override clause is indicated.

Option D is wrong because unencrypted email is explicitly prohibited.

83
MCQ · hard

A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?

A. Request the provider's most recent SOC 3 report
B. Accept the risk and proceed with migration
C. Require the provider to sign a Business Associate Agreement (BAA)
D. Require the provider to encrypt all data at rest and in transit
Answer: C

Mandatory under HIPAA for covered entities

Why this answer

Option C is correct because a Business Associate Agreement is required under HIPAA to ensure the provider contractually agrees to safeguard ePHI. Option A is wrong because a SOC report without HIPAA coverage does not suffice. Option B is wrong because the risk assessment should drive decisions, not simple acceptance. Option D is wrong because encryption does not eliminate the need for contractual protections.

84
Multi-Select · easy

Which TWO are key metrics used in business continuity planning?

Select 2 answers
A. Mean Time to Repair (MTTR)
B. Recovery Time Objective (RTO)
C. Recovery Point Objective (RPO)
D. Service Level Agreement (SLA)
E. Mean Time Between Failures (MTBF)
Answers: B, C

RTO is the maximum acceptable downtime.

Why this answer

Options B and C are correct. RTO defines acceptable downtime; RPO defines acceptable data loss. MTBF, MTTR, and SLA are not specifically business continuity metrics.

85
MCQ · easy

An organization needs to ensure compliance with GDPR regarding data subject access requests. What is the MOST important control to implement?

A. Encrypt all personal data at rest and in transit
B. Minimize the collection of personal data
C. Implement a process to respond to access requests within one month
D. Appoint a Data Protection Officer (DPO)
Answer: C

GDPR mandates response to access requests within one month.

Why this answer

Option C is correct because GDPR requires responses to access requests within one month. Option A is wrong because, while encryption is important, it is not the primary control for access requests. Option B is wrong because data minimization is a principle but does not directly address access requests. Option D is wrong because a DPO is required but not specifically for access requests.

86
MCQ · medium

A company is implementing a new vendor risk management program. Which of the following is the BEST approach to assess third-party security controls?

A. Check the vendor’s financial stability
B. Use a standardized security questionnaire and conduct on-site audits
C. Rely on the vendor’s self-assessment questionnaire
D. Review only public breach reports about the vendor
Answer: B

Combining a questionnaire with on-site audits provides thorough, independent verification.

Why this answer

Option B is correct because a standardized questionnaire and on-site audits provide a comprehensive assessment of vendor security practices. Option A is wrong because financial stability does not guarantee security. Option C is wrong because relying solely on vendor self-assessments may be biased and incomplete. Option D is wrong because checking only public breaches is reactive and insufficient.

87
MCQ · medium

An organization discovers that a vendor's data breach exposed customer PII. The contract with the vendor does not address breach notification. What is the BEST way to prevent this in the future?

A. Purchase cyber insurance covering vendor breaches
B. Terminate the vendor relationship immediately
C. Add a breach notification clause in vendor contracts
D. Conduct more frequent vendor risk assessments
Answer: C

Legally obligates vendor to notify

Why this answer

Adding a breach notification clause directly addresses the contractual gap that left the organization without recourse or timely notification when the vendor suffered a data breach. This contractual remedy ensures that future incidents trigger a predefined notification process, aligning with regulatory requirements such as GDPR or HIPAA that mandate breach notification obligations for data processors. Without such a clause, the organization has no enforceable mechanism to compel the vendor to report breaches, regardless of other risk management activities.

Exam trap

CompTIA often tests the distinction between preventive controls (contractual clauses) and detective/reactive controls (assessments, insurance), leading candidates to choose 'more frequent risk assessments' because it sounds proactive, but only a contract clause creates a binding obligation.

How to eliminate wrong answers

Option A is wrong because cyber insurance covers financial losses after a breach but does not prevent the breach or ensure notification; it is a reactive financial tool, not a preventive contractual control. Option B is wrong because terminating the vendor relationship immediately does not address the root cause—lack of contractual safeguards—and may disrupt operations without guaranteeing that a replacement vendor will have better terms. Option D is wrong because conducting more frequent vendor risk assessments can identify risks but cannot enforce notification obligations; without a contractual clause, the vendor has no legal duty to report breaches discovered during or after assessments.

88
MCQ · hard

During a third-party risk assessment, an organization discovers that a cloud service provider (CSP) stores data in a jurisdiction with conflicting privacy laws. The organization's legal team advises that this could expose the organization to regulatory penalties. Which of the following contractual clauses would best address this compliance risk?

A. Insert a right-to-audit clause allowing the organization to inspect the CSP's facilities.
B. Include a Data Processing Agreement (DPA) that requires data to be stored only in approved jurisdictions.
C. Negotiate a service-level agreement (SLA) guaranteeing 99.99% uptime.
D. Require the CSP to sign a business associate agreement (BAA) under HIPAA.
Answer: B

A DPA with data residency clauses legally restricts where data can be stored, addressing the compliance risk.

Why this answer

A Data Processing Agreement (DPA) is the correct contractual mechanism to enforce data residency restrictions. By requiring the CSP to store data only in approved jurisdictions, the DPA directly addresses the compliance risk of conflicting privacy laws and potential regulatory penalties, as it legally binds the provider to specific geographic data handling requirements.

Exam trap

Cisco often tests the distinction between operational controls (audit clauses, SLAs) and legal/compliance controls (DPAs), trapping candidates who confuse visibility with enforcement or apply US-specific agreements (like BAAs) to global privacy issues.

How to eliminate wrong answers

Option A is wrong because a right-to-audit clause allows the organization to inspect the CSP's facilities and processes, but it does not proactively restrict where data is stored; it only provides visibility after the fact, not a preventive control. Option C is wrong because an SLA guaranteeing 99.99% uptime addresses availability and performance, not data residency or privacy law compliance; it is irrelevant to the jurisdictional conflict. Option D is wrong because a Business Associate Agreement (BAA) under HIPAA is specific to protected health information (PHI) in the United States and does not apply to general privacy law conflicts in other jurisdictions; it also does not restrict data storage locations.

89
Multi-Select · hard

Which THREE of the following are required for PCI DSS compliance regarding cardholder data?

Select 3 answers
A. Maintain a vulnerability management program.
B. Store cardholder data after authorization.
C. Restrict access to cardholder data by business need-to-know.
D. Encrypt transmitted cardholder data over open networks.
E. Implement multifactor authentication for all physical access to data centers.
Answers: A, C, D

Requirements 6 and 11 require a vulnerability management program to identify and remediate vulnerabilities.

Why this answer

PCI DSS requires encryption of transmissions (Req 4), access restriction (Req 7), and vulnerability management (Req 6/11). MFA for physical access is not required; data storage after authorization is limited.

90
MCQ · easy

An organization is implementing a third-party risk management program. Which of the following is the FIRST step in the vendor risk assessment process?

A. Identify the vendor and the type of data it will handle
B. Conduct an on-site audit of the vendor's facilities
C. Review the vendor's contractual security clauses
D. Determine risk treatment options
Answer: A

First step is understanding the vendor and data.

Why this answer

Option A is correct because identifying the vendor and the data it will access is foundational. Option B is wrong because on-site audits occur after the initial assessment. Option C is wrong because a contract review comes later. Option D is wrong because risk treatment follows assessment.

91
MCQ · medium

A company is evaluating a new cloud service provider. The provider has a SOC 2 Type II report covering the previous year. Which additional assurance should the company request to verify the provider's current security controls?

A. Accept the SOC 2 report as sufficient
B. Implement continuous monitoring of the provider
C. Request a penetration test report covering the current year
D. Request a third-party audit of the SOC 2 report
Answer: C

Provides current assessment of security posture.

Why this answer

A penetration test report provides current, independent validation of security controls. Option A relies on a historical report; Option B is not a standard assurance method; Option D is duplicative.

92
MCQ · medium

Refer to the exhibit. Which of the following best describes the security constraint imposed by this policy?

A. Only allows access during business hours.
B. Only allows access from a specific IAM user.
C. Only allows access to a specific S3 bucket.
D. Only allows access from a specific VPC endpoint.
Answer: D

The condition 'aws:sourceVpce' restricts the source to a specific VPC endpoint ID.

Why this answer

Option D is correct because the condition string requires the request to originate from the specified VPC endpoint, enforcing a network-level constraint.

93
Multi-Select · easy

A risk assessment report is being prepared for senior management. Which TWO of the following should be included to effectively communicate risk?

Select 2 answers
A. Remediation deadlines
B. Risk register with scores
C. Executive summary
D. Names of employees responsible
E. Detailed control configurations
Answers: B, C

Provides detailed risk information for decision-making.

Why this answer

An executive summary provides high-level findings, and a risk register details identified risks. Other options are operational details not suitable for senior management.

94
Multi-Select · hard

During an incident response exercise, a company discovers that sensitive data was exfiltrated. The CIRT needs to determine the root cause and prevent recurrence. Which THREE of the following steps are part of the lessons learned process? (Choose THREE.)

Select 3 answers
A. Conduct a full forensic analysis of affected systems.
B. Identify gaps in security controls and recommend improvements.
C. Update the incident response plan based on findings.
D. Document the timeline of events and actions taken.
E. Disable the compromised accounts immediately.
Answers: B, C, D

Identifying gaps and recommending improvements is a core lesson learned activity.

Why this answer

B, C, and D are correct. Lessons learned include updating the plan, identifying gaps, and documenting events. A is part of the investigation, not lessons learned. E is immediate containment.

95
MCQ · hard

A security analyst is reviewing a third-party assessment report and notes that the vendor's encryption algorithms are outdated. The contract requires the vendor to follow industry best practices. Which of the following is the BEST response?

A. Conduct a penetration test on the vendor's system.
B. Request the vendor to upgrade encryption algorithms to current standards.
C. Terminate the contract immediately.
D. Accept the risk because the vendor is technically compliant with the contract.
Answer: B

Directly asking the vendor to comply with the contract's best-practice clause is the most appropriate first step.

Why this answer

Option B is correct because the contract establishes the requirement, and requesting an upgrade is the proper first step to remedy the deficiency.

96
MCQ · medium

A multinational corporation must comply with GDPR, CCPA, and LGPD. The CISO proposes a unified data classification policy. Which approach best minimizes compliance conflicts?

A. Adopt a unified policy based on GDPR as the strictest regulation
B. Create a unified policy meeting the most stringent requirements of all three regulations
C. Use a single policy based on the company's country of incorporation
D. Implement separate policies for each regulation
Answer: B

A unified baseline using the most restrictive elements ensures compliance with all three.

Why this answer

Option B is correct because a unified policy that meets the most stringent requirements of GDPR, CCPA, and LGPD ensures baseline compliance across all jurisdictions without violating any regulation. This approach minimizes conflicts by harmonizing data classification rules, such as consent management and data subject rights, under the highest common denominator, which is GDPR for most provisions like explicit consent and 72-hour breach notification.

Exam trap

CompTIA often tests the misconception that adopting the strictest single regulation (GDPR) is sufficient, but the trap is that each regulation has unique requirements (e.g., CCPA’s right to opt out of sale, LGPD’s appointment of a DPO under Article 41) that must be explicitly addressed in a unified policy to avoid compliance gaps.

How to eliminate wrong answers

Option A is wrong because adopting a unified policy based solely on GDPR as the strictest regulation may not address CCPA-specific requirements, such as the right to opt out of the sale of personal information (California Civil Code §1798.120) or LGPD’s unique legal basis for processing (e.g., legitimate interest under Article 10), leading to non-compliance. Option C is wrong because using a single policy based on the company's country of incorporation ignores extraterritorial scope requirements of GDPR (Article 3), CCPA (California Consumer Privacy Act), and LGPD (Article 3), creating gaps for data subjects in other jurisdictions. Option D is wrong because implementing separate policies for each regulation increases administrative overhead, risks conflicting data handling procedures (e.g., different retention periods), and fails to provide a unified data classification framework, which the CISO specifically proposed to minimize conflicts.

97
Multi-Select · hard

Which THREE of the following are required for a valid Business Associate Agreement (BAA) under HIPAA? (Select THREE)

Select 3 answers
A. Indemnification clause for breaches
B. Permitted and required uses of PHI
C. Requirement to store data in the United States
D. Safeguards to protect PHI
E. Procedures for breach notification
Answers: B, D, E

Must be specified

Why this answer

A Business Associate Agreement (BAA) must specify the permitted and required uses of Protected Health Information (PHI) by the business associate. This is a core requirement under HIPAA §164.504(e)(2)(i) to ensure the business associate does not use or disclose PHI beyond what is authorized by the covered entity or required by law.

Exam trap

Cisco often tests the distinction between mandatory BAA elements (permitted uses, safeguards, breach notification) and optional contractual terms (indemnification, data storage location) to see if candidates confuse common business contract clauses with HIPAA regulatory requirements.

98
MCQ · easy

A small business wants to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS). Which of the following is an essential requirement they must implement?

A. Implement logging and monitoring of all access to cardholder data
B. Encrypt all cardholder data at rest
C. Conduct vulnerability scans on a monthly basis
D. Perform continuous penetration testing
Answer: A

PCI DSS Requirement 10 requires logging and monitoring.

Why this answer

Option A is correct because PCI DSS Requirement 10 mandates logging and monitoring of access to cardholder data. Option B is wrong because encryption in transit is required; encryption at rest is not required of all merchants. Option C is wrong because quarterly scans are required, not monthly.

Option D is wrong because penetration testing is required annually, not continuously.

99
Multi-Select · medium

A security architect is designing a risk mitigation strategy for a critical application. Which TWO of the following are examples of risk acceptance? (Select TWO.)

Select 2 answers
A. Outsourcing the application hosting to a third party.
B. Obtaining senior management sign-off to accept the risk without additional controls.
C. Purchasing cyber insurance to cover potential losses.
D. Formally acknowledging the residual risk after controls are implemented.
E. Implementing an intrusion prevention system to reduce the likelihood of attacks.
Answers: B, D

Management sign-off is a documented acceptance.

Why this answer

Risk acceptance involves acknowledging the risk and taking no further action, or obtaining a formal waiver. Insurance transfers risk rather than accepting it. Implementing controls reduces risk. Outsourcing transfers risk.

100
MCQ · hard

A global e-commerce company processes payment card data and is required to comply with PCI DSS. During a quarterly vulnerability scan, the security team discovers that a web application firewall (WAF) rule is blocking legitimate traffic, causing transaction failures. The WAF is a critical compensating control for a known vulnerability in the application that cannot be patched for 90 days. The compliance officer is concerned about maintaining PCI DSS compliance while ensuring business continuity. The security team proposes temporarily disabling the WAF to restore service while they fine-tune the rules. Which of the following is the BEST action?

A. Segment the affected application from the rest of the network and remove the WAF from the data path.
B. Disable the WAF immediately to restore service and document the decision as a risk acceptance.
C. Accept the risk of transaction failures and keep the WAF in place until the rules are fully tested.
D. Temporarily modify the WAF rule set to allow legitimate traffic while maintaining security, and schedule a permanent fix within 24 hours.
Answer: D

Fine-tuning rules restores service without compromising the compensating control.

Why this answer

Option D is correct because fine-tuning the WAF rules quickly is the best approach to restore service while maintaining security. Option A is wrong because relying solely on network segmentation may not provide equivalent protection. Option B is wrong because disabling the WAF would remove the compensating control and violate PCI DSS requirement 6.6. Option C is wrong because accepting risk without a compensating control is not permitted under PCI DSS.

101
MCQ · easy

An organization needs to demonstrate compliance with the General Data Protection Regulation (GDPR) for processing personal data of EU citizens. Which of the following is a mandatory requirement under GDPR?

A. Obtain explicit consent for all data processing
B. Notify supervisory authority of a breach within 24 hours
C. Implement data protection by design and default
D. Store all personal data within the EU
Answer: C

GDPR requires data protection by design and default.

Why this answer

Option C is correct because GDPR mandates that data protection must be integrated into processing activities (Data Protection by Design and Default). Option A is wrong because consent is not always required; other lawful bases exist. Option B is wrong because breach notification is within 72 hours, not 24. Option D is wrong because data localization is not a blanket requirement.

102
MCQ · medium

A financial services company is implementing a risk management framework. The security team has identified that the current encryption algorithm for customer data in transit is deprecated. According to NIST SP 800-53, which of the following is the MOST appropriate step to address this finding?

A. Implement compensating controls such as network segmentation
B. Update the encryption algorithm to a FIPS 140-2 validated one
C. Accept the risk because the algorithm is still functional
D. Transfer the risk by purchasing cyber insurance
Answer: B

Updating aligns with NIST SP 800-53 cryptographic controls.

Why this answer

Option B is correct because updating the encryption algorithm aligns with NIST SP 800-53 controls for cryptographic protection. Option A is wrong because compensating controls do not address the root cause. Option C is wrong because accepting risk without mitigation is not appropriate for a deprecated algorithm. Option D is wrong because transferring risk via cyber insurance does not fix the technical issue.

103
MCQ · medium

You are a security consultant for a law firm that handles highly confidential client data. The firm wants to implement a data loss prevention (DLP) solution to prevent sensitive data from leaving the network via email. The firm's email system is Microsoft 365. The DLP policy must comply with the firm's data classification policy, which identifies 'Legal Strategy' as top secret and 'Client Contact Info' as confidential. The firm also wants to allow attorneys to send confidential information to clients with a business justification. Which of the following DLP rule configurations best meets these requirements?

A. Encrypt all emails containing any sensitive data and allow delivery
B. Block both top secret and confidential content with no override
C. Block top secret content and allow confidential content with an audit log
D. Block top secret content and allow confidential content with an override requiring a business justification
Answer: D

Balances security and usability

Why this answer

Option D is correct because it aligns with the firm's data classification policy by blocking top-secret 'Legal Strategy' content outright, while allowing 'Client Contact Info' (confidential) to be sent with a business justification override. This balances security with operational needs, as Microsoft 365 DLP supports policy tips and override options with justification for lower-sensitivity data, ensuring compliance without disrupting attorney-client communication.

Exam trap

The trap here is that candidates often confuse 'allow with audit log' (passive monitoring) with 'allow with override requiring justification' (active enforcement), overlooking the specific business requirement for a justification workflow.

How to eliminate wrong answers

Option A is wrong because encrypting all emails containing sensitive data does not prevent data leakage; it only protects data in transit, and the firm requires blocking top-secret content, not just encrypting it. Option B is wrong because blocking both top-secret and confidential content with no override is too restrictive; it would prevent attorneys from sending confidential client contact info even with a legitimate business need, violating the requirement to allow such communication with justification. Option C is wrong because allowing confidential content with only an audit log provides no enforcement mechanism; the firm explicitly requires a business justification override for confidential data, not just passive logging.

104
Multi-Select · easy

An organization is creating a data classification policy. Which THREE of the following are common classification levels used in government and defense? (Select THREE.)

Select 3 answers
A. Top Secret
B. Private
C. Secret
D. Confidential
E. Public
Answers: A, C, D

Top Secret is a standard classification.

Why this answer

Common government classification levels are Unclassified, Confidential, Secret, and Top Secret. Private and Public are common in commercial but not standard in government classification.

105
MCQ · medium

A security analyst at a large enterprise notices that several servers have missing security patches that are critical. The patch management process requires approval from the change advisory board (CAB) which meets weekly. The next meeting is in three days, but the vulnerability is being actively exploited. What should the analyst do?

A. Implement temporary compensating controls until the CAB approves.
B. Apply the patches immediately without waiting for CAB approval.
C. Notify the system owners and leave the decision to them.
D. Document the issue and wait for the CAB meeting.
Answer: A

Compensating controls mitigate risk while following the change management process.

Why this answer

A is correct. Implementing compensating controls reduces immediate risk while awaiting formal approval. Immediate patching bypasses change control and may cause instability. Waiting is too slow. Leaving the decision to owners abdicates responsibility.

106
MCQ · medium

A security analyst is reviewing the results of a vulnerability scan and identifies a critical vulnerability in a legacy application that cannot be patched because it is no longer supported by the vendor. The application is critical for business operations. Which of the following risk treatment strategies should the organization implement?

A. Risk transfer by purchasing cyber insurance to cover potential losses.
B. Risk mitigation by applying a vendor-supplied patch.
C. Risk avoidance by decommissioning the application and migrating to a new system.
D. Risk acceptance with compensating controls such as network segmentation and strict access controls.
Answer: D

Acceptance acknowledges the residual risk, and compensating controls reduce likelihood/impact.

Why this answer

Option D is correct because when a legacy application cannot be patched due to vendor end-of-life, the organization must accept the residual risk while implementing compensating controls. Network segmentation (e.g., VLANs, ACLs) and strict access controls (e.g., least privilege, MFA) reduce the attack surface and contain potential exploitation, aligning with the risk acceptance strategy under the NIST SP 800-37 risk management framework.

Exam trap

The trap here is that candidates often confuse risk acceptance with doing nothing, but in CAS-004, risk acceptance requires documented compensating controls to reduce residual risk to an acceptable level, not simply ignoring the vulnerability.

How to eliminate wrong answers

Option A is wrong because risk transfer via cyber insurance does not reduce the likelihood or impact of a vulnerability being exploited; it only provides financial reimbursement after a breach, leaving the technical exposure unaddressed. Option B is wrong because a vendor-supplied patch is unavailable by definition (the application is no longer supported), making risk mitigation via patching impossible. Option C is wrong because risk avoidance by decommissioning the application would halt critical business operations, which is not feasible; the question explicitly states the application is critical for business operations.

107 · Multi-Select · easy

Which TWO of the following are examples of compensating controls for a security control deficiency?

Select 2 answers
A. Increasing logging and monitoring.
B. Implementing stricter access controls.
C. Accepting the risk.
D. Purchasing cyber insurance.
E. Re-architecting the network.
Answers: A, B

Enhanced monitoring can detect unauthorized activities that a deficient control might not prevent.

Why this answer

Compensating controls are alternative measures that mitigate the risk from a primary control failure; stricter access and enhanced monitoring are good examples.

108 · Multi-Select · medium

A security team is developing a data classification policy. Which TWO of the following elements should be included in the policy to ensure effective data governance?

Select 2 answers
A. Handling requirements for each classification level, including storage and transmission
B. Data retention and disposal schedules
C. Encryption algorithms to be used for data at rest
D. Data loss prevention (DLP) rules
E. Criteria for classifying data into categories such as public, internal, confidential
Answers: A, E

Specifies how data should be protected based on classification.

Why this answer

Option A is correct because a data classification policy must define handling requirements for each classification level, specifying how data should be stored, transmitted, and accessed. This ensures consistent protection controls are applied based on sensitivity, which is a core governance principle. Without these requirements, data may be mishandled, leading to compliance violations or data breaches.

Exam trap

CompTIA often tests the distinction between policy elements (what the policy should contain) and derived controls (e.g., DLP rules, encryption algorithms), leading candidates to confuse operational implementation details with foundational policy components.

109 · MCQ · medium

Based on the exhibit, what vulnerability is present in the firewall rule?

A. Overly permissive service specification
B. Source IP range is too broad
C. No logging is enabled
D. Missing application ID control
Answer: A

Allowing 'any' service gives full access to all ports and protocols.

Why this answer

Option A is correct because allowing 'any' service is overly permissive. Option B is wrong: a /24 is a specific range, not too broad. Option C is wrong: logging is not shown, but its absence is not a vulnerability in the rule itself.

Option D is wrong: application ID is not relevant to the rule.

110 · MCQ · hard

An organization is evaluating its cloud service provider's security posture as part of third-party risk management. Which regulatory framework requires the organization to ensure that the provider has appropriate technical and organizational measures to protect personal data?

A. PCI DSS
B. SOX
C. GDPR
D. HIPAA
Answer: C

GDPR requires data processors to have appropriate measures.

Why this answer

GDPR Article 28 explicitly requires data processors to implement appropriate technical and organizational measures. PCI DSS focuses on cardholder data, SOX on financial controls, and HIPAA on healthcare data.

111 · MCQ · easy

Refer to the exhibit. The security team has been asked to remediate the vulnerability before the next PCI DSS audit. Which of the following is the MOST appropriate action?

A. Move the host to a separate VLAN
B. Disable TLS 1.0 and enable TLS 1.2 only
C. Apply a compensating control such as an API gateway
D. Accept the risk because the CVSS score is below 8.0
Answer: B

Eliminates the vulnerability and achieves compliance.

Why this answer

Disabling TLS 1.0 and enabling TLS 1.2 directly addresses the vulnerability and PCI DSS requirement. Compensating controls may not satisfy the audit; accepting risk is not allowed for high severity; moving the host does not fix the issue.

112 · MCQ · medium

Refer to the exhibit. Which of the following best describes the effect of this ACL?

A. Blocks all traffic to the 10.0.0.0/24 network.
B. Blocks all traffic from the 10.0.0.0/24 network.
C. Permits all traffic to the 10.0.0.0/24 network.
D. Permits all traffic from the 10.0.0.0/24 network.
Answer: A

The entry 'deny ip any 10.0.0.0 0.0.0.255' denies traffic from any source IP to the destination network 10.0.0.0/24 (wildcard mask 0.0.0.255).

Why this answer

Option A is correct because the ACL explicitly denies all traffic destined to the 10.0.0.0/24 network.

113 · MCQ · easy

A company is implementing a risk management framework and needs to prioritize remediation of vulnerabilities based on potential impact. Which of the following is the MOST appropriate approach?

A. Focus on vulnerabilities with the highest CVSS score regardless of asset value
B. Remediate all vulnerabilities within 30 days of discovery
C. Perform a quantitative risk assessment using asset value and loss expectancy
D. Address vulnerabilities in order of ease of exploitation
Answer: C

This approach combines asset value and potential loss to prioritize risks effectively.

Why this answer

A quantitative risk assessment uses asset value and loss expectancy to prioritize risks based on impact. Option A ignores asset criticality; Option B is a blanket deadline, not prioritization; Option D considers only likelihood (ease of exploitation), not impact.

114 · MCQ · hard

During an audit, a compliance officer finds that the organization has not conducted a risk assessment in over two years. Which of the following is the MOST significant risk?

A. Inability to prioritize security investments.
B. Loss of customer trust.
C. Non-compliance with regulatory fines.
D. Increased likelihood of successful attacks.
Answer: C

Many regulations require periodic risk assessments; failure to conduct them can result in significant fines and penalties.

Why this answer

Option C is correct because regulatory fines can be substantial and are directly tied to compliance requirements, making it the most significant risk.

115 · MCQ · medium

Refer to the exhibit. This clause is a requirement of which of the following?

A. PCI DSS.
B. GDPR Article 32.
C. ISO 27001.
D. HIPAA Security Rule.
Answer: B

Article 32 of the GDPR details the security of processing, including pseudonymization, encryption, and resilience.

Why this answer

Option B is correct because the text is a direct excerpt from the GDPR, Article 32, which mandates security measures for personal data processing.

116 · Multi-Select · hard

Which TWO are required by PCI DSS for all merchants?

Select 2 answers
A. Implement network segmentation
B. Maintain a vulnerability management program
C. Store CVV codes
D. Encrypt cardholder data at rest
E. Use only tokenization
Answers: B, D

PCI DSS requirement 6 requires a vulnerability management program.

Why this answer

Options B and D are correct. PCI DSS requires encryption of cardholder data at rest (requirement 3) and a vulnerability management program (requirement 6). Tokenization is optional, CVV storage is prohibited, and network segmentation is a recommended control but not a requirement for all merchants.

117 · MCQ · easy

A small business uses a single on-premise server running a custom application and a SQL database. The IT manager is concerned about data loss due to hardware failure. The company has a backup tape drive but often forgets to change tapes. The RTO is 24 hours and RPO is 4 hours. Which of the following is the BEST improvement to meet the RPO/RTO requirements?

A. Purchase a second identical server and set up failover clustering.
B. Switch to daily differential backups and store tapes offsite.
C. Implement RAID 1 mirroring for the server's hard drives.
D. Use a cloud-based backup service with hourly incremental backups.
Answer: D

Hourly backups meet RPO of 4 hours; cloud restore can meet RTO of 24 hours.

Why this answer

D is correct. Hourly cloud backups meet the 4-hour RPO and can realistically achieve the 24-hour RTO. RAID protects against disk failure but not other hardware failures.

Daily backups cannot meet a 4-hour RPO. Failover clustering is expensive and complex for a small business.

118 · MCQ · easy

A company's internal audit found that employees often share passwords. Which policy change would BEST address this?

A. Implement multi-factor authentication
B. Increase password complexity requirements
C. Require password changes every 30 days
D. Provide security awareness training on password sharing
Answer: A

MFA provides an additional layer, making password sharing less effective for unauthorized access.

Why this answer

Option A is correct because multi-factor authentication reduces reliance on passwords alone. Option B is wrong: increasing complexity does not stop sharing. Option C is wrong: periodic changes do not prevent sharing.

Option D is wrong: training helps, but MFA is a technical control that limits what a shared password alone can do.

119 · MCQ · easy

A security manager is reviewing the company's vendor risk management program. Which of the following should be included as a mandatory step BEFORE entering into a contract with a new cloud service provider?

A. Establishing an incident response plan
B. Performing a penetration test of the vendor's infrastructure
C. Conducting a third-party security assessment
D. Requesting monthly vulnerability reports
Answer: C

Pre-contract assessment ensures vendor meets security requirements.

Why this answer

Option C is correct because a third-party security assessment is a mandatory due diligence step before entering into a contract with a new cloud service provider. This assessment evaluates the vendor's security controls, compliance posture, and risk profile against the organization's requirements, ensuring that the vendor meets minimum security standards before any data or systems are entrusted to them. Without this pre-contract assessment, the organization would be accepting unknown risks that could lead to data breaches or compliance violations.

Exam trap

The trap here is that candidates often confuse post-contract operational activities (like incident response planning or vulnerability reporting) with pre-contract due diligence, leading them to select options that are important but not mandatory before signing a contract.

How to eliminate wrong answers

Option A is wrong because establishing an incident response plan is an operational step that should occur after the contract is signed and the service is being integrated, not before entering into the contract; it is not a prerequisite for vendor selection. Option B is wrong because performing a penetration test of the vendor's infrastructure is typically not feasible or allowed before a contract is in place, as it requires legal agreements and access permissions that do not exist pre-contract; such testing is usually conducted post-contract as part of ongoing validation. Option D is wrong because requesting monthly vulnerability reports is a post-contract monitoring activity, not a pre-contract due diligence step; the vendor may not even have such reports available before the business relationship is established.

120 · MCQ · hard

A company is merging with another company that has a different security posture. The CISO wants to integrate the two security programs quickly. Which of the following is the MOST critical first step?

A. Establish a joint governance committee
B. Align security policies and standards
C. Implement the same security tools across the enterprise
D. Conduct a joint risk assessment
Answer: A

Governance provides strategic oversight for integration.

Why this answer

Establishing a joint governance committee provides oversight and direction for integration. Options B, C, and D are tactical steps that should follow governance.

121 · MCQ · easy

Based on the exhibit, what type of attack is indicated?

A. Brute-force attack
B. Man-in-the-middle
C. Denial of service
D. Replay attack
Answer: A

Multiple failed attempts then success is characteristic of brute-force.

Why this answer

Option A is correct because repeated failed logins followed by a success indicate a brute-force attack. Option B is wrong: MITM involves interception. Option C is wrong: DoS involves overwhelming resources.

Option D is wrong: replay involves capturing and retransmitting traffic.

122 · MCQ · easy

A compliance officer is reviewing logs from a web application and finds multiple failed login attempts from a single IP address. Which type of control should be implemented to reduce the risk of brute-force attacks?

A. Account lockout policy
B. Network firewall
C. Password hashing
D. Encryption of traffic
Answer: A

Account lockout limits the number of attempts, reducing brute-force risk.

Why this answer

Account lockout policies prevent brute-force attacks by locking accounts after a number of failed attempts. Encryption, firewalls, and hashing do not directly address brute-force login attempts.

123 · MCQ · easy

An organization wants to ensure that its third-party vendors comply with the company's security policies. Which of the following is the MOST effective method?

A. Include security requirements in contracts and conduct periodic audits
B. Require vendors to obtain ISO 27001 certification
C. Send annual self-assessment questionnaires
D. Perform quarterly penetration tests on vendor networks
Answer: A

Legally binding and verifiable

Why this answer

Including security requirements in contracts and conducting periodic audits is the most effective method because it creates a legally binding obligation for vendors to adhere to the organization's security policies, and audits provide direct, verifiable evidence of compliance. Unlike self-assessments or certifications, audits allow the organization to actively inspect controls, configurations, and processes, ensuring ongoing adherence rather than relying on a point-in-time assertion. This approach aligns with the NIST SP 800-53 continuous monitoring framework and is a core principle of third-party risk management (TPRM) in the CAS-004 domain.

Exam trap

Cisco often tests the misconception that a one-time certification or a technical test like a penetration test is sufficient to ensure ongoing compliance, when in reality, continuous contractual obligations and independent audits are required to enforce and verify policy adherence over time.

How to eliminate wrong answers

Option B is wrong because requiring ISO 27001 certification only proves that a vendor had a compliant Information Security Management System (ISMS) at the time of certification, but it does not guarantee ongoing compliance with the organization's specific security policies, nor does it provide a mechanism for the organization to verify current controls or address unique contractual requirements. Option C is wrong because annual self-assessment questionnaires rely on the vendor's self-reported data, which is subjective, lacks independent verification, and can easily miss critical security gaps or misconfigurations, making it unreliable for ensuring compliance. Option D is wrong because quarterly penetration tests on vendor networks only assess technical vulnerabilities at a point in time and do not evaluate the vendor's adherence to security policies, processes, or administrative controls, nor do they cover all aspects of compliance such as data handling, access management, or incident response procedures.

124 · Matching · medium

Match each port number to its associated protocol.

Concepts

RDP

SSH

HTTPS

LDAP

LDAPS

Why these pairings

These are well-known port assignments for common protocols.

125 · MCQ · medium

An organization wants to ensure that its supply chain vendors are compliant with its security policies. Which of the following is the MOST effective approach?

A. Conduct on-site audits of all vendors.
B. Include security requirements in contracts and rely on legal remedies.
C. Require vendors to complete a self-assessment questionnaire.
D. Implement a continuous monitoring program using automated tools.
Answer: D

Continuous monitoring provides ongoing visibility into vendor security and reduces manual effort.

Why this answer

Option D is correct because continuous monitoring offers real-time visibility and is scalable for a large vendor base, aligning with best practices for third-party risk management.

126 · MCQ · hard

A multinational organization is adopting a zero trust architecture and needs to align its network segmentation with regulatory requirements. The compliance team has identified that certain data must be isolated to meet PCI DSS scope reduction. Which of the following design approaches BEST supports both zero trust and PCI DSS compliance?

A. Deploying VLANs to separate cardholder data from other traffic
B. Implementing microsegmentation with software-defined networking
C. Using network access control (NAC) to enforce endpoint compliance
D. Placing all systems that process cardholder data in a DMZ
Answer: B

Microsegmentation enables fine-grained, dynamic isolation and aligns with zero trust.

Why this answer

Microsegmentation with software-defined networking (SDN) enables granular, identity-aware isolation of workloads at the virtual network layer, which directly supports zero trust's 'never trust, always verify' principle by restricting lateral movement. For PCI DSS scope reduction, microsegmentation allows the organization to create a logical, auditable boundary around cardholder data environment (CDE) assets without relying on physical network topology, thereby reducing the scope of PCI DSS compliance assessments. This approach is superior because it provides dynamic, policy-driven segmentation that can adapt to regulatory changes while maintaining strict least-privilege access.

Exam trap

CompTIA often tests the misconception that VLANs are sufficient for security segmentation, but the trap here is that VLANs lack the identity-aware, dynamic policy enforcement and east-west traffic control required by zero trust, and they do not provide the auditable, scope-reducing isolation that PCI DSS demands.

How to eliminate wrong answers

Option A is wrong because VLANs operate at Layer 2 and provide only coarse, static segmentation that can be bypassed via VLAN hopping attacks (e.g., double tagging per IEEE 802.1Q) and do not enforce identity-based access controls required by zero trust. Option C is wrong because NAC (e.g., 802.1X) focuses on pre-admission endpoint compliance and posture assessment, not on isolating workloads or reducing PCI DSS scope; it does not provide the granular east-west traffic control needed for zero trust segmentation. Option D is wrong because placing all CDE systems in a DMZ violates the principle of least privilege by exposing them to untrusted networks, increases attack surface, and does not achieve scope reduction—PCI DSS requires isolation of CDE from untrusted networks, not exposure.

127 · MCQ · hard

A security architect is designing a system that must comply with FedRAMP Moderate controls. The system will use a cloud service provider (CSP) that is already FedRAMP Authorized. What is the primary benefit of using this CSP?

A. The agency no longer needs to conduct any risk assessments
B. The CSP guarantees 100% security
C. The system automatically complies with all international regulations
D. The CSP's authorization can be reused, reducing the agency's assessment burden
Answer: D

Leverages existing authorization

Why this answer

The primary benefit of using a FedRAMP Authorized CSP is that the CSP has already undergone a rigorous third-party assessment and continuous monitoring process. This allows the agency to reuse the existing authorization (via the 'JAB' or agency Provisional Authorization), significantly reducing the time, cost, and effort required for the agency's own assessment and authorization (ATO) process. It does not eliminate the agency's responsibility for risk management or compliance with FedRAMP Moderate controls, but it leverages the CSP's proven security posture.

Exam trap

Cisco often tests the misconception that FedRAMP authorization absolves the agency of all compliance work, when in fact the agency must still perform a system-specific risk assessment and maintain its own ATO for the overall system.

How to eliminate wrong answers

Option A is wrong because the agency is still required to conduct its own risk assessments, including a system-specific risk assessment for the overall system and the CSP's inherited controls; FedRAMP authorization does not eliminate the agency's risk management responsibilities. Option B is wrong because no CSP or system can guarantee 100% security; FedRAMP authorization indicates a baseline of security controls have been implemented and assessed, but residual risk always remains. Option C is wrong because FedRAMP is a U.S. federal program and does not automatically confer compliance with international regulations such as GDPR, ISO 27001, or the EU Cloud Code of Conduct; separate assessments are needed for international frameworks.
