CCNA Casp Grc Questions

75 of 98 questions · Page 1/2 · Casp Grc topic · Answers revealed

1
MCQ · medium

A security manager is reviewing a set of documents: an organizational security policy, a standard for encryption, a guideline for remote access, and a procedure for incident response. Which document is at the highest level in the policy hierarchy?

A. Remote access guideline
B. Encryption standard
C. Organizational security policy
D. Incident response procedure

Answer: C

Policy is the top-level document.

Why this answer

In the policy hierarchy, policy is the highest-level document, setting overarching direction. Standards, guidelines, and procedures are subordinate.

2
MCQ · easy

Which risk treatment option involves reducing the likelihood or impact of a risk through controls?

A. Mitigate
B. Avoid
C. Accept
D. Transfer

Answer: A

Mitigation applies controls to reduce risk.

Why this answer

Mitigate (or reduce) involves implementing controls to lower risk to an acceptable level.

3
MCQ · easy

Which security metric measures the average time it takes to detect a security incident after it has occurred?

A. Mean Time to Detect (MTTD)
B. Mean Time Between Failures (MTBF)
C. Mean Time to Respond (MTTR)
D. Mean Time to Recover (MTTR)

Answer: A

MTTD is the correct metric.

Why this answer

Mean Time to Detect (MTTD) is a key metric for incident detection efficiency.

4
Multi-Select · medium

A security architect is designing a data classification scheme. Which TWO of the following are commonly used classification levels? (Select TWO.)

Select 2 answers
A. Unclassified
B. Confidential
C. For Official Use Only
D. Public
E. Top Secret

Answers: B, D

Confidential is a common corporate classification for sensitive data.

Why this answer

Common data classification levels include Public (no harm if disclosed), Internal (limited internal use), Confidential (sensitive, limited access), and Restricted (highly sensitive).

5
MCQ · medium

An organization is evaluating a third-party vendor that will have access to its customer database. The vendor provides a SOC 2 Type II report dated six months ago. Which of the following is the BEST next step?

A. Conduct a vendor risk assessment using a security questionnaire
B. Accept the SOC 2 report as sufficient evidence
C. Perform an on-site audit of the vendor
D. Request a new penetration test report from the vendor

Answer: A

A current questionnaire helps identify changes since the SOC 2 report.

Why this answer

A SOC 2 Type II report shows the effectiveness of controls over a period, but it is dated. The organization should supplement it with a current security questionnaire to assess changes and current posture.

6
Multi-Select · medium

A company is implementing continuous compliance monitoring for PCI DSS. Which TWO activities are most appropriate for this approach? (Select TWO.)

Select 2 answers
A. Manual review of access logs every month
B. Automated daily file integrity monitoring on critical systems
C. Annual on-site audit by a Qualified Security Assessor (QSA)
D. Automated quarterly vulnerability scanning of the cardholder data environment
E. Real-time monitoring of firewall and intrusion detection system logs

Answers: B, E

Daily automated checks are continuous.

Why this answer

Continuous compliance monitoring involves automated, ongoing checks. Automated scanning of cardholder data environments and real-time monitoring of firewall logs are continuous activities. Annual audits and manual reviews are periodic.

7
MCQ · easy

Which of the following risk treatment options involves transferring the financial impact of a risk to a third party, such as through insurance?

A. Avoid
B. Accept
C. Transfer
D. Mitigate

Answer: C

Correct. Risk transfer passes the risk to a third party, e.g., via insurance.

Why this answer

Risk transfer shifts the financial burden to another party, e.g., purchasing cyber insurance.

8
MCQ · easy

A multinational corporation that processes personal data of EU residents is required to appoint a Data Protection Officer (DPO) and implement data protection impact assessments. Which regulation primarily drives these requirements?

A. PCI DSS
B. SOX
C. GDPR
D. HIPAA

Answer: C

The GDPR is the EU regulation requiring DPOs and DPIAs.

Why this answer

The GDPR mandates DPO appointment for certain organizations and requires Data Protection Impact Assessments (DPIAs) for high-risk processing activities.

9
MCQ · easy

A company wants to ensure that a third-party vendor allows them to perform an audit of the vendor's security controls. Which clause should be included in the contract?

A. Indemnification clause
B. Right-to-audit clause
C. Non-disclosure agreement (NDA)
D. Service level agreement (SLA)

Answer: B

Correct. This clause allows the customer to audit the vendor's controls.

Why this answer

A right-to-audit clause grants the customer the ability to audit the vendor's security controls.

10
MCQ · medium

An organization is implementing a data classification scheme. Which data type should be given the highest protection and is typically restricted to a very small number of individuals?

A. Restricted
B. Confidential
C. Internal
D. Public

Answer: A

Restricted data is the most sensitive and requires highest protection.

Why this answer

Restricted data is the highest classification, reserved for data that could cause severe damage if disclosed, such as trade secrets or PII, and access is tightly controlled.

11
MCQ · hard

A company is conducting a vendor risk assessment and receives a SOC 2 Type II report from a cloud service provider. The report covers a 12-month period and includes an opinion on the effectiveness of controls. Which of the following is the primary benefit of using this report?

A. It guarantees the vendor is compliant with all regulations
B. It offers an independent assessment of control effectiveness over time
C. It eliminates the need for a right-to-audit clause
D. It provides real-time monitoring data from the vendor

Answer: B

Correct. SOC 2 Type II provides an independent opinion on controls over a period.

Why this answer

SOC 2 Type II reports provide an independent auditor's opinion on the effectiveness of controls over a period, which helps the company assess the vendor's security posture without conducting its own audit.

12
MCQ · medium

When conducting a vendor risk assessment, which contractual clause is most important for ensuring ongoing visibility into the vendor's security posture?

A. Indemnification clause
B. Right-to-audit clause
C. Non-disclosure agreement (NDA)
D. Service level agreement (SLA)

Answer: B

This clause enables periodic audits of the vendor's security controls.

Why this answer

A right-to-audit clause allows the organization to perform or request audits of the vendor's controls, providing ongoing assurance.

13
MCQ · medium

A security architect is designing a data classification scheme. Which of the following is the highest level of sensitivity that would typically require the most stringent controls?

A. Restricted
B. Public
C. Internal
D. Confidential

Answer: A

Correct: Restricted data is the highest classification and requires the most controls.

Why this answer

Restricted data is the most sensitive and requires the highest level of protection.

14
MCQ · medium

A security analyst is reviewing metrics for the security program. Which metric best measures the effectiveness of incident response processes?

A. Mean time to detect (MTTD)
B. Patch compliance percentage
C. Mean time to respond (MTTR)
D. Number of vulnerabilities by severity

Answer: C

Correct. MTTR measures how quickly incidents are resolved.

Why this answer

Mean time to respond (MTTR) measures the average time taken to remediate an incident, indicating response efficiency.

15
MCQ · easy

A company wants to ensure that its data handling practices align with the principle of 'privacy by design'. Which of the following actions best supports this principle?

A. Incorporating privacy controls during the initial system architecture
B. Encrypting data at rest only
C. Performing an annual privacy audit
D. Providing privacy training to employees

Answer: A

Correct: Privacy by design requires proactive embedding of privacy in design.

Why this answer

Privacy by design integrates privacy into the system design from the start, not as an afterthought.

16
Multi-Select · easy

A security analyst is defining key risk indicators (KRIs) for the security program. Which TWO of the following are examples of KRIs? (Select TWO.)

Select 2 answers
A. Percentage of employees who completed security awareness training
B. Time to patch critical systems
C. Budget spent on security tools
D. Number of unpatched critical vulnerabilities
E. Number of security incidents reported in the last quarter

Answers: D, E

Correct. High numbers indicate increased risk.

Why this answer

KRIs are metrics that indicate risk levels. Number of unpatched critical vulnerabilities and number of security incidents are direct risk indicators.

17
MCQ · easy

A security analyst is calculating the annualized loss expectancy (ALE) for a server that has an asset value of $50,000 and an exposure factor (EF) of 0.2. The annualized rate of occurrence (ARO) is estimated at 4. What is the ALE?

A. $10,000
B. $40,000
C. $50,000
D. $200,000

Answer: B

Correct calculation: $50,000 × 0.2 × 4 = $40,000.

Why this answer

ALE = SLE × ARO; SLE = AV × EF = $50,000 × 0.2 = $10,000; ALE = $10,000 × 4 = $40,000.

18
MCQ · easy

Under the GDPR, which of the following is a data subject right?

A. Right to transfer data across borders without restriction
B. Right to unlimited processing
C. Right to erasure (right to be forgotten)
D. Right to sell data

Answer: C

This is a core GDPR right.

Why this answer

The GDPR grants data subjects the right to request deletion of their personal data under certain conditions.

19
Multi-Select · hard

A security analyst is prioritizing remediation of vulnerabilities. Which THREE of the following factors should be considered when determining the risk level of a vulnerability? (Choose THREE.)

Select 3 answers
A. Availability of a public exploit
B. Vendor patch availability
C. Asset value or criticality
D. CVSS base score
E. Number of days since the vulnerability was discovered

Answers: A, C, D

Public exploits increase likelihood of attack.

Why this answer

Risk is a function of impact and likelihood. CVSS score provides severity; asset value indicates impact; exploit availability indicates likelihood of attack.

20
MCQ · medium

An organization discovers that a third-party vendor has a subcontractor that processes its data. The organization did not have a contract with the subcontractor. This is an example of which type of risk?

A. Residual risk
B. Third-party risk
C. Fourth-party risk
D. Supply chain risk

Answer: C

Fourth-party risk involves vendors of your vendors.

Why this answer

Fourth-party risk is the risk that arises from a vendor's use of subcontractors, which may not be directly managed by the organization.

21
MCQ · medium

A security team is selecting key risk indicators (KRIs) for the organization's cybersecurity program. Which of the following is an example of a KRI that provides a leading indicator of risk?

A. Mean time to detect (MTTD) for security incidents
B. Number of security incidents reported last month
C. Percentage of systems with antivirus installed
D. Number of unpatched critical vulnerabilities

Answer: D

This is a leading indicator of potential breaches.

Why this answer

KRIs ideally should be leading indicators that predict future risk. Number of unpatched critical vulnerabilities is a leading indicator because it indicates potential for future exploitation. MTTD is lagging (measures past incidents).

Patch compliance % is a KPI, not necessarily a risk indicator. Number of incidents is lagging.

22
MCQ · medium

During a policy gap analysis, it is discovered that the organization has a policy stating that sensitive data must be encrypted, but there are no procedures for implementing encryption on mobile devices. This is an example of a gap between:

A. Standards and guidelines
B. Policy and standards
C. Policy and guidelines
D. Policy and procedures

Answer: D

The policy exists but the procedures to operationalize it are missing.

Why this answer

A gap exists when a policy sets a requirement but the supporting procedures to implement it are missing.

23
MCQ · hard

An organization is implementing a privacy program based on privacy by design. Which principle requires that privacy controls be integrated into the system's default settings?

A. Full functionality – positive-sum, not zero-sum
B. Privacy embedded into design
C. Privacy as the default setting
D. Proactive not reactive; preventative not remedial

Answer: C

This principle ensures privacy settings are automatically applied.

Why this answer

Privacy by design includes the principle that privacy settings should be maximized by default, so users do not need to take action to protect their data.

24
Multi-Select · medium

A security manager is implementing a policy exception management process. Which TWO of the following are essential components of an effective exception management process? (Select TWO.)

Select 2 answers
A. A policy that all exceptions are denied
B. A defined expiration date for each exception
C. A formal request and approval workflow
D. Automatic approval for temporary workarounds
E. Immediate policy revision to eliminate the need for exceptions

Answers: B, C

Prevents indefinite exceptions and ensures periodic review.

Why this answer

An exception management process must include: (1) a formal request and approval workflow to ensure accountability, and (2) a defined expiration date to prevent permanent exceptions. Temporary workarounds without expiration undermine security. Exceptions may be approved if risk is accepted.

Policy changes are separate.

25
MCQ · hard

An organization is implementing a privacy program to comply with GDPR. Which of the following BEST describes the concept of 'privacy by design' as it applies to a new customer relationship management (CRM) system?

A. Incorporating data minimization and access controls into the system architecture from the start.
B. Assigning a data protection officer to review system logs quarterly.
C. Adding a privacy notice to the CRM after deployment.
D. Conducting a privacy impact assessment (PIA) after the system is live.

Answer: A

This aligns with privacy by design principles.

Why this answer

Privacy by design requires embedding privacy controls into the system's architecture from the outset, not as an afterthought. This includes data minimization, purpose limitation, and security controls integrated during development.

26
Multi-Select · hard

A healthcare organization is implementing a vendor risk management program. Which THREE of the following should be included in the vendor risk assessment process? (Select THREE.)

Select 3 answers
A. Requiring the vendor to purchase cyber insurance
B. Reviewing the vendor's financial statements
C. Reviewing the vendor's SOC 2 Type II report
D. Conducting a penetration test of the vendor's environment
E. Administering a security questionnaire to the vendor

Answers: C, D, E

Correct. SOC 2 reports provide independent assurance.

Why this answer

Effective vendor risk assessment includes reviewing audit reports, performing security questionnaires, and conducting penetration tests to evaluate controls.

27
Multi-Select · hard

A security architect is designing a data classification scheme aligned with a new privacy regulation. Which THREE of the following are common data classification levels used in enterprise environments? (Select THREE.)

Select 3 answers
A. Public
B. Internal
C. Critical
D. Secret
E. Confidential

Answers: A, B, E

Data that can be freely disclosed; no sensitivity.

Why this answer

Common classification levels include public (no impact), internal (moderate impact), confidential (high impact), and restricted (very high impact). Secret is typically a government classification, not enterprise. Critical is not a standard classification level.

28
Multi-Select · medium

An organization's security team is reviewing security metrics to present to the board. Which THREE of the following are commonly used Key Performance Indicators (KPIs) for a security program? (Select THREE.)

Select 3 answers
A. Patch compliance percentage
B. Mean time to respond (MTTR)
C. Number of firewalls deployed
D. Vulnerabilities by severity
E. Mean time to detect (MTTD)

Answers: A, B, E

Indicates the proportion of systems with up-to-date patches.

Why this answer

Common security KPIs include mean time to detect (MTTD), mean time to respond (MTTR), and patch compliance percentage. Vulnerabilities by severity is typically a Key Risk Indicator (KRI). Number of firewalls is a configuration metric, not a KPI.

29
MCQ · hard

An organization is adopting the NIST Risk Management Framework (RMF). During which step would the security team select and implement security controls, and how does this map to the organization's governance structure?

A. Step 4: Assess — controls are evaluated for effectiveness.
B. Step 1: Prepare — the organization establishes risk management roles and responsibilities.
C. Step 5: Authorize — a senior official accepts the risk.
D. Step 2: Select and Step 3: Implement — controls are chosen based on risk assessment and integrated into the system.

Answer: D

These steps directly involve selecting and deploying security controls.

Why this answer

In NIST RMF, Step 2 (Select) and Step 3 (Implement) involve selecting controls from NIST SP 800-53 and implementing them. This aligns with governance through the risk executive function.

30
MCQ · medium

During a vendor risk assessment, a company receives a SOC 2 Type II report from a cloud service provider. What does this report primarily attest to?

A. The design and operating effectiveness of controls over a period of time
B. The vendor's financial stability
C. The vendor's compliance with privacy laws
D. The vendor's penetration test results

Answer: A

Correct: SOC 2 Type II assesses control effectiveness over a period.

Why this answer

SOC 2 Type II reports on the effectiveness of controls over a period of time.

31
MCQ · easy

Under GDPR, which of the following is a data subject right that allows an individual to request that their personal data be erased?

A. Right to portability
B. Right to access
C. Right to erasure
D. Right to rectification

Answer: C

Correct. Also known as the right to be forgotten.

Why this answer

GDPR Article 17 gives individuals the right to erasure ('right to be forgotten').

32
MCQ · easy

Which key performance indicator (KPI) is most useful for measuring the effectiveness of an incident response process?

A. Patch compliance percentage
B. Vulnerabilities by severity
C. Number of security awareness training sessions
D. Mean time to respond (MTTR)

Answer: D

MTTR measures the average time to respond to incidents, a direct measure of response efficiency.

Why this answer

Mean time to respond (MTTR) directly measures how quickly incidents are contained and remediated, reflecting process efficiency.

33
MCQ · medium

An organization is using the FAIR model to quantify risk. Which of the following is a primary component of the FAIR taxonomy?

A. Inherent risk and residual risk
B. Annualized loss expectancy and single loss expectancy
C. Loss event frequency and loss magnitude
D. Threat event frequency and vulnerability

Answer: C

Correct. These are the two main branches in FAIR.

Why this answer

FAIR decomposes risk into loss event frequency and loss magnitude. These are core components used to calculate risk.

34
MCQ · easy

A financial institution must comply with the Sarbanes-Oxley Act (SOX). Which of the following is a primary focus of SOX compliance?

A. Security of credit card transactions
B. Privacy of health information
C. Protection of personally identifiable information (PII)
D. Accuracy and reliability of financial reporting

Answer: D

SOX is about financial integrity and internal controls.

Why this answer

SOX focuses on internal controls over financial reporting (ICFR) and requires management to assess and report on the effectiveness of these controls, which includes IT controls that impact financial data.

35
MCQ · medium

A company is required to comply with PCI DSS. What is the primary purpose of conducting quarterly network vulnerability scans?

A. To ensure firewall rules are correctly configured
B. To verify encryption strength
C. To detect and remediate vulnerabilities in a timely manner
D. To monitor user access logs

Answer: C

Quarterly scans help maintain security by finding vulnerabilities regularly.

Why this answer

PCI DSS Requirement 11.2 mandates quarterly external and internal vulnerability scans to identify and address vulnerabilities.

36
Multi-Select · medium

A risk manager is applying the FAIR model to quantify a risk. Which TWO of the following are primary components used in FAIR analysis? (Select TWO.)

Select 2 answers
A. Loss Magnitude (LM)
B. Single Loss Expectancy (SLE)
C. Annual Loss Expectancy (ALE)
D. Loss Event Frequency (LEF)
E. Annualized Rate of Occurrence (ARO)

Answers: A, D

The probable magnitude of a loss event.

Why this answer

The FAIR model decomposes risk into Loss Event Frequency (LEF) and Loss Magnitude (LM). Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO) are used in quantitative risk analysis (e.g., ALE), but they are not primary FAIR components. Exposure Factor (EF) is part of the SLE calculation.

Annual Loss Expectancy (ALE) is a result, not a component.

37
Multi-Select · hard

An organization is implementing a vendor risk management program and is reviewing a contract that includes a right-to-audit clause. Which THREE of the following are common elements that should be verified during such an audit? (Select THREE.)

Select 3 answers
A. Employee satisfaction surveys
B. Vendor's financial stability
C. Access control mechanisms
D. Incident response procedures
E. Data encryption practices

Answers: C, D, E

Access controls are critical to protect data.

Why this answer

Right-to-audit allows the customer to verify vendor compliance. Common audit areas include security controls, data handling, incident response, and access controls.

38
MCQ · hard

A security analyst calculates the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $50,000, and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

A. $50,200
B. $2,500
C. $10,000
D. $250,000

Answer: C

Correct calculation: $50,000 × 0.2 = $10,000.

Why this answer

ALE = SLE × ARO = $50,000 × 0.2 = $10,000.

39
MCQ · hard

An organization's security policy defines that all sensitive data must be encrypted. However, a business unit has a legacy application that cannot support encryption without a major rewrite. The risk owner decides to accept the risk. This is an example of which risk treatment strategy?

A. Risk acceptance
B. Risk mitigation
C. Risk transfer
D. Risk avoidance

Answer: A

The risk owner formally accepts the residual risk.

Why this answer

Risk acceptance is acknowledging the risk and deciding to tolerate it without additional controls, often documented in a risk register.

40
Multi-Select · hard

During a compliance audit for PCI DSS, the auditor identifies that cardholder data is stored beyond the required retention period. The organization wants to implement proper data lifecycle management. Which THREE of the following should the organization include in its data retention policy? (Select THREE.)

Select 3 answers
A. Encryption requirements for data in transit
B. Retention schedules for each data classification level
C. Process for legal hold to suspend deletion
D. Data classification scheme definitions
E. Secure disposal methods for data at end of life

Answers: B, C, E

Specifies how long each type of data should be kept.

Why this answer

A data retention policy should specify retention schedules for each data type, define secure destruction methods, and include a process for legal hold exceptions. Encryption during transmission is a security control, not a retention policy element. The data classification scheme is separate from retention.

41
MCQ · medium

A security team is evaluating the effectiveness of their patching program. Which metric would best indicate how quickly the organization applies critical patches?

A. Number of unpatched systems
B. Patch compliance percentage
C. Mean time to patch
D. Vulnerabilities by severity

Answer: C

This directly measures how quickly patches are applied.

Why this answer

Mean time to patch measures the average time from patch release to deployment, indicating responsiveness.

42
MCQ · medium

A financial institution is evaluating a cloud service provider for hosting customer data. During the due diligence process, which report would best help the institution assess the provider's control environment and compliance with SOC 2?

A. SOC 2 Type II report
B. ISO 27001 certificate
C. Penetration test report
D. Vulnerability scan results

Answer: A

This report evaluates the design and operating effectiveness of controls over time, suitable for assessing a service provider's control environment.

Why this answer

A SOC 2 Type II report provides an auditor's opinion on the effectiveness of controls over a period, directly addressing the service provider's control environment and compliance with Trust Services Criteria.

43
MCQ · medium

An organization is reviewing its third-party risk management process. Which of the following clauses should be included in contracts with critical vendors to ensure ongoing visibility into their security posture?

A. Non-disclosure agreement (NDA)
B. Service-level agreement (SLA) for uptime
C. Right-to-audit clause
D. Data processing agreement (DPA)

Answer: C

Correct: This clause gives the organization the right to audit the vendor's security controls.

Why this answer

A right-to-audit clause allows the organization to audit the vendor's controls and verify compliance.

44
MCQ · medium

A security analyst is calculating the annualized loss expectancy (ALE) for a server that processes credit card data. The server has a $100,000 asset value, and the exposure factor for a security breach is 0.4. Historical data shows that such breaches occur twice per year. What is the ALE?

A. $100,000
B. $40,000
C. $80,000
D. $200,000

Answer: C

Correct. ALE = SLE × ARO = ($100,000 × 0.4) × 2 = $80,000.

Why this answer

ALE = SLE × ARO, where SLE = AV × EF = $100,000 × 0.4 = $40,000, and ARO = 2. So ALE = $40,000 × 2 = $80,000.

45
MCQ · hard

A company is considering adopting the NIST Risk Management Framework (RMF). Which of the following steps is unique to NIST RMF compared to ISO 27005?

A. System categorization
B. Risk identification
C. Risk treatment
D. Risk assessment

Answer: A

Correct: NIST RMF starts with categorizing the system and information based on FIPS 199, which is unique.

Why this answer

NIST RMF includes a formal step to categorize the information system and information based on impact, which is not explicitly part of ISO 27005's risk assessment process.

46
MCQ · medium

A security analyst calculates the annual loss expectancy (ALE) for a critical asset. The single loss expectancy (SLE) is $50,000, and the annualized rate of occurrence (ARO) is 0.2. What is the annual loss expectancy?

A. $0
B. $10,000
C. $50,200
D. $250,000

Answer: B

ALE = SLE × ARO = $50,000 × 0.2 = $10,000.

Why this answer

ALE = SLE × ARO = $50,000 × 0.2 = $10,000. Annual loss expectancy represents the expected monetary loss per year from a risk.

47
MCQ · medium

A security manager is reviewing Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for the security program. Which of the following is an example of a KRI?

A. Mean time to detect (MTTD) security incidents
B. Number of critical vulnerabilities exceeding the risk appetite threshold
C. Percentage of systems patched within 30 days
D. Number of security incidents per month

Answer: B

This indicates risk level relative to tolerance.

Why this answer

KRIs measure risk levels, such as the number of critical vulnerabilities that exceed the risk appetite threshold. KPIs measure performance, like patch compliance percentage.

48
MCQ · medium

An organization has identified a vulnerability in a legacy system that cannot be patched. The system is critical for operations, and the cost of mitigating the vulnerability exceeds the potential loss. Which risk treatment option is most appropriate?

A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transfer

Answer: A

Correct: The organization accepts the residual risk because mitigation is too expensive.

Why this answer

Risk acceptance is chosen when the cost of mitigation exceeds the potential loss and the risk is within risk appetite.

49
MCQ · easy

Which risk management framework is specifically designed for U.S. federal agencies and includes a six-step process: Categorize, Select, Implement, Assess, Authorize, and Monitor?

A. ISO 27005
B. COBIT
C. NIST RMF
D. FAIR

Answer: C

NIST RMF is the framework used by U.S. federal agencies.

Why this answer

NIST Risk Management Framework (RMF) includes the six steps: Categorize, Select, Implement, Assess, Authorize, and Monitor.

50
Multi-Select · medium

A security officer is reviewing continuous compliance monitoring tools. Which TWO of the following are primary benefits of implementing such tools? (Select TWO.)

Select 2 answers
A. Guarantees 100% compliance with all regulations
B. Provides real-time visibility into compliance posture
C. Reduces the need for periodic audits by enabling ongoing tracking
D. Replaces the need for a risk management framework
E. Eliminates all security risks

Answers: B, C

Correct. Continuous monitoring offers real-time insight.

Why this answer

Continuous monitoring provides real-time visibility and allows for ongoing tracking of controls, enabling quicker detection of non-compliance.

51
MCQ · easy

A security analyst is calculating the annualized loss expectancy (ALE) for a server that has an asset value of $100,000, an exposure factor (EF) of 0.5, and an annualized rate of occurrence (ARO) of 2. What is the ALE?

A. $100,000
B. $150,000
C. $50,000
D. $200,000

Answer: A

Correct calculation: ALE = AV × EF × ARO = $100,000 × 0.5 × 2 = $100,000.

Why this answer

ALE = SLE × ARO, where SLE = AV × EF = $100,000 × 0.5 = $50,000. Then ALE = $50,000 × 2 = $100,000.

52
Multi-Select · medium

A security architect is designing a data lifecycle management program. Which TWO of the following are phases of the data lifecycle? (Select TWO.)

Select 2 answers
A. Data replication
B. Data anonymization
C. Data creation
D. Data destruction
E. Data monetization

Answers: C, D

The initial phase where data is generated.

Why this answer

The data lifecycle typically includes creation, storage, use, sharing, archiving, and destruction. Creation and destruction are standard phases.

53
MCQ · medium

A security analyst is performing a quantitative risk assessment for a server that processes payment card data. The server has an asset value of $50,000. Based on historical data, the exposure factor (EF) for a ransomware attack is 80%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

A. $20,000
B. $40,000
C. $50,000
D. $25,000

Answer: A

Correct calculation: SLE = AV × EF = $40,000, ALE = $40,000 × 0.5 = $20,000.

Why this answer

ALE = SLE × ARO, where SLE = AV × EF = $50,000 × 0.8 = $40,000, and ARO = 0.5, so ALE = $40,000 × 0.5 = $20,000.

54
Multi-Select · easy

A security analyst is evaluating security metrics for the security program. Which TWO of the following are considered key performance indicators (KPIs) for measuring the effectiveness of a security program? (Select TWO.)

Select 2 answers
A. Employee satisfaction score
B. Number of critical vulnerabilities identified
C. Patch compliance percentage
D. Total budget spent on security
E. Mean time to respond (MTTR) to incidents

Answers: C, E

Indicates how well the organization maintains patching.

Why this answer

KPIs measure the effectiveness of security controls and processes. Mean time to respond (MTTR) measures incident response effectiveness. Patch compliance percentage measures the effectiveness of patch management.

Number of vulnerabilities is a KRI, not a KPI per se. Budget spent is a financial metric. Employee satisfaction is HR-related.

55
Multi-Select · easy

An organization is developing a security policy hierarchy. Which TWO of the following correctly represent the typical order from highest to lowest level in a policy framework? (Select TWO.)

Select 2 answers
A. Policy, Standard, Guideline, Procedure
B. Policy, Procedure, Guideline, Standard
C. Guideline, Policy, Standard, Procedure
D. Standard, Policy, Procedure, Guideline
E. Policy is the highest level document
Answers: A, E

This is the correct hierarchy from highest to lowest.

Why this answer

The policy hierarchy typically is: Policy (high-level requirements), Standard (mandatory rules), Guideline (recommended practices), Procedure (step-by-step instructions). "Policy, Procedure, Guideline, Standard" is not the correct order; Policy, Standard, Guideline, Procedure is the full order, and Policy sits at the top of it.

56
MCQ · easy

Which of the following is the correct order of the security policy hierarchy from highest to lowest?

A. Policy → Standard → Guideline → Procedure
B. Standard → Policy → Guideline → Procedure
C. Policy → Guideline → Standard → Procedure
D. Procedure → Guideline → Standard → Policy
Answer: A

Correct: Policy sets the direction, Standard defines mandatory requirements, Guideline offers recommendations, Procedure details steps.

Why this answer

The typical hierarchy is Policy (high-level), Standard (mandatory controls), Guideline (recommended), Procedure (step-by-step).

57
MCQ · medium

A company processes personal data of EU citizens and wants to implement privacy by design. Which of the following is the BEST first step in this process?

A. Appointing a Data Protection Officer (DPO)
B. Implementing data encryption at rest and in transit
C. Developing a data retention policy
D. Conducting a Privacy Impact Assessment (PIA)
Answer: D

A PIA is a foundational step that identifies privacy risks and informs design decisions.

Why this answer

Privacy by design requires embedding privacy into the design of systems and processes from the outset. Conducting a Privacy Impact Assessment (PIA) early helps identify and mitigate privacy risks before implementation.

58
MCQ · hard

An organization is implementing a privacy by design approach for a new customer-facing application. Which of the following actions best exemplifies this principle?

A. Adding a privacy notice to the application post-launch
B. Conducting a privacy impact assessment after the application is deployed
C. Minimizing data collection to only what is necessary for the application's function
D. Encrypting data at rest and in transit
Answer: C

Correct. Data minimization is a core privacy by design principle.

Why this answer

Privacy by design means embedding privacy into the design and architecture of systems, not as an afterthought. Data minimization (collecting only what is necessary) is a key principle.

59
MCQ · hard

An organization has implemented a risk treatment plan that includes purchasing cyber insurance for potential data breach costs. Which risk treatment option does this represent?

A. Risk mitigation
B. Risk avoidance
C. Risk acceptance
D. Risk transfer
Answer: D

Insurance transfers the financial impact to a third party.

Why this answer

Cyber insurance transfers the financial risk to an insurance company, which is risk transfer.

60
MCQ · medium

An organization is implementing a risk management framework and wants to align with a standard that emphasizes a continuous, iterative process for identifying, assessing, and responding to risk. Which framework is most appropriate?

A. FAIR
B. ISO 27005
C. COBIT
D. NIST RMF
Answer: D

Correct. NIST RMF defines a continuous, iterative process for risk management.

Why this answer

The NIST Risk Management Framework (RMF) describes a continuous process that includes steps like categorize, select, implement, assess, authorize, and monitor.

61
Multi-Select · easy

An organization is implementing a privacy program in accordance with GDPR. Which TWO of the following are data subject rights under GDPR? (Select TWO.)

Select 2 answers
A. Right to transfer
B. Right to data portability
C. Right to rectification
D. Right to be informed
E. Right to be forgotten
Answers: B, E

Data subjects can obtain and reuse their personal data across services.

Why this answer

GDPR grants data subjects rights including the right to erasure (right to be forgotten) and the right to data portability. The right to be informed and the right to rectification are also GDPR rights, but they are not the answers selected here. "Right to transfer" is not a formal GDPR right.

62
MCQ · medium

During a vendor risk assessment, a security analyst reviews a SOC 2 Type II report from a cloud provider. What is the primary value of this report?

A. It provides assurance over the design and operating effectiveness of controls over a period.
B. It offers a snapshot of the vendor's security posture at a single point in time.
C. It provides a real-time vulnerability scan of the vendor's network.
D. It verifies the vendor's compliance with PCI DSS.
Answer: A

Type II reports include testing of controls over a period.

Why this answer

A SOC 2 Type II report provides an independent assessment of controls over a period, confirming the vendor's control effectiveness.

63
MCQ · easy

Which document in a security policy hierarchy provides specific step-by-step instructions for performing a task?

A. Guideline
B. Procedure
C. Standard
D. Policy
Answer: B

A procedure provides detailed instructions for a specific activity.

Why this answer

A procedure details the exact steps to implement a policy, standard, or guideline.

64
MCQ · medium

A healthcare organization is required to comply with HIPAA. During an audit, the auditor requests evidence of access controls for electronic protected health information (ePHI). Which of the following would be the BEST evidence to provide?

A. A report of employee security training completion
B. A signed copy of the access control policy
C. Access review logs showing periodic reviews of user permissions
D. A network diagram of the IT infrastructure
Answer: C

This demonstrates ongoing compliance with access control requirements.

Why this answer

Access review logs demonstrate ongoing monitoring and management of access rights, which is a key HIPAA requirement for administrative safeguards. A signed policy is insufficient without evidence of enforcement. A network diagram shows architecture, not control.

A training completion report addresses workforce training, not access controls.

65
MCQ · medium

A healthcare organization subject to HIPAA must ensure that patients can access their medical records. This requirement is an example of which data subject right under privacy regulations?

A. Right to be forgotten
B. Right to data portability
C. Right to rectification
D. Right to access
Answer: D

HIPAA requires covered entities to provide individuals access to their PHI.

Why this answer

HIPAA gives patients the right to access their protected health information (PHI). This aligns with the data subject right of access.

66
MCQ · hard

An organization is using the FAIR framework to quantify risk. The analyst estimates the probable loss event frequency (LEF) as 4 per year and the probable loss magnitude (LM) as $25,000 per event. What is the annualized loss expectancy (ALE) under FAIR?

A. $6,250
B. $125,000
C. $100,000
D. $25,000
Answer: C

Correct calculation: 4 × $25,000 = $100,000.

Why this answer

In FAIR, ALE = LEF × LM. Here, LEF=4 and LM=$25,000, so ALE = 4 × $25,000 = $100,000.

67
MCQ · hard

An organization is implementing continuous compliance monitoring. Which of the following metrics would best indicate whether the organization is maintaining compliance with PCI DSS Requirement 10 (log management)?

A. Number of failed login attempts per day
B. Percentage of systems with centralized logging enabled
C. Mean time to detect (MTTD) for security incidents
D. Vulnerability scan pass rate
Answer: B

Correct: This directly measures compliance with logging requirements.

Why this answer

PCI DSS Requirement 10 requires tracking and monitoring access to network resources and cardholder data. Log coverage percentage directly measures whether all necessary systems are logging.

68
MCQ · medium

During a vendor risk assessment, a third-party vendor refuses to provide a SOC 2 report but offers a completed security questionnaire. The vendor handles sensitive customer data. Which of the following is the BEST course of action?

A. Immediately terminate the relationship.
B. Lower the data classification to reduce risk.
C. Require a right-to-audit clause to conduct an on-site assessment.
D. Accept the questionnaire as sufficient evidence.
Answer: C

This allows the organization to verify controls directly.

Why this answer

If a vendor refuses to provide independent audit evidence, the organization should consider the risk level. For sensitive data, a SOC 2 report is a strong control. The organization should require a right-to-audit clause to perform its own assessment, as the questionnaire alone may be insufficient.

69
MCQ · easy

Which of the following is a key difference between a security guideline and a security procedure?

A. Both are equally enforceable
B. Procedures are high-level; guidelines are detailed
C. Guidelines are recommended; procedures are mandatory
D. Guidelines are mandatory; procedures are optional
Answer: C

This is correct: guidelines provide guidance, procedures must be followed.

Why this answer

A guideline suggests best practices and is not mandatory, while a procedure provides step-by-step instructions that are mandatory.

70
MCQ · easy

A security analyst is calculating the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $5,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

A. $0
B. $5,200
C. $1,000
D. $25,000
Answer: C

Correct: $5,000 × 0.2 = $1,000.

Why this answer

ALE = SLE × ARO = $5,000 × 0.2 = $1,000.

71
Multi-Select · medium

A company is conducting a third-party risk assessment of a cloud service provider. Which TWO of the following are appropriate sources of evidence for evaluating the provider's security controls? (Select TWO.)

Select 2 answers
A. SOC 2 Type II report
B. Supply chain bill of materials
C. Penetration test report from a qualified third party
D. Security questionnaire completed by the vendor
E. Right-to-audit clause in the contract
Answers: A, C

Provides independent audit over security controls.

Why this answer

SOC 2 reports provide independent assurance of controls. Penetration test reports demonstrate the effectiveness of security testing. Security questionnaires are self-reported and less reliable.

Right-to-audit clauses are contractual, not evidence. Supply chain documentation may be relevant but is not a direct evidence source for security controls.

72
MCQ · medium

A company is adopting the NIST Risk Management Framework (RMF). Which step in the RMF involves selecting security controls based on the risk assessment?

A. Select
B. Categorize
C. Assess
D. Implement
Answer: A

Select is the step where controls are chosen.

Why this answer

In NIST RMF, the 'Select' step involves choosing baseline controls and tailoring them based on the risk assessment results. 'Categorize' determines impact level. 'Implement' executes controls. 'Assess' evaluates effectiveness.

73
Multi-Select · hard

A security manager is developing key risk indicators (KRIs) for the organization's cybersecurity program. Which THREE of the following are examples of KRIs? (Select THREE.)

Select 3 answers
A. Number of failed login attempts per day
B. Total number of security incidents this quarter
C. Mean time to detect (MTTD)
D. Number of unpatched critical vulnerabilities
E. Percentage of users without multifactor authentication
Answers: A, D, E

May indicate brute-force attacks or credential stuffing.

Why this answer

KRIs are leading indicators that signal increasing risk. Number of unpatched critical vulnerabilities, percentage of users without MFA, and number of failed login attempts are KRIs. MTTD is a KPI, not a KRI.

74
MCQ · hard

Using the FAIR model, which of the following best describes the factor that represents the probable frequency of a threat acting on a vulnerability?

A. Threat event frequency (TEF)
B. Vulnerability
C. Loss event frequency (LEF)
D. Control effectiveness
Answer: A

TEF measures how often a threat acts on a vulnerability.

Why this answer

In FAIR, threat event frequency (TEF) is the probable number of times a threat agent will act on a vulnerability in a given timeframe.

75
Multi-Select · medium

A security manager is selecting metrics to present to the board. Which two of the following are key risk indicators (KRIs) that would be most relevant for executive oversight? (Choose two.)

Select 2 answers
A. Average time to patch critical vulnerabilities
B. Mean time to detect (MTTD)
C. Number of security incidents per quarter
D. Number of security awareness training completions
E. Percentage of systems with critical vulnerabilities
Answers: C, E

This indicates the level of threat activity.

Why this answer

KRIs provide early warning of increasing risk. Percentage of systems with critical vulnerabilities indicates exposure; number of security incidents indicates threat activity.

Page 1 of 2 · 98 questions total
