CCNA Casp Grc Questions

23 of 98 questions · Page 2/2 · Casp Grc topic · Answers revealed

76 · MCQ · hard

After a risk assessment, a company identifies that the residual risk for a critical application is higher than the risk appetite. The risk owner proposes implementing additional controls to reduce the risk further. Which risk treatment option does this represent?

A. Risk transfer
B. Risk mitigation
C. Risk acceptance
D. Risk avoidance

Answer: B

Correct: adding controls to reduce risk.

Why this answer

Implementing additional controls to reduce risk is an example of risk mitigation. Residual risk is the risk remaining after controls are applied; if it still exceeds appetite, further mitigation is needed.

77 · MCQ · medium

A security manager is reviewing the organization's security policy hierarchy. Which of the following correctly orders these documents from highest to lowest level of authority?

A. Guideline, Policy, Procedure, Standard
B. Standard, Policy, Procedure, Guideline
C. Policy, Standard, Guideline, Procedure
D. Procedure, Guideline, Standard, Policy

Answer: C

Correct. Policy is top-level, then standard, guideline, procedure.

Why this answer

The typical hierarchy is: policy (high-level, mandatory), standard (specific requirements), guideline (recommendations), procedure (step-by-step instructions).

78 · MCQ · medium

A healthcare organization must comply with HIPAA. Which of the following is a key requirement for protecting electronic protected health information (ePHI)?

A. Data masking for all patient data
B. Encryption of ePHI at rest and in transit
C. Annual penetration testing

Answer: B

The HIPAA Security Rule includes encryption as an addressable specification for ePHI.

Why this answer

HIPAA requires encryption of ePHI both at rest and in transit as an addressable implementation specification to ensure confidentiality.

79 · MCQ · easy

An organization wants to implement continuous compliance monitoring for PCI DSS. Which of the following tools would be MOST effective for this purpose?

A. Encryption solution
B. Network firewall
C. Vulnerability scanner
D. SIEM system

Answer: D

SIEM provides real-time log analysis and alerting for continuous monitoring.

Why this answer

A security information and event management (SIEM) system can collect and analyze logs in real time, enabling continuous monitoring of security controls and compliance with PCI DSS requirements. Vulnerability scanners are periodic, not continuous. Firewalls are control devices, not monitoring tools. Encryption is a protection mechanism.

80 · MCQ · hard

A financial institution is implementing a privacy program based on GDPR principles. Which of the following best describes the concept of 'privacy by design'?

A. Ensuring that data subjects can exercise their rights upon request
B. Appointing a Data Protection Officer to oversee all privacy matters
C. Embedding privacy controls into the design and architecture of systems and processes
D. Conducting a privacy impact assessment after a data breach

Answer: C

This is the essence of privacy by design.

Why this answer

Privacy by design is a proactive approach that integrates privacy into the system development lifecycle, not just a one-time assessment.

81 · MCQ · hard

A security architect is designing a data classification scheme. Which classification level should be used for data that, if disclosed, could cause serious damage to the organization's reputation or financial standing?

A. Confidential
B. Public
C. Internal
D. Restricted

Answer: D

Correct. Restricted data is the most sensitive, causing serious damage if disclosed.

Why this answer

Restricted data is typically the highest level, where unauthorized disclosure could cause severe harm. Confidential is often a lower level.

82 · MCQ · medium

A company's security policy requires all sensitive data to be encrypted at rest. However, a business unit requests an exception to store certain data unencrypted due to performance constraints. Which document should govern the exception process?

A. Security policy
B. Risk treatment plan
C. Acceptable use policy
D. Data classification standard

Answer: A

The security policy should include an exception management clause.

Why this answer

An exception management process is typically defined within the security policy or a related standard, outlining how to request, approve, and track exceptions.

83 · Multi-Select · medium

A small business is implementing a privacy impact assessment (PIA) for a new application that processes personal data of EU citizens. Which TWO of the following are required under GDPR?

Select 2 answers
A. Obtain approval from a data protection authority before processing
B. Appoint a data protection officer (DPO)
C. Publish the PIA on the company website
D. Describe the processing operations and purposes
E. Assess the necessity and proportionality of the processing

Answers: D, E

Correct: The PIA must include a description of the processing.

Why this answer

GDPR requires a PIA when processing is likely to result in high risk to individuals, and the PIA must describe the processing and assess necessity and proportionality.

84 · MCQ · medium

A security manager is reviewing the company's security policy hierarchy. Which of the following correctly orders these documents from highest to lowest authority?

A. Standard, Policy, Procedure, Guideline
B. Policy, Standard, Guideline, Procedure
C. Policy, Guideline, Standard, Procedure
D. Procedure, Guideline, Standard, Policy

Answer: B

Correct order: Policy -> Standard -> Guideline -> Procedure.

Why this answer

The policy hierarchy typically follows: Policy (high-level, mandatory) -> Standard (specific requirements) -> Guideline (recommendations) -> Procedure (step-by-step instructions).

85 · MCQ · hard

A security manager is evaluating two risk quantification approaches: Factor Analysis of Information Risk (FAIR) and a qualitative heat map. Which of the following is a key advantage of using FAIR over the qualitative heat map?

A. FAIR is the only framework recognized by NIST
B. FAIR is easier to communicate to non-technical stakeholders
C. FAIR requires less data and expertise to implement
D. FAIR provides a monetary value for risk, enabling ROI calculations

Answer: D

Correct: FAIR produces dollar figures for risk, supporting cost-benefit decisions.

Why this answer

FAIR provides a more rigorous, quantitative analysis that enables cost-benefit analysis, unlike qualitative methods.

86 · MCQ · medium

A security team is measuring the effectiveness of its incident response process. Which of the following metrics would best indicate how quickly the team can contain an incident after it is detected?

A. Mean time to respond (MTTR)
B. Vulnerabilities by severity
C. Patch compliance percentage
D. Mean time to detect (MTTD)

Answer: A

Correct: MTTR measures the time to respond and contain an incident.

Why this answer

Mean time to respond (MTTR) measures the time from detection to containment, which is directly relevant to incident response effectiveness.

87 · MCQ · hard

A multinational corporation is implementing a data classification scheme. Which of the following data types should be classified as 'restricted'?

A. Internal meeting minutes
B. Customer PII with legal requirements
C. Employee training materials
D. Marketing brochures

Answer: B

PII with regulatory requirements is often classified as restricted.

Why this answer

Restricted data typically includes information that could cause severe damage if disclosed, such as trade secrets, intellectual property, or personally identifiable information (PII) that is heavily regulated. Public data is for public release. Internal data is for internal use only. Confidential data is sensitive but less critical than restricted.

88 · MCQ · medium

Which of the following is a key difference between compliance and security?

A. Compliance is voluntary, security is mandatory
B. Compliance is proactive, security is reactive
C. Security only applies to technical controls, compliance to administrative
D. Compliance typically represents a minimum bar, while security seeks best practice

Answer: D

Correct. Compliance is about meeting minimum requirements; security goes beyond.

Why this answer

Compliance focuses on meeting minimum legal or regulatory requirements, while security aims for best practices to protect assets beyond what is required.

89 · MCQ · medium

A financial institution is required to comply with SOX. Which of the following is a primary focus of this regulation?

A. Privacy of personal data for EU citizens
B. Accuracy of financial reporting and internal controls
C. Security of health information
D. Protection of cardholder data

Answer: B

Correct: SOX mandates controls to ensure financial reporting accuracy.

Why this answer

SOX focuses on financial reporting accuracy and internal controls over financial reporting.

90 · Multi-Select · hard

A security manager is selecting key risk indicators (KRIs) for the organization's risk management program. Which THREE of the following are examples of KRIs that can provide early warning of increasing risk?

Select 3 answers
A. Number of failed login attempts per hour
B. Mean time to detect (MTTD) for incidents
C. Percentage of users with privileged access
D. Number of unpatched critical vulnerabilities
E. Percentage of systems with current backups

Answers: A, C, D

Correct: An increase may indicate brute-force attacks, increasing risk.

Why this answer

KRIs measure risk levels and can indicate changes. Unpatched critical vulnerabilities, number of failed login attempts, and percentage of users with privileged access are direct indicators of risk.

91 · Multi-Select · hard

An organization is developing a policy exception management process. Which three of the following are essential components of an effective exception process? (Choose three.)

Select 3 answers
A. Documented business justification for the exception
B. An expiration date for the exception
C. Automatic enforcement of policy via technical controls
D. A risk assessment of the exception
E. A copy of the entire policy hierarchy

Answers: A, B, D

Justification ensures the exception is necessary.

Why this answer

An exception process should include documented justification, expiration date, and formal approval by management. Policy hierarchy documentation is separate; automated enforcement may not be required.

92 · MCQ · medium

An organization is required to comply with PCI DSS. Which of the following is a mandatory requirement for protecting cardholder data?

A. Conducting annual risk assessments
B. Using a dedicated network segment for card processing
C. Implementing multi-factor authentication for all users
D. Encrypting cardholder data at rest

Answer: D

PCI DSS Requirement 3.4 requires rendering PAN unreadable at rest.

Why this answer

PCI DSS Requirement 3 mandates that stored PAN must be rendered unreadable via encryption, truncation, hashing, or tokenization.

93 · MCQ · medium

A company is evaluating a new cloud service provider. The provider offers a SOC 2 Type II report, a third-party penetration test summary, and a completed security questionnaire. However, the company's procurement team discovers that the provider uses a subcontractor for data storage. Which of the following is the BEST next step for the security team?

A. Require the provider to use only in-house resources.
B. Accept the risk because the provider has a SOC 2 report.
C. Request a right-to-audit clause covering the subcontractor.
D. Immediately terminate the contract due to subcontractor risk.

Answer: C

This allows the company to assess the fourth-party risk.

Why this answer

The presence of a subcontractor introduces fourth-party risk. The company should assess the subcontractor's security through a right-to-audit clause or request equivalent evidence, as the primary provider's controls may not cover the subcontractor.

94 · Multi-Select · medium

An organization is reviewing its supply chain risk management. Which TWO of the following are effective strategies to manage fourth-party risk?

Select 2 answers
A. Use only vendors that are SOC 2 certified
B. Reduce reliance on vendors by bringing services in-house
C. Conduct penetration tests on all fourth parties directly
D. Include a right-to-audit clause that covers subcontractors
E. Require vendors to contractually mandate security controls for their subcontractors

Answers: D, E

Correct: This ensures the ability to audit fourth parties.

Why this answer

To manage fourth-party risk, organizations can require their vendors to flow down security requirements to subcontractors and include right-to-audit clauses that extend to subcontractors.

95 · Multi-Select · easy

A compliance officer is preparing for an audit and needs to collect evidence. Which TWO of the following are considered acceptable forms of audit evidence? (Select TWO.)

Select 2 answers
A. Screenshots of unofficial reports
B. Verbal statements from employees
C. Written security policies
D. Assumptions about system configurations
E. System access logs

Answers: C, E

Policies demonstrate what is required.

Why this answer

Audit evidence includes system logs (factual records) and policy documentation (proof of requirements).

96 · MCQ · medium

A company is conducting a third-party risk assessment for a SaaS provider. The provider has provided a SOC 2 Type II report, penetration test results, and a completed security questionnaire. Which of these provides the most independent and comprehensive view of the provider's control environment over time?

A. Penetration test report
B. Security questionnaire
C. Vendor's marketing materials
D. SOC 2 Type II report

Answer: D

Provides independent assurance over controls over time.

Why this answer

A SOC 2 Type II report is an independent auditor's opinion on controls over a period, making it the most comprehensive.

97 · MCQ · hard

A company wants to implement continuous compliance monitoring. Which of the following approaches BEST supports this goal?

A. Manual review of compliance reports quarterly
B. Deploying a Security Information and Event Management (SIEM) system
C. Implementing automated compliance auditing tools
D. Annual external audits

Answer: C

Automated tools can provide ongoing monitoring and immediate feedback.

Why this answer

Continuous compliance monitoring requires automated, real-time checks against policies and regulations. Automated auditing tools can continuously assess controls and generate alerts.

98 · Multi-Select · hard

A compliance officer is preparing for a GDPR audit. Which THREE of the following are key data subject rights under GDPR that the organization must be able to demonstrate?

Select 3 answers
A. Right to object to processing
B. Right to unlimited data storage
C. Right to erasure (right to be forgotten)
D. Right to data monetization
E. Right to data portability

Answers: A, C, E

Article 21 allows data subjects to object to processing based on legitimate interests.

Why this answer

GDPR grants data subjects several rights, including the right to erasure (right to be forgotten), right to data portability, and right to object to processing. The right to rectification is also a right but is not listed as an option. The right to data monetization and right to unlimited storage are not GDPR rights.


CCNA Casp Grc Questions — Page 2 of 2 | Courseiva