CAS-004 · topic practice

Governance, Risk and Compliance practice questions

Practise CompTIA SecurityX CAS-004 Governance, Risk and Compliance practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Governance, Risk and Compliance

What the exam tests

What to know about Governance, Risk and Compliance

Governance, Risk and Compliance questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Governance, Risk and Compliance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Governance, Risk and Compliance questions

20 questions · select your answer, then reveal the explanation

A global financial firm must comply with GDPR and SOX. The CISO wants to consolidate controls across frameworks using a single set of controls. Which approach best addresses this requirement?

Question 2hardmultiple choice
Read the full NAT/PAT explanation →

A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?

An organization wants to ensure that its third-party vendors comply with the company's security policies. Which of the following is the MOST effective method?

A company's data classification policy labels all financial data as 'Confidential.' An employee accidentally emails a spreadsheet containing customer payment information to an unauthorized external party. Which type of control failure occurred?

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

Question 6hardmultiple choice
Read the full NAT/PAT explanation →

A multinational corporation is implementing a privacy program that must comply with both GDPR and CCPA. Which approach to privacy impact assessments (PIAs) is most appropriate?

An organization's risk appetite is defined as 'low' for data privacy. Which of the following risk treatments is most aligned with this appetite?

A security architect is designing a system that must comply with FedRAMP Moderate controls. The system will use a cloud service provider (CSP) that is already FedRAMP Authorized. What is the primary benefit of using this CSP?

Question 9easymultiple choice
Read the full VPN explanation →

A company's security policy requires that all remote access be conducted via VPN. An employee uses a personal device without VPN to access company email. Which type of policy violation is this?

An organization discovers that a vendor's data breach exposed customer PII. The contract with the vendor does not address breach notification. What is the BEST way to prevent this in the future?

A company's risk register shows a high-likelihood, high-impact risk related to ransomware. The cost to mitigate fully is $2M, while the expected annual loss is $500K. Which risk response is most appropriate?

Which TWO of the following are key components of a governance framework? (Select TWO)

Which THREE of the following are required for a valid Business Associate Agreement (BAA) under HIPAA? (Select THREE)

Which TWO of the following are examples of administrative controls? (Select TWO)

Which THREE of the following are common challenges when implementing a vendor risk management program? (Select THREE)

You are the security architect for a mid-sized e-commerce company that processes credit card payments. The company must comply with PCI DSS. Currently, the cardholder data environment (CDE) includes a web server, an application server, and a database server, all on the same flat network segment. The QSA has identified that the CDE is not properly segmented, and network access controls are insufficient. The company wants to minimize the scope of PCI compliance by reducing the number of systems that handle cardholder data. You propose implementing network segmentation to isolate the CDE. Which of the following is the most effective approach to reduce PCI scope while maintaining business functionality?

You are a security consultant for a law firm that handles highly confidential client data. The firm wants to implement a data loss prevention (DLP) solution to prevent sensitive data from leaving the network via email. The firm's email system is Microsoft 365. The DLP policy must comply with the firm's data classification policy, which identifies 'Legal Strategy' as top secret and 'Client Contact Info' as confidential. The firm also wants to allow attorneys to send confidential information to clients with a business justification. Which of the following DLP rule configurations best meets these requirements?

Question 18mediummultiple choice
Read the full NAT/PAT explanation →

A multinational corporation must comply with GDPR, CCPA, and LGPD. The CISO proposes a unified data classification policy. Which approach best minimizes compliance conflicts?

A security engineer is reviewing firewall logs and finds multiple failed SSH attempts from an internal IP. Which control should be implemented to reduce this risk?

A healthtech startup is developing a mobile app that collects PHI. They plan to use a third-party cloud provider for data storage. What is the most critical compliance requirement before signing the contract?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Governance, Risk and Compliance sessions

Start a Governance, Risk and Compliance only practice session

Every question in these sessions is drawn from the Governance, Risk and Compliance domain — nothing else.

Related practice questions

Related CAS-004 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CAS-004 exam test about Governance, Risk and Compliance?
Governance, Risk and Compliance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Governance, Risk and Compliance questions in a focused session?
Yes — the session launcher on this page draws every question from the Governance, Risk and Compliance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CAS-004 topics?
Use the topic links above to move to related areas, or go back to the CAS-004 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CAS-004 exam covers. They are not copied from any real exam or dump site.