Question 1

During a system authorization process, the authorizing official is not satisfied with the risk assessment report's level of detail. What should the system owner do in this situation?

Options :

A : Proceed with the authorization process without addressing the concern.

B : Revise the risk assessment report to address the authorizing official-s concerns.

C : Request a third-party assessment of the system-s risks.

D : Consult the information security officer for guidance.

Answer: B

Question 2

Which of the following is true about common controls?

Options :

A : Common controls promote more cost-effective and consistent information security across the organization

B : Common controls are easier to implement

C : Common controls are the same as hybrid controls

D : Common controls cannot be implemented in the cloud

Answer: A

Question 3

What is the purpose of a security control baseline?

Options :

A : To establish a standard set of security controls that can be applied to all federal information systems and organizations

B : To define the criticality of information assets and systems within an organization

C : To establish the requirements for compliance with legal and regulatory frameworks

D : To define the rules for incident response and reporting

Answer: A

Question 4

RydSecure is assessing the security controls of a multinational corporation's complex information system. The corporation has several subsidiaries, and the information system contains sensitive financial and customer data. As an authorization professional, you understand the importance of assessor independence in ensuring an unbiased and objective assessment. You have narrowed down the selection to four potential assessors. Each assessor has their own set of circumstances that could potentially affect their independence. Based on the information provided, which assessor is MOST LIKELY to maintain the highest level of independence during the evaluation of the multinational corporation's information system?

Options :

A : An assessor who recently completed a consulting engagement for one of the corporation-s subsidiaries, during which they reviewed and provided recommendations for improving the subsidiary-s security controls

B : An assessor who is married to a high-ranking executive working for one of the corporation-s main competitors in the same industry

C : An assessor who has a sibling working in the corporation-s IT department, but the sibling is not involved in the development, implementation, or management of the information system-s security controls

D : An assessor who, three years ago, worked as an internal auditor for the corporation and was responsible for auditing the information system-s security controls but left on good terms

Answer: C

Question 5

In the prepare step of the NIST RMF, which of the following should be established to ensure an effective risk management process?

Options :

A : A communication process for risk-related information

B : A continuous monitoring strategy

C : A system security plan

D : An incident response plan

Answer: A

Free CGRC Mock Exam – Practice Online Confidently

Buying Options: