Governance, Risk, and Compliance Questions
Practice questions for the Governance, Risk, and Compliance topic in CompTIA SecurityX. 20 questions covering this domain.
A security program manager receives audit findings indicating that security controls are not consistently applied across business units. The root caus...
An organization's security team has completed a quantitative risk assessment. The ALE for a specific threat scenario is $500,000. A proposed control c...
What does a RACI matrix define in a security program?
Which document type in a security program defines the mandatory rules that all employees must follow?
An organization operating in the payment card industry must select a compliance framework to govern cardholder data protection. Which industry-specifi...
Which threat modeling framework categorizes threats using the mnemonic STRIDE?
Which risk assessment method assigns numerical monetary values to assets and potential losses?
During a threat modeling session for a new web application, the team maps all external data flows crossing trust boundaries. Which threat modeling art...
A GRC analyst needs to maintain a record of all hardware and software assets along with their configuration states across the enterprise. Which tool c...
A security architect is reviewing a third-party SaaS provider contract. The provider will process regulated financial data on behalf of the organizati...
A security architect is asked to assess the attack surface of a newly proposed API integration between two business systems. Which artifact should the...
Which compliance framework provides a set of controls and management guidelines specifically aligned to information security management systems (ISMS)...
Which IT governance framework provides a set of principles and practices for governing and managing enterprise IT, including security oversight?
Which component of the MITRE ATT&CK framework describes the specific methods adversaries use to achieve a tactical objective?
A security program manager discovers that the organization relies heavily on a single cloud provider for critical business operations, with no alterna...
An organization subject to ISO/IEC 27001 certification is preparing for its surveillance audit. The auditor will specifically examine whether the orga...
An organization's security team conducts an annual phishing simulation as part of its security awareness program. After the simulation, users who clic...
A GRC analyst is mapping organizational security controls to multiple regulatory frameworks simultaneously. Which GRC tool capability BEST supports th...
A multinational organization must comply with both PCI DSS and ISO/IEC 27001 simultaneously. The security team wants to avoid maintaining two complete...
What is the purpose of a data governance policy that distinguishes between production, development, testing, and QA environments?