Question 1

RydSecure is assessing the security controls of a multinational corporation's complex information system. The corporation has several subsidiaries, and the information system contains sensitive financial and customer data. As an authorization professional, you understand the importance of assessor independence in ensuring an unbiased and objective assessment. You have narrowed down the selection to four potential assessors. Each assessor has their own set of circumstances that could potentially affect their independence. Based on the information provided, which assessor is MOST LIKELY to maintain the highest level of independence during the evaluation of the multinational corporation's information system?

Options :

A : An assessor who recently completed a consulting engagement for one of the corporation-s subsidiaries, during which they reviewed and provided recommendations for improving the subsidiary-s security controls

B : An assessor who is married to a high-ranking executive working for one of the corporation-s main competitors in the same industry

C : An assessor who has a sibling working in the corporation-s IT department, but the sibling is not involved in the development, implementation, or management of the information system-s security controls

D : An assessor who, three years ago, worked as an internal auditor for the corporation and was responsible for auditing the information system-s security controls but left on good terms

Answer: C

Question 2

In the NIST RMF, who is responsible for developing the system security plan and ensuring that the appropriate security controls are selected and implemented?

Options :

A : System owner

B : Information security officer

C : Authorizing official

D : Security control assessor

Answer: A

Question 3

Ratio Corp is in the process of selecting security controls for a new information system. Which of the following is NOT a valid control selection method according to NIST guidelines?

Options :

A : Using a risk-based approach to determine the appropriate controls

B : Selecting controls based solely on cost-effectiveness

C : Implementing controls that are required by law, regulation, or policy

D : Adopting controls that are consistent with industry standards and best practices

Answer: B

Question 4

What NIST special publication provides guidance on continuous monitoring?

Options :

A : NIST SP 800-53

B : NIST SP 800-37

C : NIST SP 800-137

D : NIST SP 800-160

Answer: C

Question 5

Which of the following best describes the benefits of using automation to support control assessments in the context of an information security program?

Options :

A : Automation completely eliminates the need for manual control assessments and human intervention

B : Automation reduces the time and effort required for control assessments by providing continuous monitoring and real-time reporting

C : Automation ensures that all security controls are implemented flawlessly, with no room for error

D : Automation guarantees that all assessed security controls will receive the highest possible effectiveness rating

Answer: B

Higher Test Marks with Free Online CGRC Exam Practice

Buying Options: