The GRC approach to cybersecurity management — Quiz
The GRC approach to cybersecurity management
1. In the context of the NIST Cybersecurity Framework (CSF) 2.0, which function and category is primarily responsible for establishing, agreeing to, and communicating the organization's cybersecurity risk appetite and tolerance? (Choose one answer)
a) GOVERN (GV) - Policy (GV.PO)
b) IDENTIFY (ID) - Risk Assessment (ID.RA)
c) GOVERN (GV) - Risk Management Strategy (GV.RM)
d) GOVERN (GV) - Oversight (GV.OV)

2. According to the section, what is the correct hierarchical relationship between the core governance artifacts? (Choose one answer)
a) Standards define the step-by-step instructions, which are authorized by high-level Policies
b) Procedures state the strategic "what and why," while Policies provide the mandatory "how"
c) Policies state management intent, Standards set the mandatory rules required to comply with policy, and Procedures provide the implementation steps
d) Guidelines are mandatory baselines, from which flexible Policies are derived

3. An organization is using the NIST Risk Management Framework (RMF), SP 800-37 Rev. 2. In which step would the activity of formally assessing implemented controls for effectiveness most likely occur? (Choose one answer)
a) SELECT
b) IMPLEMENT
c) ASSESS
d) AUTHORIZE

4. Which of the following best describes the relationship between the broader "compliance management lifecycle" and a "compliance audit"? (Choose one answer)
a) They are interchangeable terms for the same process
b) The audit is a formal evaluation event within the larger, ongoing compliance management lifecycle
c) The compliance management lifecycle is a sub-process that occurs after an audit is complete
d) The audit defines the scope and rules, which the lifecycle then implements

5. When measuring a GRC program, which type of metric is designed to be forward-looking and to serve as an early warning signal of a potential increase in risk exposure? (Choose one answer)
a) Key Performance Indicator (KPI)
b) Key Risk Indicator (KRI)
c) Operational Benchmark
d) Compliance Target