Governance, Risk, and Compliance for CompTIA SecurityX

This page covers the Governance, Risk, and Compliance domain of the CompTIA SecurityX certification. Master Cybersecurity offers 15 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    A global organization is reviewing potential vendors to outsource a critical payroll function. Each vendor's plan includes using local resources in multiple regions to ensure compliance with all regulations. The organization's Chief Information Security Officer is conducting a risk assessment on the potential outsourcing vendors' subprocessors. Which of the following best explains the need for this risk assessment?
    1. A. Risk mitigations must be more comprehensive than the existing payroll provider.
    2. B. Due care must be exercised during all procurement activities.
    3. C. The responsibility of protecting PII remains with the organization.
    4. D. Specific regulatory requirements must be met in each jurisdiction.
    Explanation

    The correct answer is: C. The responsibility of protecting PII remains with the organization.

    Under the GDPR and most modern privacy regimes, the data controller remains accountable for personal data even when processing is outsourced (GDPR Art. 5(2) and Art. 24). That accountability flows down the chain: a processor may engage a subprocessor only with the controller's authorization, must impose the same data-protection obligations on it, and remains fully liable to the controller if the subprocessor fails (Art. 28(2) and 28(4)). The CISO therefore assesses subprocessor risk directly rather than relying on the primary vendor's assurances. NIST SP 800-161 takes the same view of the supply chain, treating lower-tier suppliers as part of the acquirer's risk, and the cloud shared-responsibility model likewise leaves responsibility for the customer's data with the customer. Requiring mitigations more comprehensive than the incumbent's is not a foundational rationale; controls equivalent to the incumbent's may suffice if they meet policy. Due care is the general duty that motivates diligence in any procurement, but it does not explain why subprocessors in particular must be examined. Meeting each jurisdiction's regulatory requirements is necessary, but it is a consequence of retained responsibility rather than its basis; the controller assesses subprocessors precisely because the data-protection obligation never leaves the controller.

  2. Question 2

    An analyst wants to conduct a risk assessment on a new application that is being deployed. Given the following information:
    Total budget allocation for the new application is unavailable.
    Recovery time objectives have not been set.
    Downtime loss calculations cannot be provided.
    Which of the following statements describes the reason a qualitative assessment is the best option?
    1. A. The analyst has previous work experience in application development.
    2. B. Sufficient metrics are not available to conduct other risk assessment types.
    3. C. An organizational risk register tracks all risks and mitigations across business units.
    4. D. The organization wants to find the monetary value of any outages.
    Explanation

    The correct answer is: B. Sufficient metrics are not available to conduct other risk assessment types.

    A quantitative risk assessment requires monetary inputs such as asset value, exposure factor, single loss expectancy (SLE), annualized rate of occurrence (ARO), and annualized loss expectancy (ALE = SLE x ARO), plus operational parameters such as RTO and downtime cost per hour. None of those data points is available here: the budget (a proxy for asset value) is unknown, no RTO has been set, and downtime loss cannot be calculated. When the metrics are missing, NIST SP 800-30 and ISO/IEC 27005 both recognize a qualitative method, which scores likelihood and impact on ordinal scales, as the appropriate approach; it produces a defensible relative ranking until better data exists. Prior application-development experience does not change which method is appropriate; methodology selection is driven by data availability, not analyst background. An organizational risk register is where results are recorded, not a reason to choose qualitative over quantitative. Wanting the monetary value of outages would argue for a quantitative or semi-quantitative approach, and the missing inputs make that impossible, so it cannot be the rationale.
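    The decision the explanation describes, as an added example that is not part of the original question bank: run an ALE-based quantitative assessment when asset value, exposure factor, ARO, RTO and downtime cost are all present, and fall back to an ordinal likelihood-by-impact matrix when any of them is missing. The dataclass field names, the 5x5 scale labels and rating thresholds, and the treatment of downtime loss as a separate annualized term (RTO x cost per hour x ARO) are assumptions made here for illustration, not values taken from NIST SP 800-30 or ISO/IEC 27005.

```python
"""Added example, not from the original question bank: choose between a
quantitative and a qualitative risk assessment according to which inputs the
analyst actually has, then run the applicable method.

Formulas are the standard ones named in the explanation:
    SLE = asset value * exposure factor
    ALE = SLE * ARO
Annualized downtime loss (RTO * cost per hour * ARO) is a modeling choice made
here for illustration; the 5x5 ordinal scales and rating thresholds are also
assumptions, not values from NIST SP 800-30 or ISO/IEC 27005.
"""
from dataclasses import dataclass, fields
from typing import Dict, List, Optional


@dataclass
class RiskInputs:
    """Metrics for the new application. None means the metric is unavailable,
    which is the situation in the question."""
    asset_value: Optional[float] = None              # budget / replacement value
    exposure_factor: Optional[float] = None          # fraction lost per incident, 0..1
    aro: Optional[float] = None                      # annualized rate of occurrence
    rto_hours: Optional[float] = None                # recovery time objective
    downtime_cost_per_hour: Optional[float] = None   # loss per hour of outage


def missing_quantitative_metrics(inputs: RiskInputs) -> List[str]:
    """Names of the inputs an ALE-based assessment needs but does not have."""
    return [f.name for f in fields(inputs) if getattr(inputs, f.name) is None]


def choose_method(inputs: RiskInputs) -> str:
    """Method selection is driven by data availability, not analyst background."""
    return "qualitative" if missing_quantitative_metrics(inputs) else "quantitative"


def quantitative_assessment(inputs: RiskInputs) -> Dict[str, float]:
    """SLE, ALE and annualized downtime loss. Refuses to run on missing data
    instead of silently substituting guesses."""
    missing = missing_quantitative_metrics(inputs)
    if missing:
        raise ValueError(f"quantitative assessment not possible; missing {missing}")
    if not 0.0 <= inputs.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    sle = inputs.asset_value * inputs.exposure_factor
    ale = sle * inputs.aro
    downtime_loss = inputs.rto_hours * inputs.downtime_cost_per_hour * inputs.aro
    return {"sle": sle, "ale": ale, "annual_downtime_loss": downtime_loss,
            "total_annual_loss": ale + downtime_loss}


# Ordinal scales for the qualitative method (assumed labels and thresholds).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def qualitative_assessment(likelihood: str, impact: str) -> Dict[str, object]:
    """Score = likelihood * impact on a 5x5 matrix, bucketed into a rating.
    The result is a relative ranking, not a monetary figure."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 15:
        rating = "high"
    elif score >= 8:
        rating = "medium"
    else:
        rating = "low"
    return {"score": score, "rating": rating}


def assess(inputs: RiskInputs, likelihood: str, impact: str) -> Dict[str, object]:
    """Run whichever method the available data supports and record why."""
    method = choose_method(inputs)
    if method == "quantitative":
        result = quantitative_assessment(inputs)
        reason = "all monetary and operational inputs available"
    else:
        result = qualitative_assessment(likelihood, impact)
        reason = "missing metrics: " + ", ".join(missing_quantitative_metrics(inputs))
    return {"method": method, "reason": reason, "result": result}


if __name__ == "__main__":
    # The question's scenario: budget, RTO and downtime loss all unknown.
    print(assess(RiskInputs(), likelihood="possible", impact="major"))
    # The same application once finance and the business have supplied figures.
    known = RiskInputs(asset_value=200_000, exposure_factor=0.25, aro=2.0,
                       rto_hours=4, downtime_cost_per_hour=5_000)
    print(assess(known, likelihood="possible", impact="major"))
```

    The point of `assess` recording a reason is the same one the explanation makes: the choice of method is a documented consequence of which data exists, so when the figures later arrive the assessment can be redone quantitatively and the register shows why the earlier result was only a ranking.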

  3. Question 3

    An organization's load balancers have reached EOL and are scheduled to be replaced. The organization identified a new, critical vulnerability that affects an unused function of the load balancers. Which of the following are the best ways to address the risk to the organization? (Choose two.)
    1. A. Request a risk acceptance for the vulnerability indefinitely.
    2. B. Request a risk acceptance for the vulnerability for 90 days.
    3. C. Exclude the devices from vulnerability scans.
    4. D. Do not allow any network traffic to or from the hardware.
    5. E. Disable the vulnerable service.
    6. F. Immediately decommission the hardware.
    Explanation

    The correct answers are: B. Request a risk acceptance for the vulnerability for 90 days; E. Disable the vulnerable service.

    Because the vulnerable function is unused and the hardware is already scheduled for retirement, the proportionate response is to disable the vulnerable service and accept the residual risk for a bounded period such as 90 days while decommissioning proceeds. Disabling the service should be verified, for example by confirming in the next authenticated or network scan that it no longer responds, since the acceptance covers only the residual risk after that control is in place. Time-bounded risk acceptance with a named owner and a defined expiration is consistent with NIST RMF and ISO/IEC 27005, which expect accepted risks to be recorded and re-evaluated on a schedule; the expiry forces a review if the decommission slips. Indefinite risk acceptance is inappropriate because it removes the forcing function that ensures the EOL replacement actually happens and ignores the possibility that the unused function could later be enabled. Excluding the devices from vulnerability scans is a governance anti-pattern that hides risk rather than treating it, and it also removes the evidence that the service stays disabled. Cutting all network traffic would break the production load-balancing function the devices still perform until replacement. Immediately decommissioning the hardware is unrealistic for a load balancer in active production use and would cause an outage whose impact exceeds the original risk.

  4. Question 4

    A compliance officer is reviewing the data sovereignty laws in several countries where the organization has no presence. Which of the following is the most likely reason for reviewing these laws?
    1. A. The organization is performing due diligence of potential tax issues.
    2. B. The organization has been subject to legal proceedings in countries where it has a presence.
    3. C. The organization is concerned with new regulatory enforcement in other countries.
    4. D. The organization has suffered brand reputation damage from incorrect media coverage.
    Explanation

    The correct answer is: C. The organization is concerned with new regulatory enforcement in other countries..

    Reviewing data sovereignty laws in countries where the organization has no physical presence is most consistent with monitoring new regulatory enforcement, because modern privacy regimes such as the GDPR, the UK GDPR, Brazil's LGPD, China's PIPL, and several U.S. state laws apply extraterritorially: the GDPR, for example, reaches any organization that offers goods or services to, or monitors the behavior of, people in the EU regardless of where it is established (Art. 3(2)), and similar reach exists in the other regimes. A compliance officer therefore tracks these laws to anticipate notification, lawful-basis, cross-border transfer, and data-localization obligations even without a local office. Tax due diligence is performed by finance and tax functions and is unrelated to data sovereignty. Existing legal proceedings would already be tied to jurisdictions where the company has a presence, so they do not explain a forward-looking review of countries with none. Brand reputation harm from media coverage is a communications matter, not a sovereignty compliance issue, so it does not motivate a legal review of foreign privacy statutes.

  5. Question 5

    Company A acquired Company B and needs to determine how the acquisition will impact the attack surface of the organization as a whole. Which of the following is the best way to achieve this goal? (Choose two.)
    1. A. Implementing DLP controls preventing sensitive data from leaving Company B's network
    2. B. Documenting third-party connections used by Company B
    3. C. Reviewing the privacy policies currently adopted by Company B
    4. D. Requiring data sensitivity labeling for all files shared with Company B
    5. E. Forcing a password reset requiring more stringent passwords for users on Company B's network
    6. F. Performing an architectural review of Company B's network
    Explanation

    The correct answers are: B. Documenting third-party connections used by Company B, F. Performing an architectural review of Company B's network.

    After an acquisition, the attack surface expands to include everything the acquired entity exposes, so the two highest-value steps are documenting Company B's third-party connections and performing an architectural review of Company B's network. Cataloging third-party connections reveals VPNs, APIs, B2B links, and vendor remote-access paths that now indirectly touch Company A and bring inherited supplier risk under NIST SP 800-161 and TPRM practice. An architectural review identifies internet-facing assets, trust boundaries, identity domains, and segmentation weaknesses, which is exactly the visibility M&A integration playbooks call for during cybersecurity due diligence. Deploying DLP at Company B addresses data exfiltration but does not measure attack surface. Reviewing privacy policies is a compliance step, not an attack-surface analysis. Mandating data sensitivity labels supports classification but is unrelated to enumerating exposure. Forcing password resets is a hygiene action that mitigates one credential-based risk but does not characterize the broader attack surface.
