Bash, the Crucial Exams Chat Bot
AI Bot
ISC2 CGRC Core Concepts Flashcards
ISC2 Governance, Risk and Compliance (CGRC) Flashcards
| Front | Back |
| What are the six steps of the RMF process? | Categorize, Select, Implement, Assess, Authorize, Monitor |
| What does CGRC stand for? | Certified Governance, Risk and Compliance |
| What does NIST SP 800-53 provide guidance on? | Security and privacy controls for federal information systems and organizations |
| What does risk management aim to achieve? | Identifying, assessing, and addressing risks to meet organizational goals |
| What does segregation of duties (SoD) help prevent? | Fraud and errors by dividing responsibilities among multiple individuals |
| What is a control in risk management? | A measure or mechanism implemented to mitigate or reduce risk |
| What is a Key Risk Indicator (KRI)? | A metric that signals a potential risk event or threshold breach |
| What is a vulnerability assessment? | An evaluation to identify weaknesses in systems and processes that could be exploited |
| What is compliance in the context of GRC? | Adhering to laws, regulations, and organizational policies |
| What is the difference between inherent risk and residual risk? | Inherent risk is the natural risk before controls, while residual risk is the remaining risk after controls |
| What is the difference between qualitative and quantitative risk assessment? | Qualitative uses subjective judgment, while quantitative uses numerical data and analysis |
| What is the function of an authorization official (AO) in the RMF? | To approve the system to operate based on risk assessment and management activities |
| What is the goal of continuous monitoring in the RMF? | To maintain an ongoing awareness of security and risk posture |
| What is the primary focus of governance in GRC? | Establishing policies and ensuring accountability for organizational objectives |
| What is the purpose of a control assessment? | To evaluate the effectiveness of implemented security or privacy controls |
| What is the purpose of a policy in governance? | To provide high-level guidance and principles for decision-making and behavior |
| What is the purpose of a risk assessment? | To identify and prioritize risks for mitigation and decision-making |
| What is the purpose of a risk tolerance statement? | To define the acceptable level of risk an organization is willing to take |
| What is the role of a compliance audit? | To ensure that processes, policies, and controls align with regulations and standards |
| What is the role of the Risk Management Framework (RMF)? | To provide a structured process for managing information system risks |
| What is the significance of a standard in GRC? | Standards define specific requirements and benchmarks to ensure consistency and compliance |
| What is threat modeling? | A process of identifying potential threats to an information system and assessing their impact |
| Who is responsible for overseeing governance in an organization? | The board of directors or senior leadership |
Front
What is the purpose of a policy in governance?
Click the card to flip
Back
To provide high-level guidance and principles for decision-making and behavior
Front
What is the purpose of a risk tolerance statement?
Back
To define the acceptable level of risk an organization is willing to take
Front
What is the purpose of a risk assessment?
Back
To identify and prioritize risks for mitigation and decision-making
Front
What is the goal of continuous monitoring in the RMF?
Back
To maintain an ongoing awareness of security and risk posture
Front
What is the role of a compliance audit?
Back
To ensure that processes, policies, and controls align with regulations and standards
Front
What is a Key Risk Indicator (KRI)?
Back
A metric that signals a potential risk event or threshold breach
Front
What is the primary focus of governance in GRC?
Back
Establishing policies and ensuring accountability for organizational objectives
Front
What is threat modeling?
Back
A process of identifying potential threats to an information system and assessing their impact
Front
What is a vulnerability assessment?
Back
An evaluation to identify weaknesses in systems and processes that could be exploited
Front
What is the purpose of a control assessment?
Back
To evaluate the effectiveness of implemented security or privacy controls
Front
What is compliance in the context of GRC?
Back
Adhering to laws, regulations, and organizational policies
Front
What does CGRC stand for?
Back
Certified Governance, Risk and Compliance
Front
Who is responsible for overseeing governance in an organization?
Back
The board of directors or senior leadership
Front
What is the difference between qualitative and quantitative risk assessment?
Back
Qualitative uses subjective judgment, while quantitative uses numerical data and analysis
Front
What is the function of an authorization official (AO) in the RMF?
Back
To approve the system to operate based on risk assessment and management activities
Front
What is the significance of a standard in GRC?
Back
Standards define specific requirements and benchmarks to ensure consistency and compliance
Front
What does risk management aim to achieve?
Back
Identifying, assessing, and addressing risks to meet organizational goals
Front
What is the role of the Risk Management Framework (RMF)?
Back
To provide a structured process for managing information system risks
Front
What does segregation of duties (SoD) help prevent?
Back
Fraud and errors by dividing responsibilities among multiple individuals
Front
What is the difference between inherent risk and residual risk?
Back
Inherent risk is the natural risk before controls, while residual risk is the remaining risk after controls
Front
What are the six steps of the RMF process?
Back
Categorize, Select, Implement, Assess, Authorize, Monitor
Front
What does NIST SP 800-53 provide guidance on?
Back
Security and privacy controls for federal information systems and organizations
Front
What is a control in risk management?
Back
A measure or mechanism implemented to mitigate or reduce risk
1/23
This deck provides an overview of fundamental concepts, terms, and roles related to governance, risk, and compliance within the context of the CGRC exam.