ISC2 Governance, Risk and Compliance (CGRC) Practice Question
An assessment found missing multi-factor authentication on a critical system. Two weeks later the system owner deploys MFA and reports the issue closed. As lead assessor, what is the most appropriate next step to validate the corrective action?
Perform a focused follow-up assessment to test the new MFA control on the system.
Wait for the next scheduled annual audit to review MFA implementation in the normal cycle.
Document the owner's statement and mark the finding as resolved without additional testing.
Recalculate the residual risk using assumed control effectiveness and update the POA&M.
When a stakeholder reports that a deficiency has been corrected, the assessor must determine whether the new or revised control is implemented correctly and operating as intended before closing the finding. A focused follow-up or supplemental assessment, using examination, interview, and/or testing techniques directed at the specific control, provides objective evidence of effectiveness. Simply accepting the owner's statement, deferring review until the next full audit, or adjusting risk values without verification would leave the organization exposed if the control is misconfigured or ineffective (for example, MFA enforced for some accounts or access paths to the system but not for others). Therefore, conducting and documenting a targeted reassessment of the implemented MFA control is the correct response; only after that verification should the residual risk be recalculated and the POA&M updated to reflect the closed finding.
Assessment/Audit of Security and Privacy Controls