ISC2 Governance, Risk and Compliance (CGRC) Practice Question

During a compliance assessment of a federal agency's document-management system, you learn that several archived policy files may have been modified after their official approval. The system owner wants a safeguard that will make any future tampering immediately evident and discourage unauthorized changes throughout the documents' long-term retention. Which mechanism best meets this need?

Implement role-based access control so only authorized users can read or write the archives
Encrypt the files with AES-256 during storage and transmission
Apply a digital signature to each archived document and verify the signature on access or during periodic audits
Maintain redundant copies of the archives in geographically separate data centers

Report Issue

Answer Description

A digital signature combines a cryptographic hash of the document with the signer's private key, producing a value that can later be verified with the corresponding public key. Because any change to the document alters the underlying hash, the signature verification will fail, immediately revealing unauthorized modifications and thereby deterring tampering. Role-based access control restricts who can access or change files but cannot prove that content remains unchanged. Encrypting with AES-256 without authentication maintains confidentiality, not integrity. Geographic redundancy focuses on availability and does not detect or deter content alteration. Therefore, applying digital signatures to each stored policy file is the most effective approach for preserving long-term integrity.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.