ISC2 Governance, Risk and Compliance (CGRC) Practice Question

During a periodic review of an HR payroll application, you learn that employee Social Security numbers are being sent to an overseas payroll processor, a data transfer that was never documented or approved. Which action should you take first?

  • Notify affected employees and regulators within 72 hours because every undocumented transfer is automatically a breach.

  • Update the data-flow diagram to document the new cross-border path, then schedule a compliance review.

  • Suspend the unapproved transfer at once and initiate a formal investigation and risk assessment.

  • Tokenize all stored Social Security numbers before taking any other action.

Security and Privacy Governance, Risk Management, and Compliance Program