Crucial Exams

ISC2 Governance, Risk and Compliance (CGRC) Practice Question

During a quarterly continuous-monitoring meeting, the ISSO learns that a CVSS 9.8 privilege-escalation flaw was announced for the system's operating system. A vendor patch has passed internal testing and is available. Organizational policy, aligned with FISMA, requires critical patches be applied within 15 days or formally accepted as risk. Which action BEST maintains compliance?

  • Schedule installation of the patch in the next approved maintenance window within 15 days and document the action in the POA&M.

  • Request a waiver from the Authorizing Official to delay patching until the next major operating-system upgrade in six months.

  • Disable the affected listening port and close the vulnerability ticket as permanently mitigated without installing the patch.

  • Note the vulnerability in meeting minutes and postpone any action until the next quarterly review.

ISC2 Governance, Risk and Compliance (CGRC)
Compliance Maintenance
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot