ISC2 Governance, Risk and Compliance (CGRC) Practice Question

During development of a mission-critical federal payroll system, the security team determines the information type is High for confidentiality, integrity, and availability under FIPS 199. When defining the initial security control baseline in the System Security Plan (SSP) using NIST SP 800-53 Rev. 5, which approach BEST reflects how a high-impact baseline is constructed?

  • Start with the low baseline, incorporate every control from the low and moderate baselines, and then add the additional controls and enhancements designated for high-impact systems.

  • Begin with the moderate baseline and add only those control enhancements the authorizing official deems cost-effective for the project.

  • Replace the security baseline with the NIST privacy overlay, since high-impact systems always process personally identifiable information (PII).

  • Select controls that mitigate confidentiality threats, because availability and integrity are already protected by the organization's common controls.

Selection and Approval of Framework, Security, and Privacy Controls