ISC2 Governance, Risk and Compliance (CGRC) Practice Question
While drafting the System Security Plan for a new web-based employee benefits portal, which of the following pieces of information best satisfies the requirement to describe the system's overall purpose and functionality from a business and operational perspective?
A narrative explaining how the portal enables employees to enroll in benefits, identifies its primary user groups, and summarizes key functions such as payroll data exchange and HR reporting.
The most recent vulnerability scan results with associated findings and remediation deadlines.
A network topology diagram that maps routers, switch ports, and firewall access control lists protecting the data center.
A detailed inventory of each server's IP address, operating system version, and applied security patches.
NIST SP 800-18 Rev. 1 directs preparers of a System Security Plan to include a high-level description of the system that explains what mission or business processes it supports, who uses it, and the major functions it performs. Providing a concise narrative that links the portal to employee onboarding and open-enrollment activities, identifies its primary users (employees and HR staff), and summarizes key capabilities (benefit selection, payroll data exchange, reporting) addresses exactly that requirement. Detailed technical artifacts, such as IP address inventories, network topology diagrams, or vulnerability scan results, belong in other sections of the SSP or in supporting documents; they do not by themselves convey the system's business purpose and operational function.
Scope of the System