Crucial Exams

ISC2 Governance, Risk and Compliance (CGRC) Practice Question

While updating the System Security Plan for a moderate-impact information system that processes employee Social Security numbers, you need to demonstrate compliance with federal PII handling requirements. Which tailoring decision best satisfies the data minimization principle during control selection?

  • Configure audit log retention to keep all PII records for seven years to aid potential litigation.

  • Require AES-256 encryption for all databases that contain Social Security numbers at rest.

  • Implement a mandatory two-person approval workflow before any user can view Social Security number records.

  • Replace the stored Social Security number with a system-generated unique employee identifier unless a statute specifically requires the SSN.

ISC2 Governance, Risk and Compliance (CGRC)
Selection and Approval of Framework, Security, and Privacy Controls
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot