ISC2-CGRC Domain 3: Selection and Approval of Security and Privacy Controls

1. Which of the following is the PRIMARY goal of the privacy impact assessment (PIA) in the context of selecting and approving security and privacy controls?
A. To evaluate the financial impact of potential data breaches.
B. To assess how personal information is collected, used, stored, and disposed of.
C. To identify the technical vulnerabilities in an information system.
D. To measure the effectiveness of existing security controls.

2. In the selection of security controls for an IT system, which of the following factors should be considered FIRST?
A. The cost of implementing the controls.
B. The ease of integrating controls with existing systems.
C. The impact on system performance.
D. The system's risk assessment results.

3. Which of the following BEST describes the purpose of the 'minimum necessary' principle in privacy control selection?
A. To limit user access rights to the least privileges required to perform job duties.
B. To minimize the number of security controls to reduce costs.
C. To ensure the collection of personal data is limited to what is strictly necessary for the intended purpose.
D. To reduce the amount of data stored on systems to the minimum required for processing.

4. What is the role of 'data masking' in the context of privacy controls?
A. To encrypt data in transit to prevent interception.
B. To obscure specific data within a database to protect sensitive information.
C. To delete outdated or unnecessary data from systems.
D. To monitor data access and alert on unauthorized attempts.

5. What is the PRIMARY purpose of including 'user training and awareness' as part of security control selection?
A. To comply with industry best practices and standards.
B. To ensure users are capable of using the IT systems efficiently.
C. To reduce the risk of security incidents caused by user error or negligence.
D. To prepare users for eventual certification in cybersecurity.

6. How does the concept of 'least privilege' influence the selection of access control measures?
A. By ensuring that all users have equal access rights to IT resources.
B. By granting users only the access rights necessary to perform their job functions.
C. By restricting access to IT systems to senior management only.
D. By allowing unrestricted access to resources for audit purposes.

7. What is the primary objective of 'continuous monitoring' in the context of security and privacy control approval?
A. To provide real-time data on system performance metrics.
B. To ensure that controls remain effective over time and adapt to changes in the threat environment.
C. To reduce the workload of IT staff by automating compliance reporting.
D. To increase the speed of incident response and recovery operations.

8. When determining the applicability of security controls for a multinational organization, which factor is MOST critical to consider due to varying legal jurisdictions?
A. The uniformity of IT infrastructure across all regions.
B. The differences in data protection laws across countries where the organization operates.
C. The centralization of the organization's data processing facilities.
D. The global standardization of security control frameworks.

9. In the context of privacy controls, what is the PRIMARY purpose of consent management?
A. To track and manage user preferences for marketing communications.
B. To ensure that data subjects' consent is obtained, recorded, and managed in compliance with privacy regulations.
C. To limit the organization's liability in case of data breaches.
D. To automate the deletion of personal data upon request.

10. Which of the following best illustrates the concept of 'privacy by design' in developing new software applications?
A. Adding encryption modules to the application after its initial release.
B. Incorporating data protection features into the application from the outset of its design.
C. Conducting a privacy impact assessment (PIA) once the application is deployed.
D. Implementing access controls based on user feedback during the beta testing phase.

11. What is the significance of 'data minimization' in selecting privacy controls?
A. It ensures the maximum amount of data is collected for comprehensive analytics.
B. It prioritizes the collection of personal data over other types of data.
C. It limits the collection, storage, and usage of personal data to what is strictly necessary.
D. It focuses on minimizing the cost of data storage solutions.

12. In the approval process of security and privacy controls, which entity is typically responsible for granting the Authorization to Operate (ATO)?
A. The Chief Information Security Officer (CISO).
B. The system owner.
C. The Information Technology department.
D. A senior official or executive within the organization.

13. How does the integration of security and privacy controls within an enterprise risk management (ERM) framework benefit an organization?
A. It simplifies the audit process by reducing the number of controls to be tested.
B. It ensures that all security and privacy risks are addressed independently of business risks.
C. It provides a holistic view of organizational risk, incorporating security and privacy risks into the overall risk management process.
D. It focuses solely on mitigating financial risks associated with data breaches.

14. What role do 'third-party risk assessments' play in the selection of security and privacy controls for vendor management?
A. They determine the financial stability of third-party vendors.
B. They assess the alignment of vendors' security and privacy practices with the organization's requirements.
C. They evaluate the marketing strategies of third-party vendors.
D. They focus on optimizing the cost-effectiveness of third-party services.

15. When selecting security and privacy controls for an information system, the concept of 'security control inheritance' is used to:
A. Borrow controls from lower-tier systems to apply to high-tier systems for cost savings.
B. Apply a set of standardized controls across all organizational systems uniformly.
C. Utilize controls already implemented by other systems or common infrastructure components.
D. Ensure that each system develops its unique set of controls without influence from existing systems.

16. In the approval process for new security and privacy controls, what is the PRIMARY purpose of a 'gap analysis'?
A. To identify the differences between current control implementations and best practice benchmarks.
B. To calculate the financial impact of potential security breaches.
C. To determine the effectiveness of the organization's marketing strategies.
D. To optimize the performance of the IT infrastructure.

17. How does 'anonymization' of data influence the selection of privacy controls within an organization?
A. It eliminates the need for privacy controls by permanently removing all identifying information from data sets.
B. It requires the implementation of additional controls to manage the risks associated with data processing.
C. It is considered a form of privacy control that reduces the risk to data subjects by making re-identification impossible.
D. It increases the complexity of data processing systems, necessitating more sophisticated privacy controls.