CompTIA Security+ Governance, Risk, and Compliance MCQs (201–250)
Governance, Risk, and Compliance (GRC) is a core domain of the Security+ exam. It defines how organizations establish security policies, assess risk, ensure compliance with international standards and regulations, and maintain overall governance.
201. Which of the following best defines “governance” in information security?
A) Daily IT operations
B) High-level direction and oversight by senior management
C) Implementing technical controls
D) Reviewing audit logs
✅ Correct Answer: B) High-level direction and oversight by senior management
Explanation: Governance is the responsibility of senior management, focusing on strategy, oversight, and ensuring that security aligns with business objectives.
202. Which international standard is widely used for Information Security Management Systems (ISMS)?
A) ISO/IEC 27001
B) NIST CSF
C) COBIT
D) ITIL
✅ Correct Answer: A) ISO/IEC 27001
Explanation: ISO/IEC 27001 provides a globally recognized ISMS framework, focusing on risk-based security management and continual improvement.
203. Which of the following is the primary objective of risk management?
A) Eliminate all risks
B) Reduce risk to an acceptable level
C) Increase operational efficiency
D) Eliminate threats completely
✅ Correct Answer: B) Reduce risk to an acceptable level
Explanation: Risk management aims to identify, assess, and reduce risk to a level acceptable to the organization—not to eliminate all risks.
204. Which type of control is a security policy?
A) Technical control
B) Administrative control
C) Physical control
D) Detective control
✅ Correct Answer: B) Administrative control
Explanation: Security policies fall under administrative controls since they provide guidelines and high-level direction.
205. Which law primarily governs data protection in the European Union?
A) HIPAA
B) SOX
C) GDPR
D) GLBA
✅ Correct Answer: C) GDPR
Explanation: The General Data Protection Regulation (GDPR) governs personal data protection across the EU and has global impact.
206. What is the main purpose of COBIT in information security?
A) Penetration testing methodology
B) Framework for IT governance and management
C) Data privacy law in the US
D) Cloud-specific security standard
✅ Correct Answer: B) Framework for IT governance and management
Explanation: COBIT (Control Objectives for Information and Related Technology) provides a framework for IT governance and aligning IT with business goals.
207. The concept of due care refers to:
A) Implementing preventive technical controls
B) Acting responsibly and reasonably to protect assets
C) Documenting all audit logs
D) Outsourcing risk to third parties
✅ Correct Answer: B) Acting responsibly and reasonably to protect assets
Explanation: Due care means acting as a reasonable person would to protect organizational assets and reduce risk.
208. The principle of least privilege helps in:
A) Minimizing insider threats
B) Reducing malware infections
C) Ensuring only administrators access systems
D) Increasing efficiency of IT teams
✅ Correct Answer: A) Minimizing insider threats
Explanation: Least privilege ensures users get only the access they need, reducing risk of insider threats or accidental misuse.
209. Which of the following frameworks is NIST’s guide for cybersecurity risk management?
A) NIST CSF
B) ISO 31000
C) COSO ERM
D) HIPAA
✅ Correct Answer: A) NIST CSF
Explanation: The NIST Cybersecurity Framework (CSF) provides guidance for risk-based cybersecurity practices, widely used in the USA.
210. In risk analysis, the Annualized Loss Expectancy (ALE) is calculated as:
A) SLE × EF
B) SLE × ARO
C) EF × ARO
D) ARO ÷ SLE
✅ Correct Answer: B) SLE × ARO
Explanation: ALE = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO). It measures the expected financial impact of a risk per year, where SLE itself is asset value × exposure factor (EF).
211. Which of the following is the primary purpose of risk management in cybersecurity?
A) To eliminate all risks
B) To identify, assess, and mitigate risks
C) To transfer risks to regulators
D) To accept all risks without control
✅ Correct Answer: B) To identify, assess, and mitigate risks
Explanation: Risk management is about systematically identifying, analyzing, and applying controls to reduce risks to acceptable levels. Risks cannot be fully eliminated.
212. A company outsources its payroll services to a third-party provider. What type of risk is this?
A) Strategic risk
B) Vendor risk
C) Compliance risk
D) Insider threat
✅ Correct Answer: B) Vendor risk
Explanation: Outsourcing introduces third-party/vendor risk since the organization depends on an external entity to manage sensitive employee data.
213. Which compliance regulation primarily governs healthcare data in the United States?
A) SOX
B) HIPAA
C) GDPR
D) PCI-DSS
✅ Correct Answer: B) HIPAA
Explanation: HIPAA (Health Insurance Portability and Accountability Act) ensures the confidentiality and security of patient healthcare data in the US.
214. PCI-DSS compliance is mandatory for organizations that handle:
A) Employee payroll data
B) Customer credit card information
C) Intellectual property data
D) Government intelligence reports
✅ Correct Answer: B) Customer credit card information
Explanation: The Payment Card Industry Data Security Standard (PCI-DSS) applies to all entities processing, storing, or transmitting credit/debit card data.
215. Which risk response strategy involves purchasing insurance to cover financial losses?
A) Risk avoidance
B) Risk acceptance
C) Risk transfer
D) Risk mitigation
✅ Correct Answer: C) Risk transfer
Explanation: Risk transfer shifts responsibility to a third party, often via insurance or outsourcing, to handle potential financial impact.
216. Which of the following best defines “due diligence” in cybersecurity?
A) Implementing only the cheapest security controls
B) Acting responsibly and taking reasonable precautions to protect assets
C) Avoiding compliance audits
D) Accepting all risks
✅ Correct Answer: B) Acting responsibly and taking reasonable precautions to protect assets
Explanation: Due diligence means demonstrating responsible security practices before issues occur, ensuring compliance and protection.
217. GDPR applies to:
A) Only companies in Europe
B) Any company worldwide handling EU citizens’ personal data
C) Only government agencies in the EU
D) Only financial institutions
✅ Correct Answer: B) Any company worldwide handling EU citizens’ personal data
Explanation: The General Data Protection Regulation (GDPR) has global reach — any organization that collects or processes EU citizens’ personal data must comply.
218. Which principle ensures that only the minimum required data is collected and used for a specific purpose?
A) Integrity principle
B) Least privilege
C) Data minimization
D) Segregation of duties
✅ Correct Answer: C) Data minimization
Explanation: Data minimization limits collection and storage to only what is necessary, reducing risk and ensuring compliance with privacy laws.
219. The process of formally accepting residual risk after mitigation efforts is called:
A) Risk transfer
B) Risk acceptance
C) Risk avoidance
D) Risk exploitation
✅ Correct Answer: B) Risk acceptance
Explanation: If the cost of controls outweighs the benefit, organizations may accept residual risk after assessment.
220. Which law requires publicly traded companies in the US to maintain proper financial reporting controls?
A) PCI-DSS
B) SOX
C) HIPAA
D) FISMA
✅ Correct Answer: B) SOX
Explanation: The Sarbanes-Oxley Act (SOX) mandates financial transparency and strong internal controls for publicly traded companies.
221. Which framework provides cybersecurity best practices and is published by NIST?
A) ISO 27001
B) CIS Controls
C) NIST Cybersecurity Framework (CSF)
D) COBIT
✅ Correct Answer: C) NIST Cybersecurity Framework (CSF)
Explanation: NIST CSF offers guidelines on identifying, protecting, detecting, responding, and recovering from cybersecurity threats. It is widely adopted in the U.S.
222. What does the “principle of least privilege” mean in access management?
A) Users get full access to all systems.
B) Users only get access necessary to perform their job.
C) Users are given temporary admin rights.
D) Access is shared among teams.
✅ Correct Answer: B) Users only get access necessary to perform their job.
Explanation: Least privilege reduces risk by limiting users’ access to only what is required for their role.
223. What type of control is an audit log review?
A) Technical
B) Managerial
C) Operational
D) Detective
✅ Correct Answer: D) Detective
Explanation: Audit logs help detect security incidents after they occur, making them a detective control.
224. Which law focuses on protecting student educational records in the U.S.?
A) FERPA
B) HIPAA
C) FISMA
D) PCI-DSS
✅ Correct Answer: A) FERPA
Explanation: FERPA (Family Educational Rights and Privacy Act) protects the privacy of student education records in the U.S.
225. Which security policy type defines rules for acceptable employee internet use?
A) Access control policy
B) Acceptable use policy (AUP)
C) Data retention policy
D) Business continuity policy
✅ Correct Answer: B) Acceptable use policy (AUP)
Explanation: An AUP defines what employees can and cannot do when using company IT resources.
226. Which of the following is an example of a compensating control?
A) Installing a firewall
B) Requiring multifactor authentication if strong encryption is unavailable
C) Backing up data daily
D) Hiring a cybersecurity consultant
✅ Correct Answer: B) Requiring multifactor authentication if strong encryption is unavailable
Explanation: A compensating control provides an alternative security measure when the primary control cannot be implemented.
227. Which type of audit verifies that an organization complies with legal and regulatory requirements?
A) Operational audit
B) Compliance audit
C) Technical audit
D) Risk audit
✅ Correct Answer: B) Compliance audit
Explanation: Compliance audits ensure organizations follow regulations such as HIPAA, PCI-DSS, or GDPR.
228. Which document defines how an organization will continue operations during a disaster?
A) Security policy
B) Business Continuity Plan (BCP)
C) Incident Response Plan (IRP)
D) Privacy policy
✅ Correct Answer: B) Business Continuity Plan (BCP)
Explanation: BCP outlines procedures to maintain business operations after disruptions like natural disasters or cyberattacks.
229. What is the purpose of a risk register in cybersecurity?
A) To document all identified risks, their impact, and mitigation plans
B) To store encryption keys
C) To track compliance regulations
D) To replace audit logs
✅ Correct Answer: A) To document all identified risks, their impact, and mitigation plans
Explanation: A risk register is a central tool used in risk management to record and monitor risks.
230. Which security standard is commonly required for organizations working with U.S. federal agencies?
A) FISMA
B) GDPR
C) SOX
D) HIPAA
✅ Correct Answer: A) FISMA
Explanation: The Federal Information Security Management Act (FISMA) requires federal agencies and contractors to implement robust security measures.
231. Which framework is widely used for IT governance and management?
A) COBIT
B) NIST CSF
C) ISO 31000
D) PCI-DSS
✅ Correct Answer: A) COBIT
Explanation: COBIT (Control Objectives for Information and Related Technologies) is a framework for IT governance and management, aligning IT goals with business objectives.
232. Which law in the U.S. ensures the protection of patient medical information?
A) HIPAA
B) PCI-DSS
C) GDPR
D) SOX
✅ Correct Answer: A) HIPAA
Explanation: HIPAA (Health Insurance Portability and Accountability Act) sets standards for protecting sensitive patient health information.
233. What is the main purpose of GDPR?
A) To secure credit card transactions
B) To protect the personal data of EU citizens
C) To regulate healthcare privacy in the U.S.
D) To enforce IT governance in businesses
✅ Correct Answer: B) To protect the personal data of EU citizens
Explanation: The General Data Protection Regulation (GDPR) is an EU law that safeguards data privacy and regulates how organizations process personal data.
234. Which security document assigns responsibilities to system owners, users, and administrators?
A) Incident response plan
B) Security policy
C) Risk register
D) Data retention plan
✅ Correct Answer: B) Security policy
Explanation: Security policies clearly define roles, responsibilities, and acceptable practices for employees and IT staff.
235. Which term describes the process of ranking risks based on their likelihood and impact?
A) Risk treatment
B) Risk assessment
C) Risk mitigation
D) Risk monitoring
✅ Correct Answer: B) Risk assessment
Explanation: Risk assessment evaluates risks by analyzing their probability and potential business impact.
236. Which compliance standard applies specifically to handling credit card data?
A) HIPAA
B) PCI-DSS
C) SOX
D) ISO 27001
✅ Correct Answer: B) PCI-DSS
Explanation: The Payment Card Industry Data Security Standard (PCI-DSS) is mandatory for organizations processing credit card transactions.
237. What is the first step in the incident response lifecycle?
A) Containment
B) Eradication
C) Identification
D) Recovery
✅ Correct Answer: C) Identification
Explanation: Of the phases listed, identification comes first: security teams must recognize that an incident has occurred before they can contain, eradicate, or recover from it.
238. Which law enforces financial reporting accuracy and security in U.S. corporations?
A) SOX
B) GDPR
C) HIPAA
D) FISMA
✅ Correct Answer: A) SOX
Explanation: The Sarbanes-Oxley Act (SOX) requires accurate financial reporting and mandates internal controls for publicly traded companies.
239. Which security control type is a security guard at a data center?
A) Technical
B) Physical
C) Detective
D) Preventive
✅ Correct Answer: B) Physical
Explanation: Security guards are physical controls that help prevent unauthorized physical access to facilities.
240. Which standard is an international framework for Information Security Management Systems (ISMS)?
A) ISO 27001
B) NIST CSF
C) COBIT
D) PCI-DSS
✅ Correct Answer: A) ISO 27001
Explanation: ISO 27001 provides globally recognized requirements for establishing, implementing, and maintaining an ISMS.
241. What does the principle of least privilege mean?
A) Giving users unlimited access to resources
B) Allowing users access only to what they need to perform their job
C) Granting all permissions during initial setup
D) Restricting access based on time zones
✅ Correct Answer: B) Allowing users access only to what they need to perform their job
Explanation: Least privilege limits user permissions to only the tasks required, reducing the risk of insider threats.
242. Which risk strategy involves transferring risk to another party, such as through insurance?
A) Risk avoidance
B) Risk acceptance
C) Risk transference
D) Risk mitigation
✅ Correct Answer: C) Risk transference
Explanation: Organizations transfer risks by outsourcing or using insurance, shifting responsibility to a third party.
243. Which document outlines how a company will continue operations during a major disruption?
A) Disaster recovery plan
B) Business continuity plan
C) Security awareness plan
D) Risk register
✅ Correct Answer: B) Business continuity plan
Explanation: A BCP ensures essential business functions continue during disruptions such as cyberattacks, natural disasters, or power outages.
244. Which control is a CCTV surveillance system?
A) Detective
B) Preventive
C) Compensating
D) Physical
✅ Correct Answer: A) Detective
Explanation: CCTV cameras are detective controls—they don’t stop threats but help identify and monitor suspicious activity.
245. What is a major benefit of security awareness training for employees?
A) Reduces phishing and social engineering attacks
B) Increases network bandwidth
C) Improves encryption performance
D) Reduces power consumption
✅ Correct Answer: A) Reduces phishing and social engineering attacks
Explanation: Trained employees can recognize phishing emails, suspicious links, and social engineering attempts.
246. Which regulation applies to securing government information systems in the U.S.?
A) FISMA
B) HIPAA
C) GDPR
D) SOX
✅ Correct Answer: A) FISMA
Explanation: The Federal Information Security Management Act (FISMA) establishes security requirements for U.S. federal agencies.
247. What is the purpose of a risk register?
A) To record all identified risks, their likelihood, and mitigation plans
B) To list all system administrators
C) To store user access logs
D) To manage financial reporting
✅ Correct Answer: A) To record all identified risks, their likelihood, and mitigation plans
Explanation: A risk register documents risks, their severity, and how they will be managed or mitigated.
248. What type of law governs intellectual property such as software code?
A) Contract law
B) Copyright law
C) Tort law
D) Criminal law
✅ Correct Answer: B) Copyright law
Explanation: Copyright law protects intellectual property, including books, music, and software code.
249. Which type of control is an antivirus system?
A) Administrative
B) Detective
C) Technical
D) Physical
✅ Correct Answer: C) Technical
Explanation: Antivirus software is a technical control that prevents and detects malware infections.
250. Which compliance framework is designed specifically for cybersecurity in critical infrastructure sectors?
A) NIST Cybersecurity Framework
B) HIPAA
C) SOX
D) COBIT
✅ Correct Answer: A) NIST Cybersecurity Framework
Explanation: The NIST CSF provides a structured approach for managing cybersecurity risks in industries like energy, finance, and healthcare.