CompTIA SecurityX (CAS-005) · Domain 1 · 20% of exam

Governance, Risk, and Compliance

Drill 20 practice questions focused entirely on Governance, Risk, and Compliance for the CompTIA CAS-005 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A multinational manufacturer must simultaneously demonstrate compliance with ISO 27001, PCI DSS, and a new regional privacy law. The CISO notices the compliance team is running three separate audits, duplicating evidence collection, and producing conflicting control statements that confuse the board. The CISO wants to reduce audit fatigue and cost while maintaining assurance across all three regimes. Which approach best addresses this problem?

Reviewed for accuracy · Report an issue
Question 2 of 20

A multinational retailer's SOC confirms that attackers exfiltrated a database containing EU residents' personal data and U.S. customers' payment card information. The CISO convenes a response meeting to determine notification obligations. Legal confirms the breach involves both personal data protected under GDPR and cardholder data governed by PCI DSS agreements with the acquiring bank. Which action correctly reflects the organization's regulatory and contractual notification obligations?

Reviewed for accuracy · Report an issue
Question 3 of 20

A multinational manufacturer is establishing a formal data governance program after an audit found that no one could authoritatively decide who may approve access to sensitive engineering design files. The CISO wants to assign accountability for the business value, classification level, and acceptable use of these datasets, while separating that responsibility from the team that manages storage, backups, and technical access controls. Which role assignment best satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 4 of 20

A retailer wants to use existing customer purchase history to send targeted product recommendations via email. The DPO must document the appropriate GDPR lawful basis before the marketing team launches the campaign. The customers were not asked for marketing consent at signup, and the retailer believes the processing is reasonably expected by customers but wants to avoid over-relying on consent. Which action should the DPO take to establish a defensible lawful basis for this processing?

Reviewed for accuracy · Report an issue
Question 5 of 20

A business unit at a financial services firm needs to deploy a legacy application that cannot support the company's mandatory 15-character password standard; the vendor confirms the platform is limited to 8 characters and will not be updated for 18 months. The business unit wants to proceed to meet a regulatory reporting deadline. As the security governance lead, what is the MOST appropriate way to handle this deviation from the established standard?

Reviewed for accuracy · Report an issue
Question 6 of 20

A multinational retailer headquartered in the EU is expanding its customer analytics platform by contracting a cloud-based marketing processor located in a country that does not have a European Commission adequacy decision. The retailer's Data Protection Officer must ensure that personal data of EU customers can lawfully be transferred to this processor while providing enforceable rights and effective legal remedies for data subjects. Which mechanism is the MOST appropriate to authorize this international data transfer under the GDPR?

Reviewed for accuracy · Report an issue
Question 7 of 20

A multinational retailer operating in the EU receives a GDPR Article 17 (right to erasure) request from a former customer. However, the company's legal team has placed a litigation hold on all records related to a pending class-action lawsuit, and this customer's transaction records are within the scope of that hold. The Data Protection Officer (DPO) must respond within the regulatory timeframe. What is the MOST appropriate action?

Reviewed for accuracy · Report an issue
Question 8 of 20

A retail organization processes credit card payments through an in-house web application that stores full cardholder data in its database. During a PCI DSS assessment, the QSA notes the entire corporate network is currently in scope because the payment application shares network segments with general business systems. The CISO wants to reduce the cost and complexity of maintaining compliance for the next assessment cycle. Which approach would MOST effectively reduce the PCI DSS scope while maintaining the ability to accept card payments?

Reviewed for accuracy · Report an issue
Question 9 of 20

A retail company processes credit card payments through a legacy point-of-sale application that cannot support the multi-factor authentication required by PCI DSS for administrative access to the cardholder data environment. The application vendor will not release a compliant version for 14 months. The security manager wants to remain compliant with the standard during this period. Which approach correctly satisfies PCI DSS requirements for this situation?

Reviewed for accuracy · Report an issue
Question 10 of 20

A newly hired security governance manager is reviewing the organization's documentation. Executive leadership has approved a high-level directive stating that all sensitive data 'must be protected using encryption both in transit and at rest.' The manager now needs to create a document that mandates AES-256 for data at rest and TLS 1.3 for data in transit, so that all teams have a consistent, mandatory technical baseline to follow. Which type of governance document should the manager create to capture these specific mandatory technical requirements?

Reviewed for accuracy · Report an issue
Question 11 of 20

A retail company plans to deploy a new marketing platform that will use AI-driven behavioral profiling to score customers based on browsing history, purchase patterns, and inferred demographic data. The profiling will influence automated decisions about pricing offers shown to individual EU customers. The privacy officer must determine the first required governance action before the platform goes live. Which action should be taken?

Reviewed for accuracy · Report an issue
Question 12 of 20

A financial services firm's board has formally set the enterprise risk appetite statement at a maximum of $2 million in annual aggregate operational-security losses. The CISO defines a risk tolerance of ±10% around individual control thresholds to allow operational flexibility. During Q3, the security operations team detects that projected annual losses from a recurring fraud pattern will reach $2.3 million if left unaddressed, and a specific control's residual risk has drifted 18% above its defined threshold. Which action best aligns with proper governance of risk appetite and tolerance?

Reviewed for accuracy · Report an issue
Question 13 of 20

A newly hired CISO at a mid-size manufacturing firm is establishing an enterprise risk program. The board has requested a risk assessment of a proposed cloud migration, but the firm lacks historical loss data for cloud-related incidents and has limited time before the next board meeting. The CISO must produce a prioritized view of risks that stakeholders across engineering, legal, and finance can quickly understand and validate. Which risk assessment approach is MOST appropriate given these constraints?

Reviewed for accuracy · Report an issue
Question 14 of 20

A financial services firm operates a customer-facing web application. A quantitative risk assessment estimates the application's asset value at $2,000,000. A successful web-based attack is expected to destroy 25% of that value (exposure factor), and threat intelligence indicates such a compromise is likely to occur twice per year. The security team proposes a web application firewall and monitoring solution costing $180,000 annually, which is expected to reduce the frequency of successful attacks to once every two years. Using quantitative risk analysis, which statement best justifies the investment decision?

Reviewed for accuracy · Report an issue
Question 15 of 20

A financial services firm identifies a risk that a legacy claims-processing application, which cannot be patched due to vendor end-of-life, is vulnerable to a known exploit. The application generates $2M in annual revenue and would cost $1.5M to fully replace within the year. The estimated annualized loss expectancy (ALE) from the vulnerability is $180,000. Management decides to isolate the application on a segmented network, deploy a virtual patch via WAF, and purchase a cyber insurance rider covering losses above $50,000. Which combination of risk treatment strategies has management applied?

Reviewed for accuracy · Report an issue
Question 16 of 20

A large enterprise has run mandatory annual security awareness training for three years, yet the incident response team reports that credential-harvesting phishing remains the leading cause of account compromise. Executive leadership asks the CISO to demonstrate whether the awareness program is actually reducing risk and to justify continued investment. Which approach BEST enables the CISO to measure and improve the program's effectiveness?

Reviewed for accuracy · Report an issue
Question 17 of 20

A CISO is preparing a quarterly report for the board of directors. The board has complained that previous reports were too technical and did not help them understand whether the security program is trending toward or away from acceptable risk levels. The CISO wants to include a metric that predicts increasing exposure before an incident occurs, allowing leadership to authorize additional investment proactively. Which type of metric BEST satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 18 of 20

A financial services company relies on three critical SaaS vendors for payment processing, fraud detection, and customer identity verification. During an annual third-party risk review, the risk manager discovers that all three vendors host their production workloads with the same single cloud infrastructure provider in the same geographic region. Each individual vendor has strong SOC 2 Type II reports and acceptable individual risk scores. Which risk should the risk manager escalate as the MOST significant finding?

Reviewed for accuracy · Report an issue
Question 19 of 20

A financial services firm is finalizing its enterprise information security program. The CISO has drafted a set of security policies, but the board's audit committee returns them with feedback that the documents fail to demonstrate how security priorities support the organization's three-year strategic plan to expand into digital lending. The CISO must revise the governance approach. Which action BEST addresses the committee's concern about aligning security to business objectives?

Reviewed for accuracy · Report an issue
Question 20 of 20

A financial services company is onboarding a third-party software vendor whose product will be integrated into a payment processing pipeline. The security architect wants to reduce supply-chain risk by ensuring the company can independently verify the components within the vendor's software, detect known vulnerabilities in embedded open-source libraries, and validate that delivered binaries match the vendor's build artifacts. Which combination of contractual and technical requirements BEST addresses these goals?

Reviewed for accuracy · Report an issue

More CAS-005 practice

Keep going with the other CompTIA SecurityX (CAS-005) domains, or take a full timed mock exam.

← Back to CAS-005 overview