CISM 2022: Governance, Risk, and Compliance (GRC) Competency (Intermediate Level)

  • 30m
  • 30 questions
The Governance, Risk, and Compliance (GRC) Competency (Intermediate Level) benchmark measures your understanding of the information security regulations and laws an organization must satisfy. You will be evaluated on your ability to manage risk effectively and maintain a compliant environment for an organization. A learner who scores high on this benchmark demonstrates competency in many areas of this domain, with the knowledge and insight needed to understand the creation and implementation of policies, procedures, and controls that align with the organization's goals and objectives.

Topics covered

  • configure a Microsoft Azure storage account with a customer-managed key
  • consider factors that influence where data physically resides
  • describe how FedRAMP standards are used to secure U.S. government information
  • describe how GDPR assures data privacy
  • describe how HIPAA protects sensitive medical information
  • describe how PCI DSS standards protect cardholder information
  • determine how risk avoidance fits into the corporate risk appetite
  • determine the annualized loss expectancy (ALE) value using an online ALE calculator
  • determine when DLP solutions should be used for data privacy
  • determine when residual risk is acceptable
  • discover and classify sensitive data in Amazon Web Services
  • discuss how the COBIT framework applies to IT governance
  • discuss personnel security issues related to hiring, background checks, and exit interviews
  • discuss various types of security policies, including acceptable use, their constituent elements, and the need for management buy-in
  • discuss when risk should be transferred (outsourced) to other parties
  • enable data classification in the Azure cloud
  • focus on the most relevant risks and record them in a risk register
  • identify and classify assets for proper data governance based on value to the business
  • provide examples of personally identifiable information and how this can affect privacy impact statements
  • recall how risk cannot always entirely be eliminated
  • recognize components constituting an effective program including balanced scorecards
  • recognize how gap analysis results serve as input for information security strategies
  • recognize how ISO/IEC standards can result in proper IT governance
  • recognize how penetration testing provides value to the security program
  • recognize how the business model for information security encompasses information security planning, implementation and management
  • recognize how vulnerability assessments can be used to assess risk
  • recognize the role that the Cloud Security Alliance Cloud Controls Matrix (CCM) plays in establishing cloud security controls
  • use Azure Policy to view cloud resource compliance
  • use OWASP ZAP to scan a web site for vulnerabilities
  • use the free Nessus tool to execute a vulnerability scan
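The risk-management objectives above (calculating ALE, recording the most relevant risks in a risk register, deciding when residual risk is acceptable against the risk appetite, and recognizing that risk is never fully eliminated) fit together in one quantitative workflow. The script below is an added worked example and is not part of the CISM course material: it computes SLE = AV x EF and ALE = SLE x ARO for each register entry, applies a proposed control to obtain the residual ALE, runs a cost/benefit check on the control, and ranks the register by inherent ALE. Every asset value, exposure factor, occurrence rate, control cost and the risk-appetite threshold is a constructed sample figure, and the accept/mitigate/transfer decision rule is an assumed policy, not one prescribed by ISACA.

```python
"""Risk-register ranking with annualized loss expectancy (ALE).

Added example, not course material. All asset values, exposure factors,
occurrence rates, control costs and the appetite threshold are constructed
sample figures; the treatment rule is an assumed organizational policy.
"""
from dataclasses import dataclass

# Assumed annual loss the organization is willing to carry per risk.
RISK_APPETITE = 25_000.0


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float        # AV: value of the asset at risk
    exposure_factor: float    # EF: fraction of AV lost in one incident (0..1)
    aro: float                # ARO: expected incidents per year
    control: str              # proposed mitigating control
    control_ef: float         # EF after the control is applied
    control_aro: float        # ARO after the control is applied
    control_cost: float       # annual cost of operating the control


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: loss from one occurrence (AV x EF)."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def treatment(inherent: float, residual: float, net_benefit: float,
              appetite: float) -> str:
    """Choose a treatment. Residual risk is never zero; the question is
    whether what remains after the control sits within appetite at a
    cost lower than the loss it prevents."""
    if inherent <= appetite:
        return "accept"            # already within appetite; record and monitor
    if residual <= appetite and net_benefit > 0:
        return "mitigate"          # control suffices and pays for itself
    return "transfer/avoid"        # control too weak or uneconomic


def evaluate(risk: Risk, appetite: float = RISK_APPETITE) -> dict:
    """Return one risk-register row for a single risk."""
    inherent = ale(risk.asset_value, risk.exposure_factor, risk.aro)
    residual = ale(risk.asset_value, risk.control_ef, risk.control_aro)
    # Cost/benefit of the control: ALE reduction minus the control's cost.
    net_benefit = inherent - residual - risk.control_cost
    return {
        "risk": risk.name,
        "sle": round(sle(risk.asset_value, risk.exposure_factor), 2),
        "inherent_ale": round(inherent, 2),
        "residual_ale": round(residual, 2),
        "net_benefit": round(net_benefit, 2),
        "treatment": treatment(inherent, residual, net_benefit, appetite),
    }


def build_register(risks, appetite: float = RISK_APPETITE) -> list:
    """Evaluate every risk and rank by inherent ALE so the register leads
    with the exposures that most deserve management attention."""
    return sorted((evaluate(r, appetite) for r in risks),
                  key=lambda row: row["inherent_ale"], reverse=True)


# Constructed sample register (illustrative figures, not real data).
SAMPLE_RISKS = [
    Risk("Ransomware on file server", 500_000, 0.40, 0.5,
         "offline backups + EDR", 0.10, 0.25, 30_000),
    Risk("Stolen laptop", 3_000, 1.00, 2.0,
         "full-disk encryption", 0.30, 2.0, 1_200),
    Risk("Data center flood", 2_000_000, 0.50, 0.05,
         "flood barriers", 0.50, 0.04, 5_000),
    Risk("SQL injection breach of web app", 800_000, 0.25, 0.3,
         "WAF + SAST in CI", 0.25, 0.05, 20_000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['risk']:<35} ALE={row['inherent_ale']:>10,.2f} "
              f"residual={row['residual_ale']:>9,.2f} -> {row['treatment']}")
```

Note that the flood risk lands on "transfer/avoid" even though its inherent ALE is lower than the ransomware risk's: the proposed control leaves the residual ALE above appetite, so the register flags it for insurance or relocation rather than the cheap barrier. Ranking by inherent ALE keeps the register focused on the largest exposures; the treatment column records why each one is accepted, mitigated or transferred.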