Try 10 focused CompTIA SecurityX CAS-005 questions on Governance, Risk, and Compliance, with explanations, then continue with IT Mastery.
| Field | Detail |
|---|---|
| Exam route | CompTIA SecurityX CAS-005 |
| Topic area | Governance, Risk, and Compliance |
| Blueprint weight | 20% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Governance, Risk, and Compliance for CompTIA SecurityX CAS-005. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 20% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Governance, Risk, and Compliance
A healthcare payer relies on a third-party cloud claims processor. A breach-response requirement states that covered-data access and privileged actions must remain independently verifiable if a provider administrator account is compromised. Local journals can be altered by the same administrators, and the payer needs near-real-time detection of missing or modified events. Which control design is the BEST professional decision?
Options:
A. Require daily provider-generated log exports with SHA-256 checksums
B. Use independent, append-only, hash-chained remote journaling with gap alerts
C. Replicate the provider audit database to the payer environment
D. Encrypt local provider journals using keys stored in the provider tenant
Best answer: B
Explanation: The core risk is integrity interference by an administrator inside the provider trust boundary. The best design sends events to an independently controlled, append-only remote journal as they occur, then protects ordering and content with hash chaining or signed batches. Sequence numbers and gap alerts help detect suppression, while immutability prevents later deletion or rewriting from silently changing evidence. This aligns with breach response and third-party risk needs because the payer can validate records without relying solely on the provider’s mutable local logs. Encryption alone protects confidentiality, and replication alone improves availability, but neither proves that events were not omitted or altered before or during compromise.
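As an added illustration (not from the original page or any vendor product), the following Python sketches the append-only, hash-chained remote journal the explanation describes: the payer-side verifier holds the event stream and flags missing sequence numbers, broken links and rewritten content. Record layout, function names and the sample events are constructed for this example.

```python
# Added example (not from the original page): a hash-chained, append-only
# journal with sequence numbers, as the explanation above describes.
# Record layout, names and sample events are constructed for illustration.
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first record (constructed convention)

def _digest(seq: int, prev_hash: str, payload: dict) -> str:
    # Canonical JSON so the same record always hashes identically.
    body = json.dumps({"seq": seq, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append_event(journal: list, payload: dict) -> dict:
    """Append one record, linking it to the previous record's hash."""
    seq = journal[-1]["seq"] + 1 if journal else 1
    prev = journal[-1]["hash"] if journal else GENESIS
    record = {"seq": seq, "prev": prev, "payload": payload,
              "hash": _digest(seq, prev, payload)}
    journal.append(record)
    return record

def verify_journal(journal: list) -> list:
    """Payer-side check: alert on gaps, broken links, or altered content."""
    alerts = []
    expected_seq, expected_prev = 1, GENESIS
    for rec in journal:
        if rec["seq"] != expected_seq:
            alerts.append(f"gap: expected seq {expected_seq}, got {rec['seq']}")
        if rec["prev"] != expected_prev:
            alerts.append(f"chain break at seq {rec['seq']}")
        if rec["hash"] != _digest(rec["seq"], rec["prev"], rec["payload"]):
            alerts.append(f"content altered at seq {rec['seq']}")
        expected_seq, expected_prev = rec["seq"] + 1, rec["hash"]
    return alerts

def build_sample_journal() -> list:
    """Constructed provider events: privileged actions on covered data."""
    journal = []
    append_event(journal, {"actor": "admin1", "action": "read", "obj": "claim-42"})
    append_event(journal, {"actor": "admin1", "action": "grant", "obj": "role:dba"})
    append_event(journal, {"actor": "admin2", "action": "export", "obj": "claims-db"})
    return journal

def tampered_journal() -> list:
    """Same stream with one event missing and one rewritten after the fact."""
    journal = build_sample_journal()
    del journal[1]                              # missing event -> gap + chain break
    journal[-1]["payload"]["action"] = "read"   # rewritten event -> content alert
    return journal
```

Only the gap alert depends on sequence numbers; the chain-break alert would still fire if a suppressed record were renumbered to hide the gap, which is why both checks are kept together.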
Topic: Governance, Risk, and Compliance
A financial services company is acquiring a regional payments processor. The integration plan keeps the processor’s cloud-hosted API platform online, federates its workforce identities into the parent IdP, and connects an on-prem settlement system to the parent fraud analytics platform within 60 days. Regulators require evidence that material risks introduced by the acquisition were assessed before production connectivity. What is the BEST professional decision for updating the threat model?
Options:
A. Block all federation until a full enterprise threat model is rebuilt
B. Run a delta threat model focused on new data flows and trust boundaries
C. Accept the processor’s existing threat model until integration is complete
D. Replace threat modeling with a vulnerability scan of connected systems
Best answer: B
Explanation: Organizational changes such as mergers and acquisitions can materially change the threat model even when individual systems remain unchanged. New identity federation, cloud-to-on-prem connectivity, data sharing, ownership, staffing, and operational responsibility can create new trust boundaries and abuse cases. The best approach is to perform a targeted delta threat model aligned to the integration plan, documenting changed data flows, subject-object relationships, inherited risks, control gaps, and compensating controls before production connectivity. This satisfies the regulatory evidence requirement without waiting for a complete enterprise-wide rebuild or reducing the activity to technical scanning only. The key is to model what changed because of the acquisition and validate controls before the new boundary becomes operational.
Topic: Governance, Risk, and Compliance
A financial services company wants to let employees use an approved generative AI assistant for drafting internal reports. Requirements include disclosing AI-assisted content when reports are shared externally, preventing customer PII from being submitted, monitoring prompts and outputs for policy violations, and retaining audit evidence for compliance review. Which approach best maps to these requirements?
Options:
A. Disable prompt retention and rely on provider confidentiality terms
B. Implement an AI gateway with DLP, usage logging, output review, and disclosure workflow
C. Allow only a private model and prohibit external report publication
D. Publish an acceptable-use policy and require annual user attestation
Best answer: B
Explanation: Enterprise AI adoption needs both governance expectations and enforceable technical guardrails. In this scenario, the company must disclose AI-assisted content externally, stop customer PII from entering prompts, monitor usage and outputs, and retain evidence. An AI gateway or brokered access pattern can centralize policy enforcement: inspect prompts with DLP, log approved usage, apply output checks, route high-risk use for review, and trigger disclosure steps before external release. A policy alone is necessary but insufficient because it does not create monitoring evidence or prevent data exposure. The key takeaway is to pair AI usage policy with technical control points and auditability.
Topic: Governance, Risk, and Compliance
A global enterprise is adding biometric step-up authentication for privileged administrators. Privacy requirements state that raw biometric samples must not leave the employee’s country, biometric templates must be treated as sensitive data, EU and Brazil employees must be able to exercise access and deletion rights, and the third-party service must not gain unrestricted reuse rights. Which approach BEST maps to these requirements?
Options:
A. Centralize all templates globally and encrypt the database.
B. Use in-region matching with minimized templates and DSAR workflows.
C. Rely on employee consent and the vendor’s default retention policy.
D. Send hashed raw samples to the vendor’s global matching service.
Best answer: B
Explanation: Biometric data requires privacy-by-design controls because it is sensitive, difficult to replace, and often subject to enhanced legal protections. The requirements point to a regional processing architecture: capture and match biometrics in the employee’s country or approved region, retain only minimized templates rather than raw samples, apply strong contractual limits on vendor reuse, and integrate access/deletion workflows for data subject rights. Encryption is useful but does not by itself solve sovereignty or lifecycle obligations. Consent and vendor defaults are also insufficient when the organization must prove control over retention, processing purpose, and deletion.
Topic: Governance, Risk, and Compliance
A global engineering firm wants to allow employees to use generative AI for document summarization and code assistance. Requirements are: prevent customer PII and secrets from being submitted to unsanctioned AI tools, retain audit evidence of AI use, and avoid a blanket ban that would slow approved workflows. Which response best maps to these requirements?
Options:
A. Route approved AI access through an enterprise AI gateway with DLP, logging, and usage policy enforcement
B. Require annual AI awareness training and allow employees to choose any AI service
C. Deploy an internal model and disable prompt and response logging to protect employee privacy
D. Block all external AI services at the proxy until legal completes a policy review
Best answer: A
Explanation: The best response is a risk-based AI governance control that enables legitimate use while constraining misuse. An enterprise AI gateway, CASB/SSE control, or similar broker can steer users to sanctioned AI services, inspect prompts for PII, secrets, or regulated data, apply acceptable-use policy, and preserve logs for audit and incident response. This addresses both governance and technical enforcement without treating all AI use as prohibited. Training and policy are useful, but by themselves they do not prevent data exposure or create reliable audit evidence. A private model may reduce some third-party disclosure risk, but disabling logging removes accountability and weakens governance.
Topic: Governance, Risk, and Compliance
A multinational retailer is preparing an audit strategy for a new customer portal. The security architect must map each requirement to the most appropriate external framework or report request.
Exhibit: Compliance planning notes
| Requirement | Audit or assurance need |
|---|---|
| Portal stores and transmits PANs for purchases | Validate cardholder data controls |
| Board wants a common cyber-risk communication model | Align outcomes and maturity reporting |
| SaaS vendor processes customer support data | Obtain independent control assurance |
| Cloud team needs cloud-specific control mappings | Map shared-responsibility controls |
Which mapping best fits the exhibit?
Options:
A. ISO/IEC 27001, CIS Controls, DMA, SOC 2 Type I
B. DMA, ISO/IEC 27002, CIS Benchmarks, PCI DSS
C. NIST CSF, PCI DSS, CSA STAR, ISO/IEC 27701
D. PCI DSS, NIST CSF, SOC 2 Type II, CSA CCM
Best answer: D
Explanation: Framework selection should follow the business requirement and evidence need. PCI DSS is appropriate when an environment stores, processes, or transmits payment card account data. NIST CSF is commonly used to communicate cybersecurity outcomes, risk posture, and improvement targets to leadership. SOC 2 Type II provides independent assurance over a service organization’s controls over a period of time, which fits SaaS vendor due diligence. CSA Cloud Controls Matrix helps map cloud security controls and shared-responsibility expectations. ISO/IEC 27001 or CIS may be useful in other contexts, but they do not replace the more specific mappings shown in the exhibit.
Topic: Governance, Risk, and Compliance
A healthcare company is piloting an AI triage assistant for regulated patient messages. The assistant uses RAG over approved clinical procedures, runs in a cloud AI service, and sends structured task recommendations to an on-prem workflow engine that enforces an allowlist before creating tasks. Red-team testing shows that malicious instructions embedded in a patient message caused the model to ignore its system guidance and generate a forbidden routing command, which the workflow engine rejected. No retraining occurred, traffic volume was normal, and model weights were not exposed. Which classification and response is BEST for the AI risk register?
Options:
A. Model theft; rotate provider credentials and watermark outputs
B. Prompt injection; isolate untrusted content and gate tool use
C. Model DoS; add rate limiting and autoscaling controls
D. Training data poisoning; rebuild the corpus and retrain the model
Best answer: B
Explanation: This scenario shows prompt injection: untrusted input inside the model context attempted to override higher-priority instructions and influence a downstream action. The on-prem allowlist prevented execution, but the AI risk register should still record the threat and require guardrails such as context separation, instruction hierarchy enforcement, tool-call authorization, output validation, and monitoring for suspicious prompts. The facts rule out data poisoning because the training or RAG corpus was not altered, and they rule out DoS or theft because there was no abnormal load or model-weight exposure. The key takeaway is to classify the model behavior separately from the downstream control that contained it.
Topic: Governance, Risk, and Compliance
A multinational company is automating its enterprise security program. The board wants near-real-time evidence that required controls are operating, auditors need immutable evidence packages mapped to policy requirements, and engineering teams must remain responsible for changing firewall, IAM, and endpoint configurations. Which approach best maps to these requirements?
Options:
A. Deploy GRC evidence connectors with read-only control mappings
B. Centralize all control enforcement in the SIEM correlation layer
C. Use SOAR playbooks to auto-remediate noncompliant configurations
D. Replace policy attestations with quarterly vulnerability scans
Best answer: A
Explanation: Governance automation should collect, normalize, retain, and map evidence to control objectives without becoming the system that implements every technical control. In this scenario, the key boundary is responsibility: auditors and the board need assurance evidence, while engineering teams still own configuration changes in firewall, IAM, and endpoint platforms. Read-only GRC connectors can gather logs, configuration snapshots, attestations, exceptions, and test results, then link them to policies and audit requirements. This supports continuous monitoring and audit readiness without creating unauthorized change paths or blurring operational ownership. Auto-remediation may be useful in a separate engineering workflow, but it is not the primary governance evidence requirement here.
Topic: Governance, Risk, and Compliance
A security steering committee must decide whether to fund a resilience control for a third-party payment processor integration. Which risk analysis approach is best supported by the available information?
Exhibit: Decision package
| Decision factor | Available information |
|---|---|
| Business question | Is a $1.2 million control justified? |
| Loss data | Outage cost: $180,000 per hour |
| Frequency data | 4 years of incident history and insurer probability estimates |
| Control estimate | Expected outage reduction: 70% |
Options:
A. Qualitative analysis using expert judgment only
B. Quantitative analysis for cost-benefit comparison
C. Quantitative analysis is inappropriate for third-party risk
D. Qualitative analysis using high-medium-low ratings
Best answer: B
Explanation: Quantitative risk analysis is appropriate when the decision requires a financial comparison and the team has credible inputs such as loss amounts, event frequency or probability, and control cost. Here, the committee is deciding whether a $1.2 million resilience control is justified, and the exhibit provides outage cost, historical/probability data, and an estimated reduction in outage exposure. Those facts support estimating expected loss before and after the control. Qualitative analysis is better when data is incomplete or the goal is relative prioritization, such as ranking risks as high, medium, or low. The key distinction is whether the available evidence can support numeric financial modeling for the decision being made.
Topic: Governance, Risk, and Compliance
A financial services company plans to pilot a generative AI SaaS copilot that summarizes CRM tickets containing regulated customer data. The enterprise AI standard allows external AI tools only after contractual data-use restrictions and DLP enforcement are validated. The sales operations VP requests a 30-day exception because manual review is affecting service levels. Which governance assignment is the BEST professional decision before allowing the pilot?
Options:
A. AI governance sets policy; security validates controls; the data owner approves any exception.
B. Security operations approves the exception after enabling additional logging.
C. The vendor approves the pilot after confirming its default AI terms.
D. The sales operations VP validates DLP and privacy compliance.
Best answer: A
Explanation: AI adoption governance should separate policy authority, control validation, and risk acceptance. An AI governance or similar enterprise risk body owns the AI usage standard and disclosure requirements. Security validates whether required controls, such as DLP enforcement and SaaS data-use restrictions, are operating as intended. The accountable business data owner or risk owner should approve a documented, time-bound exception because that stakeholder owns the business process and residual data risk. Legal and privacy may advise on regulatory exposure, but they do not replace technical validation or business risk acceptance. The key is to avoid letting the requesting team or vendor self-approve a control gap.