CIS-RC Topic 2
Question #: 17
Topic #: 1
Which table stores the links from Entity to Entity Types?
A. [sn_compliance_m2m_profile_profile_type]
B. [sn_risk_m2m_risk_profile]
C. [sn_compliance_m2m_policy_profile]
D. [sn_grc_m2m_profile_profile_type]
Selected Answer: D
Question #: 13
Topic #: 1
What table extends from Document Table?
A. Risk
B. Risk Framework
C. Risk Response Task
D. Risk Statement
Selected Answer: B
Question #: 1
Topic #: 1
Which of the following tables exist within the GRC: Profiles application scope? (Choose three.)
A. Document
B. Policy
C. Risk
D. Content
E. Indicator
Selected Answer: ADE
Question #: 113
Topic #: 1
Setting up entity classes is required when using which GRC features? (Choose two.)
A. Setting up an object-based risk assessment
B. Adding to the policy exception integration registry
C. Assessing the impact of a regulatory feed
D. Leveraging classic risk assessments
E. Leveraging advanced risk assessments
Selected Answer: AE
Question #: 15
Topic #: 1
Which tables extend the Content (sn_grc_content) table? (Choose two.)
A. sn_compliance_citation
B. sn_grc_issue
C. sn_compliance_policy_statement
D. sn_risk_risk
Selected Answer: AC
Question #: 61
Topic #: 1
Which feature would you use to track completion of certain tasks?
A. Related Lists
B. SLAs
C. Workflow Editor
D. Notifications
Selected Answer: B
Question #: 163
Topic #: 1
Why would a company need to comply with the General Data Protection Regulation?
A. It stores credit card information
B. It faces the most pervasive cyber-threats
C. It processes data from individuals in the European Union
D. It is publicly traded in the United States
Selected Answer: C
Question #: 160
Topic #: 1
How can a user respond to consolidated (grouped) attestations? (Choose two.)
A. Create subgroups for responding with same or different responses
B. Provide response using a baseline template for grouped attestations
C. Provide different responses for each assessment
D. Provide same response for all assessments
E. Provide entity class responses within the same grouping
Selected Answer: CD
Question #: 129
Topic #: 1
An Observation can also be commonly known as what during an audit?
A. Evidence
B. Engagement
C. Problem
D. Finding
Selected Answer: D
Question #: 103
Topic #: 1
What are some of the drivers for customers to get the GRC suite of applications? (Choose four.)
A. They would like efficiency
B. They would like integrated reporting
C. They would like transparency
D. They would like automated customer service
E. They would like custom websites
F. They would like workflow driven processes
Selected Answer: AB
Question #: 88
Topic #: 1
Which collection of tables extend the Item (sn_grc_item) table? (Choose two.)
A. Risk
B. Citation
C. Policy
D. Control
Selected Answer: AD
Question #: 81
Topic #: 1
Which of the following records does not have a lifecycle?
A. Control Objective
B. Policy
C. Policy Exception
D. Control
Selected Answer: A
Question #: 79
Topic #: 1
Praveen is a Risk Manager. Why would he want to utilize Entity Types and Entities? (Choose three.)
A. To monitor risk exposure
B. To remediate vulnerabilities
C. To perform risk assessments
D. To perform policy exceptions
E. To perform risk reporting
Selected Answer: D
Question #: 114
Topic #: 1
Which GRC tables serve as primary parent tables for the GRC applications? (Choose three.)
A. Content
B. Item
C. Asset
D. Task
E. Document
Selected Answer: ABE
Question #: 89
Topic #: 1
Who should be directly involved in GRC implementations? (Choose four.)
A. Board of directors
B. Chief Executive
C. ServiceNow platform experts
D. Business Analyst
E. Risk and compliance experts
F. CMDB process owner
Selected Answer: CDEF
Question #: 145
Topic #: 1
Who should be directly involved in GRC implementations? (Choose three.)
A. Board of directors
B. Chief Executive
C. ServiceNow platform experts
D. HR analysts
E. Risk and compliance experts
F. CMDB process owner
Selected Answer: CEF
Question #: 93
Topic #: 1
The Entity Type table has a many-to-many relationship with which tables? (Choose two.)
A. Risk Statement
B. Policy
C. Control
D. Risk
Selected Answer: CD
Question #: 102
Topic #: 1
Which tables extend from the Task table? (Choose two.)
A. Risk Framework
B. Risk Response Task
C. Risk Statement
D. Risk Event
E. Risk
Selected Answer: BD
Question #: 12
Topic #: 1
Jim is an Audit Manager. In addition to Audit Manager, which roles should be assigned to ensure he can manage the audit process as well as other GRC functions related to audit? (Choose two.)
A. sn_grc.manager
B. sn_audit.user
C. sn_grc.user
D. sn_grc.reader
E. sn_grc.developer
Selected Answer: AB
Question #: 54
Topic #: 1
What is the minimum role required for creating a policy acknowledgement campaign?
A. sn_risk.user
B. sn_compliance.user
C. sn_compliance.admin
D. sn_compliance.manager
E. sn_control.owner
Selected Answer: B
Question #: 53
Topic #: 1
The overall goal of Entity Classes is to:
A. To enable reporting and to support advanced risk assessment
B. Show relationships between Entities and policies and map them directly to Citations
C. Associate Control Objectives and Risk Statements with Risks and Controls
D. To provide specific information about an Entity, such as who owns the Entity
Selected Answer: A
Question #: 51
Topic #: 1
Policies can be automatically published after which of the following occurs?
A. Related control objectives are marked active
B. Policy exception is closed
C. Policy is approved by all approvers
D. Policy is approved by one approver
Selected Answer: C
Question #: 75
Topic #: 1
What ensures that every time you create an Entity from a specific table, the Class of the Entity is set according to the rule?
A. Entity class rules
B. Entity business rules
C. Entity class assignment
D. Entity type rules
Selected Answer: A
Question #: 45
Topic #: 1
UCF has a collection of what? Select all UCF terms. (Choose three.)
A. Control Indicators
B. Authority Documents
C. Policies
D. Citations
E. Controls
Selected Answer: BDE
Question #: 43
Topic #: 1
Entity scoping is used for what?
A. Make sure that all of your Entities have the right visibility
B. Create and assign controls to the correct users
C. Create, assign, and manage controls and risks across an enterprise
D. Scope out the different users and roles that have access to the platform
Selected Answer: C
Question #: 41
Topic #: 1
Control indicators may be triggered or scheduled in which state?
A. Retired
B. Monitor
C. Review
D. Attest
E. Draft
Selected Answer: B
Question #: 40
Topic #: 1
For Control records, who can modify the Control in the Draft state?
A. All compliance users
B. Only the Compliance Manager
C. Only the person assigned the Attestation
D. Only Control Owners
Selected Answer: A
Question #: 72
Topic #: 1
On which records is the entity a required field? (Choose two.)
A. Risk
B. Control
C. Policy
D. Control objective
E. Risk statement
Selected Answer: AB
Question #: 62
Topic #: 1
Which GRC application would you use to determine where the organization is the most vulnerable or has the most exposure?
A. Vendor Risk Management
B. Audit Management
C. Policy and Compliance Management
D. Risk Management
Selected Answer: D
Question #: 52
Topic #: 1
To allow other applications to request a policy exception, you must complete the integration registry form. In addition to providing the name of the registry entry, what additional information is needed to complete the form?
A. You must indicate the audience for requesting policy exceptions
B. You must indicate the intended Service Portal
C. You must indicate the policy exception target table
D. You must indicate the allowed policy acknowledgement campaigns
Selected Answer: C
Question #: 47
Topic #: 1
Which scheduled jobs in the GRC: Profiles scope help manage the population of Entity records? (Choose two.)
A. GRC indicator nightly run
B. GRC Entity and Risk Statement Data Collection
C. GRC Profile Generation
D. GRC Refresh Risk Scores
Selected Answer: AC
Question #: 36
Topic #: 1
What are the four values leveraged for the Inherent and Residual Risk Score Types?
A. Impact, Probability, SLE, ARO
B. Impact, Likelihood, SLE, ALE
C. Impact, Likelihood, SLE, Score
D. Impact, Likelihood, SLE, ARO
Selected Answer: D
Question #: 35
Topic #: 1
The ‘Add to Update Set’ utility is available for download via:
A. ServiceNow Developer site
B. ServiceNow store
C. ServiceNow Community
D. ServiceNow HI support
Selected Answer: A
Question #: 27
Topic #: 1
Control Failure Factor represents the impact of Control Failures on what score?
A. Inherent
B. Residual
C. Total
D. Calculated
Selected Answer: D
Question #: 23
Topic #: 1
What are the Risk Scoring methods available in ServiceNow? (Choose two.)
A. Quantitative
B. Qualitative
C. Inherent
D. Residual
E. Calculated
Selected Answer: AB
Question #: 130
Topic #: 1
What mapping capability in the Classic UI allows customers to relate specific Entities to each other within an Entity Class?
A. Entity Class Mapper
B. Entity Workbench
C. GRC Workbench Dependency Map
D. GRC Entity Mapper
Selected Answer: C
Question #: 122
Topic #: 1
What are some of the features of scoped applications for GRC? (Choose three.)
A. Requires an entitlement for all environments
B. All components have a namespace prefix for identification
C. Provides access to all global data
D. Ability to view all components from the sys_metadata table
E. Ability to restrict access to available data
Selected Answer: ABE
Question #: 121
Topic #: 1
How does GRC: Policy and Compliance Management track compliance to Authority Documents?
A. Citations are mapped to entity-scoped controls, which are tested as compliant or non-compliant.
B. Authority Documents are mapped to individual policies, which are either marked compliant or non-compliant.
C. Authority Documents are mapped to control objectives and compliance is checked when controls are tested as compliant or non-compliant.
D. Citations are mapped to control objectives, and compliance is checked when controls are tested as compliant or non-compliant.
Selected Answer: D
Question #: 116
Topic #: 1
For a particular risk assessment methodology (RAM), the control effectiveness score is calculated based on an individual assessment of controls. What are options for control identification? (Choose three.)
A. Controls are identified from library and ad-hoc
B. Controls are identified from indicator results
C. Controls are identified from library
D. Controls are identified ad-hoc
E. Controls are identified from related issues
Selected Answer: ACD
Question #: 115
Topic #: 1
Annualized Loss Expectancy is a feature of which risk score method?
A. Residual
B. Quantitative
C. Qualitative
D. Inherent
Selected Answer: B
Question #: 110
Topic #: 1
Service Level Agreements can be used for which of the following? (Choose two.)
A. Risk Issues
B. Risk
C. Risk Statement
D. Risk Response Task
E. Risk Framework
Selected Answer: AD
Question #: 101
Topic #: 1
Which of the following extends from Content Table? (Choose two.)
A. Citation
B. Policy
C. Control Objective
D. Authority Document
Selected Answer: AC
Question #: 97
Topic #: 1
Which of the following roles can create a policy? (Choose two.)
A. Audit User
B. Compliance User
C. Compliance Manager
D. Risk User
E. Compliance Reader
Selected Answer: BC
Question #: 92
Topic #: 1
Which is not a type of key compliance indicator?
A. Performance Analytics
B. Manual
C. Scripted
D. Reference
E. Basic
Selected Answer: A
Question #: 68
Topic #: 1
An Entity can belong to one or multiple of which of the following?
A. Entity Types
B. Information Objects
C. Departments
D. Entity Classes
Selected Answer: A
Question #: 67
Topic #: 1
Common controls from UCF import into which table in ServiceNow?
A. sn_compliance_policy
B. sn_compliance_policy_statement
C. sn_compliance_policy_exception
D. sn_compliance_authority_document
Selected Answer: B
Question #: 57
Topic #: 1
Which of the following extends from Document Table? (Choose two.)
A. Citation
B. Policy
C. Control Objective
D. Authority Document
Selected Answer: BD
Question #: 143
Topic #: 1
What options are available when configuring the assessment context for a risk assessment methodology (RAM)? (Choose two.)
A. Risk Statement
B. Application Risk
C. Risk
D. Object
E. Project Risk
Selected Answer: CD
Question #: 99
Topic #: 1
What three records need to be set up when integrating with a provider RSS feed? (Choose three.)
A. Feed sources record
B. Provider record
C. Regulatory Feed record
D. Connection and Credentials record
E. Regulatory Change Task record
Selected Answer: AD
Question #: 90
Topic #: 1
Which of the following are triggers for automatic creation of an issue? (Choose two.)
A. Attestation result is Not Implemented
B. Indicator result is Failed or Not Passed
C. Policy Exception Not approved
D. Control tests have been assigned but not tested
Selected Answer: AB
Question #: 19
Topic #: 1
What GRC module would you access in order to update Entity Types?
A. Risk > Entities
B. Scoping > Profiles
C. Scoping > Entity Types
D. CMDB
Selected Answer: C
Question #: 6
Topic #: 1
Why would you create Entity classes?
A. To show relationships between tables or objects you are tracking that don’t otherwise exist anywhere in ServiceNow
B. To be assigned to risk statements, which generate risks for every Entity listed in the Entity Class
C. To be assigned to Control Objectives, which generate Controls for every Entity listed in the Entity class
D. To show relationships between Entities and Policies and map them directly to Citations
Selected Answer: A
Question #: 5
Topic #: 1
What table, along with the Policy table, is linked to the Control Objective table by a many-to-many relationship?
A. Entity Class
B. Citation
C. Authority Documents
D. Risk Framework
Selected Answer: B
Question #: 77
Topic #: 1
Which table stores the links from the Entity Type to Risk Statement?
A. [sn_risk_m2m_statement_profile_type]
B. [sn_risk_m2m_framework_profile_type]
C. [sn_risk_m2m_risk_definition_profile_type]
D. [sn_risk_m2m_policy_profile_type]
Selected Answer: C
Question #: 73
Topic #: 1
Entity Types are applied to which types of records? (Choose three.)
A. Risk Statement
B. Issue
C. Risk
D. Control Objective
E. Policy
F. Control
Selected Answer: ADE