2026 – Governance, Risk & Compliance (GRC) Task Solution Guide + Ready-to-Submit Template
A. Based on the Security Assessment Report for Fielder Medical Center, the current gaps in its security framework are:

Lack of Security Controls and Policies: Comprehensive security controls and policies are needed, including access control policies and procedures, account management, least privilege, and security attributes.

Outdated Systems Design: The current system design is outdated and does not meet the compliance requirements. The System Security Plan (SSP) needs to be updated to remediate these gaps.

Need for Updated Security and Privacy Plans: The current security and privacy plans do not reflect the organization's needs and requirements. An updated information security program plan and system inventory/asset list are needed, along with a risk assessment that reflects the new controls within the network and information systems.

Lack of Multifactor Authentication (MFA): Multi-Factor Authentication needs to be implemented to identify and authenticate organizational users requiring access to network and information systems.
B. The 5 Security Controls and Ratings.

1. The five selected controls and their risk ratings:
   AC-6: Moderate
   CA-5: Moderate
   CA-7: High
   RA-3: Low
   RA-7: Moderate
This study source was downloaded by 100000888633538 from CourseHero.com on 01-17-2026 11:40:51 GMT -06:00
https://www.coursehero.com/file/222525106/Governance-Risk-and-Compliance-Performance-Assessmentdocx/
2. FMC's decision to remediate the risk associated with the identified controls, rather than accept it, is justified by compliance and industry guidelines and supported by industry-respected sources as follows:
Industry Standards: The NIST Risk Management Framework provides a comprehensive process for managing information security and privacy risk. It recommends implementing controls and continuously monitoring them, which aligns with the identified controls listed previously.
Regulatory Compliance: Compliance with industry regulations often requires risk remediation. For instance, the Cybersecurity and Infrastructure Security Agency (CISA) recommends remediating vulnerabilities in internet-accessible systems. Not remediating these risks could lead to non-compliance penalties.
Risk Exposure: Accepting a risk means that the organization is willing to bear the consequences if the risk event occurs. Given the potential impact of security breaches, including financial loss and reputational damage, it is often more cost-effective to remediate the risk.
Best Practices: Industry-respected sources suggest that risk remediation should be a priority. For example, RiskXchange recommends ensuring that the security team uses an industry-standard risk scoring system, and BitSight suggests setting acceptable risk thresholds.
In conclusion, remediating the risk associated with the identified controls is a strategic decision that aligns with industry standards, ensures regulatory compliance, minimizes risk exposure, and follows best practices.