© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.
Security Policies and Procedures

Practice 200-201 Security Policies and Procedures questions with full explanations on every answer.

74 questions

All 200-201 Security Policies and Procedures questions (74)

1. During which phase of the NIST SP 800-61 Rev 2 incident response process should an organization develop and exercise the incident response plan?

2. A security analyst receives an alert from the SIEM indicating a large number of failed login attempts from an external IP address targeting a user account. According to the incident response process, what should be the analyst's first action?

3. An organization's incident response team has identified a malware infection on a critical server. They need to collect evidence for potential legal action. Which of the following is the most important step to ensure the admissibility of the evidence?

4. Which role in the incident response process is primarily responsible for determining the business impact of an incident and making strategic decisions?

5. An employee is suspected of using company resources to access inappropriate websites. Which security policy most directly addresses this behavior?

6. During a risk assessment, a company identifies that the annualized loss expectancy (ALE) for a specific threat is $50,000. The cost to implement a mitigation control is $30,000 with an annual maintenance cost of $5,000. According to risk management principles, what is the most appropriate risk treatment option?

7. A SOC analyst at Tier 1 receives an alert for a known malware signature. After initial investigation, the analyst finds that the alert is a false positive caused by an outdated signature. What should the analyst do next?

8. Which threat intelligence sharing standard defines a language and format for representing structured threat information, such as indicators and campaigns?

9. During the containment phase of an incident, the IR team decides to power off a compromised server to prevent further damage. However, they later realize that this action may have destroyed volatile evidence. According to best practices, what should the team have done instead?

10. A company's security policy requires that all data classified as 'Confidential' must be encrypted at rest and in transit. This requirement is part of which policy?

11. Which SOC tier is responsible for threat hunting and advanced forensic analysis?

12. An incident handler needs to preserve a hard drive from a compromised system. Which two actions are essential to maintain the integrity of the evidence?

13. Which of the following are responsibilities of the legal counsel role during incident response? (Choose two.)

14. An organization is implementing a threat intelligence sharing program. They want to exchange both structured indicators and full reports with other members of their ISAC. Which combination of standards/protocols should they choose? (Choose two.)

15. After resolving a security incident, the IR team conducts a lessons learned meeting. Which of the following are typical outputs of this post-incident activity? (Choose three.)

16. During the Detection and Analysis phase of incident response, a SOC Tier 1 analyst identifies a potential malware infection on a critical server. What is the FIRST action the analyst should take according to NIST SP 800-61 Rev 2?

17. An organization is implementing an AUP that prohibits personal use of corporate resources. However, an employee uses a company laptop to access personal email, which leads to a malware infection. Which policy violation is most directly implicated?

18. In the NIST SP 800-61 Rev 2 incident response process, which phase involves documenting lessons learned and updating the incident response plan?

19. A SOC analyst is investigating a suspected data exfiltration. The analyst needs to preserve evidence from a compromised workstation. Which of the following is the CORRECT procedure to ensure evidence integrity?

20. During a security incident, the CISO decides to contain a compromised server by isolating it from the network. Which role is primarily responsible for making this containment decision based on business impact?

21. Which of the following is the CORRECT order of the NIST SP 800-61 Rev 2 incident response lifecycle phases?

22. An organization is conducting a risk assessment and assigns a monetary value to potential losses. Which risk assessment method is being used?

23. A SOC Tier 2 analyst is investigating an alert that was escalated by Tier 1. The analyst needs to perform deeper correlation and malware analysis. Which of the following actions is most appropriate for Tier 2?

24. Which organization facilitates threat intelligence sharing among members in a specific sector, such as finance or healthcare?

25. During the Containment, Eradication, and Recovery phase, the incident response team collects evidence from a compromised system. Which document is used to record the chain of custody?

26. Which risk treatment option involves taking actions to reduce the likelihood or impact of a risk?

27. An organization is required to preserve data that may be relevant to a lawsuit. Which legal process is invoked to prevent destruction of this data?

28. A SOC Tier 3 analyst is performing advanced threat analysis. Which TWO activities are typical for this tier?

29. In the context of risk management, which THREE are valid risk treatment options?

30. Which TWO standards/protocols are directly associated with threat intelligence sharing as defined by the CyberOps Associate curriculum?

31. During which phase of the NIST SP 800-61 Rev 2 incident response process would the incident response team conduct initial triage and determine whether an event qualifies as an incident?

32. A security analyst at a SOC Tier 1 receives an alert about a potential malware infection on a user's workstation. What is the primary responsibility of the Tier 1 analyst in this scenario?

33. An organization is implementing a new remote access policy. Which of the following is a key component that should be included in this policy?

34. During an incident, a forensic analyst needs to preserve evidence from a compromised hard drive. Which of the following steps is essential to maintain the chain of custody?

35. In the context of risk management, which term describes the risk that remains after implementing security controls?

36. An organization is developing an Acceptable Use Policy (AUP). Which of the following topics is typically covered in an AUP?

37. A security analyst needs to share threat intelligence with other organizations in a standardized, machine-readable format. Which combination of standards should the analyst use?

38. During a security incident, the incident handler identifies that the breach involves personally identifiable information (PII) of customers. Which role is primarily responsible for determining if legal notification requirements apply?

39. Which risk treatment option involves implementing security controls to reduce the likelihood or impact of a risk?

40. A SOC Tier 2 analyst is investigating an alert that was escalated from Tier 1. The analyst suspects the malware is using a new variant of ransomware. What is the most appropriate next step for the Tier 2 analyst?

41. An organization is conducting a risk assessment and wants to assign numerical values to the likelihood and impact of risks. Which type of risk assessment is being performed?

42. In the NIST SP 800-61 Rev 2 incident response process, which phase involves activities such as performing lessons learned and updating the incident response plan?

43. A security analyst is collecting evidence from a compromised system for legal proceedings. Which TWO actions are critical to preserve the integrity of the evidence?

44. An organization is implementing a threat intelligence sharing program. Which THREE elements are commonly used standards or platforms for sharing threat intelligence?

45. During a security incident involving an insider threat, which TWO roles are most likely to be directly involved in the response?

46. A security analyst is triaging an alert about a user downloading a suspicious file. According to the NIST SP 800-61 Rev 2 incident response process, in which phase does initial triage occur?

47. During an incident investigation, a forensic analyst needs to preserve the integrity of a hard drive. Which two actions should the analyst take before imaging the drive?

48. A SOC Tier 1 analyst receives an alert for a potential malware infection. What is the primary responsibility of the Tier 1 analyst?

49. An organization has implemented a new password policy requiring 12-character passwords with complexity. Which risk treatment option is this an example of?

50. After containing a security incident, the incident response team eradicates the malware and restores systems from clean backups. Which phase of the NIST SP 800-61 Rev 2 process does this represent?

51. An organization uses STIX and TAXII to share threat intelligence with an ISAC. What is the purpose of TAXII in this scenario?

52. A company's legal counsel is involved in an incident response due to a data breach. What is the primary role of legal counsel during the incident?

53. A SOC analyst is investigating a possible insider threat. Which team member should be consulted due to the nature of the incident?

54. An organization is reviewing its risk management process and identifies a risk with a high probability and high impact. Management decides to stop the activity causing the risk. Which risk treatment option is being applied?

55. During an incident investigation, the IR team collects evidence from a compromised server. The evidence must be admissible in court. Which documentation is essential to maintain the chain of custody?

56. A SOC Tier 3 analyst is performing threat hunting. Which activity best describes the primary focus of a Tier 3 analyst?

57. An organization uses a qualitative risk assessment to evaluate a new vendor. Which characteristic is typical of qualitative risk assessments?

58. A security analyst is establishing a data classification policy. Which TWO categories are commonly included in a data classification policy?

59. After a security incident, the IR team holds a lessons learned meeting. Which THREE activities are part of the Post-Incident Activity phase?

60. A security team is implementing a remote access policy. Which TWO controls should be included to ensure secure remote access?

61. During which phase of the NIST SP 800-61 Rev 2 incident response process does an organization develop an incident response plan and assemble a team?

62. A security analyst is investigating a potential data breach. They need to preserve evidence for legal proceedings. Which action should the analyst take to ensure the integrity of the data?

63. A SOC Tier 2 analyst receives an escalated alert about a potential command-and-control (C2) communication. The analyst needs to correlate network logs with threat intelligence. Which data format and transport protocol pair is specifically designed for standardized threat intelligence sharing?

64. Which security policy defines acceptable use of an organization's IT resources, including internet browsing and email?

65. During an incident, a SOC Tier 1 analyst identifies a series of failed login attempts from an internal IP address. The analyst escalates the alert. What is the primary role of a Tier 2 analyst in this scenario?

66. A financial institution is evaluating risk treatment options for a newly identified vulnerability in its online banking platform. The vulnerability has a high likelihood of exploitation but low business impact. Which risk treatment option is most appropriate?

67. An incident handler collects a hard drive from a compromised server. To maintain chain of custody, which information must be documented?

68. Which TWO roles are typically responsible for making decisions regarding business impact and external communication during an incident? (Select two.)

69. A SOC analyst is investigating a potential malware outbreak. Which THREE actions should the analyst take to preserve evidence? (Select three.)

70. Which TWO are components of the NIST SP 800-61 Rev 2 Preparation phase? (Select two.)

71. A company is implementing threat intelligence sharing. Which THREE standards or platforms are used for this purpose? (Select three.)

72. Which TWO are examples of risk treatment options? (Select two.)

73. During the Containment, Eradication, and Recovery phase, which TWO actions are typically performed? (Select two.)

74. A SOC Tier 1 analyst is processing alerts. Which THREE tasks are typical for a Tier 1 analyst? (Select three.)

Other 200-201 exam domains: Security Monitoring, Network Intrusion Analysis, Host-Based Analysis, Security Concepts.

Frequently asked questions

What does the Security Policies and Procedures domain cover on the 200-201 exam?

The Security Policies and Procedures domain covers the key concepts tested in this area of the 200-201 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 200-201 domains — no account required.

How many Security Policies and Procedures questions are in the 200-201 question bank?

The Courseiva 200-201 question bank contains 74 questions in the Security Policies and Procedures domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Policies and Procedures for 200-201?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Policies and Procedures questions for 200-201?

Yes — the session launcher on this page draws questions exclusively from the Security Policies and Procedures domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
