Practice 200-201 Security Policies and Procedures questions with full explanations on every answer.
1. During which phase of the NIST SP 800-61 Rev 2 incident response process should an organization develop and exercise the incident response plan?
2. A security analyst receives an alert from the SIEM indicating a large number of failed login attempts from an external IP address targeting a user account. According to the incident response process, what should be the analyst's first action?
3. An organization's incident response team has identified a malware infection on a critical server. They need to collect evidence for potential legal action. Which of the following is the most important step to ensure the admissibility of the evidence?
4. Which role in the incident response process is primarily responsible for determining the business impact of an incident and making strategic decisions?
5. An employee is suspected of using company resources to access inappropriate websites. Which security policy most directly addresses this behavior?
6. During a risk assessment, a company identifies that the annualized loss expectancy (ALE) for a specific threat is $50,000. The cost to implement a mitigation control is $30,000 with an annual maintenance cost of $5,000. According to risk management principles, what is the most appropriate risk treatment option?
7. A SOC analyst at Tier 1 receives an alert for a known malware signature. After initial investigation, the analyst finds that the alert is a false positive caused by an outdated signature. What should the analyst do next?
8. Which threat intelligence sharing standard defines a language and format for representing structured threat information, such as indicators and campaigns?
9. During the containment phase of an incident, the IR team decides to power off a compromised server to prevent further damage. However, they later realize that this action may have destroyed volatile evidence. According to best practices, what should the team have done instead?
10. A company's security policy requires that all data classified as 'Confidential' must be encrypted at rest and in transit. This requirement is part of which policy?
11. Which SOC tier is responsible for threat hunting and advanced forensic analysis?
12. An incident handler needs to preserve a hard drive from a compromised system. Which two actions are essential to maintain the integrity of the evidence?
13. Which of the following are responsibilities of the legal counsel role during incident response? (Choose two.)
14. An organization is implementing a threat intelligence sharing program. They want to exchange both structured indicators and full reports with other members of their ISAC. Which combination of standards/protocols should they choose? (Choose two.)
15. After resolving a security incident, the IR team conducts a lessons learned meeting. Which of the following are typical outputs of this post-incident activity? (Choose three.)
16. During the Detection and Analysis phase of incident response, a SOC Tier 1 analyst identifies a potential malware infection on a critical server. What is the FIRST action the analyst should take according to NIST SP 800-61 Rev 2?
17. An organization is implementing an AUP that prohibits personal use of corporate resources. However, an employee uses a company laptop to access personal email, which leads to a malware infection. Which policy violation is most directly implicated?
18. In the NIST SP 800-61 Rev 2 incident response process, which phase involves documenting lessons learned and updating the incident response plan?
19. A SOC analyst is investigating a suspected data exfiltration. The analyst needs to preserve evidence from a compromised workstation. Which of the following is the CORRECT procedure to ensure evidence integrity?
20. During a security incident, the CISO decides to contain a compromised server by isolating it from the network. Which role is primarily responsible for making this containment decision based on business impact?
21. Which of the following is the CORRECT order of the NIST SP 800-61 Rev 2 incident response lifecycle phases?
22. An organization is conducting a risk assessment and assigns a monetary value to potential losses. Which risk assessment method is being used?
23. A SOC Tier 2 analyst is investigating an alert that was escalated by Tier 1. The analyst needs to perform deeper correlation and malware analysis. Which of the following actions is most appropriate for Tier 2?
24. Which organization facilitates threat intelligence sharing among members in a specific sector, such as finance or healthcare?
25. During the Containment, Eradication, and Recovery phase, the incident response team collects evidence from a compromised system. Which document is used to record the chain of custody?
26. Which risk treatment option involves taking actions to reduce the likelihood or impact of a risk?
27. An organization is required to preserve data that may be relevant to a lawsuit. Which legal process is invoked to prevent destruction of this data?
28. A SOC Tier 3 analyst is performing advanced threat analysis. Which TWO activities are typical for this tier?
29. In the context of risk management, which THREE are valid risk treatment options?
30. Which TWO standards/protocols are directly associated with threat intelligence sharing as defined by the CyberOps Associate curriculum?
31. During which phase of the NIST SP 800-61 Rev 2 incident response process would the incident response team conduct initial triage and determine whether an event qualifies as an incident?
32. A security analyst at a SOC Tier 1 receives an alert about a potential malware infection on a user's workstation. What is the primary responsibility of the Tier 1 analyst in this scenario?
33. An organization is implementing a new remote access policy. Which of the following is a key component that should be included in this policy?
34. During an incident, a forensic analyst needs to preserve evidence from a compromised hard drive. Which of the following steps is essential to maintain the chain of custody?
35. In the context of risk management, which term describes the risk that remains after implementing security controls?
36. An organization is developing an Acceptable Use Policy (AUP). Which of the following topics is typically covered in an AUP?
37. A security analyst needs to share threat intelligence with other organizations in a standardized, machine-readable format. Which combination of standards should the analyst use?
38. During a security incident, the incident handler identifies that the breach involves personally identifiable information (PII) of customers. Which role is primarily responsible for determining if legal notification requirements apply?
39. Which risk treatment option involves implementing security controls to reduce the likelihood or impact of a risk?
40. A SOC Tier 2 analyst is investigating an alert that was escalated from Tier 1. The analyst suspects the malware is using a new variant of ransomware. What is the most appropriate next step for the Tier 2 analyst?
41. An organization is conducting a risk assessment and wants to assign numerical values to the likelihood and impact of risks. Which type of risk assessment is being performed?
42. In the NIST SP 800-61 Rev 2 incident response process, which phase involves activities such as performing lessons learned and updating the incident response plan?
43. A security analyst is collecting evidence from a compromised system for legal proceedings. Which TWO actions are critical to preserve the integrity of the evidence?
44. An organization is implementing a threat intelligence sharing program. Which THREE elements are commonly used standards or platforms for sharing threat intelligence?
45. During a security incident involving an insider threat, which TWO roles are most likely to be directly involved in the response?
46. A security analyst is triaging an alert about a user downloading a suspicious file. According to the NIST SP 800-61 Rev 2 incident response process, in which phase does initial triage occur?
47. During an incident investigation, a forensic analyst needs to preserve the integrity of a hard drive. Which two actions should the analyst take before imaging the drive?
48. A SOC Tier 1 analyst receives an alert for a potential malware infection. What is the primary responsibility of the Tier 1 analyst?
49. An organization has implemented a new password policy requiring 12-character passwords with complexity. Which risk treatment option is this an example of?
50. After containing a security incident, the incident response team eradicates the malware and restores systems from clean backups. Which phase of the NIST SP 800-61 Rev 2 process does this represent?
51. An organization uses STIX and TAXII to share threat intelligence with an ISAC. What is the purpose of TAXII in this scenario?
52. A company's legal counsel is involved in an incident response due to a data breach. What is the primary role of legal counsel during the incident?
53. A SOC analyst is investigating a possible insider threat. Which team member should be consulted due to the nature of the incident?
54. An organization is reviewing its risk management process and identifies a risk with a high probability and high impact. Management decides to stop the activity causing the risk. Which risk treatment option is being applied?
55. During an incident investigation, the IR team collects evidence from a compromised server. The evidence must be admissible in court. Which documentation is essential to maintain the chain of custody?
56. A SOC Tier 3 analyst is performing threat hunting. Which activity best describes the primary focus of a Tier 3 analyst?
57. An organization uses a qualitative risk assessment to evaluate a new vendor. Which characteristic is typical of qualitative risk assessments?
58. A security analyst is establishing a data classification policy. Which TWO categories are commonly included in a data classification policy?
59. After a security incident, the IR team holds a lessons learned meeting. Which THREE activities are part of the Post-Incident Activity phase?
60. A security team is implementing a remote access policy. Which TWO controls should be included to ensure secure remote access?
61. During which phase of the NIST SP 800-61 Rev 2 incident response process does an organization develop an incident response plan and assemble a team?
62. A security analyst is investigating a potential data breach. They need to preserve evidence for legal proceedings. Which action should the analyst take to ensure the integrity of the data?
63. A SOC Tier 2 analyst receives an escalated alert about a potential command-and-control (C2) communication. The analyst needs to correlate network logs with threat intelligence. Which data format and transport protocol pair is specifically designed for standardized threat intelligence sharing?
64. Which security policy defines acceptable use of an organization's IT resources, including internet browsing and email?
65. During an incident, a SOC Tier 1 analyst identifies a series of failed login attempts from an internal IP address. The analyst escalates the alert. What is the primary role of a Tier 2 analyst in this scenario?
66. A financial institution is evaluating risk treatment options for a newly identified vulnerability in its online banking platform. The vulnerability has a high likelihood of exploitation but low business impact. Which risk treatment option is most appropriate?
67. An incident handler collects a hard drive from a compromised server. To maintain chain of custody, which information must be documented?
68. Which TWO roles are typically responsible for making decisions regarding business impact and external communication during an incident? (Select two.)
69. A SOC analyst is investigating a potential malware outbreak. Which THREE actions should the analyst take to preserve evidence? (Select three.)
70. Which TWO are components of the NIST SP 800-61 Rev 2 Preparation phase? (Select two.)
71. A company is implementing threat intelligence sharing. Which THREE standards or platforms are used for this purpose? (Select three.)
72. Which TWO are examples of risk treatment options? (Select two.)
73. During the Containment, Eradication, and Recovery phase, which TWO actions are typically performed? (Select two.)
74. A SOC Tier 1 analyst is processing alerts. Which THREE tasks are typical for a Tier 1 analyst? (Select three.)
The Security Policies and Procedures domain covers the key concepts tested in this area of the 200-201 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 200-201 domains — no account required.
The Courseiva 200-201 question bank contains 74 questions in the Security Policies and Procedures domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Policies and Procedures domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.