Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.



Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

200-201 · Free, no signup required

Security Policies and Procedures

Practice 200-201 Security Policies and Procedures questions with full explanations on every answer.

145 questions


200-201 Domains: Security Policies and Procedures, Security Concepts, Security Monitoring, Host-Based Analysis, Network Intrusion Analysis


All 200-201 Security Policies and Procedures questions (145)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security analyst discovers that an employee has been sharing login credentials with coworkers. Which policy violation is this?

2

A company wants to ensure that employees report security incidents immediately. Which policy element is most important to include?

3

An organization's security policy requires that all network traffic be inspected by an intrusion prevention system. However, encrypted traffic is bypassing inspection. Which change to the policy would best address this issue?

4

A security policy states that user activity logs must be retained for at least one year. What is the primary purpose of this requirement?

5

A security analyst notices that an employee is accessing the corporate network from an unauthorized device. According to the security policy, which action should the analyst take first?

6

A security policy requires that all changes to firewall rules be approved by two administrators. This is an example of which security principle?

7

An organization's security policy states that all external connections must be authenticated using multi-factor authentication. Which type of policy is this?

8

A company's security policy includes a clause that all software installed on company devices must be approved by the IT department. An employee installs an unapproved application that later causes a malware infection. Which policy was violated?

9

Which TWO of the following are typically included in a security policy's scope statement?

10

Which THREE of the following are common elements of an incident response policy?

11

Which TWO of the following are best practices for implementing a security policy?

12

A security analyst reviews the firewall log. What is the most likely reason for the denied connection?

13

A security auditor reviews the SNMP configuration. Which security concern should be reported?

14

You are a security analyst at a financial services company. The company's security policy mandates that all sensitive data must be encrypted at rest and in transit. A recent internal audit reveals that a database containing customer personally identifiable information (PII) is stored on a server that uses unencrypted storage volumes. The database is accessed by internal applications via unencrypted connections. The policy also requires quarterly vulnerability scans, and the latest scan shows that the server has a critical vulnerability in the database software. Additionally, the server's firewall rules permit inbound traffic from the entire corporate network to the database port. The company's incident response policy requires that any violation of data protection policies be escalated within 24 hours. The IT manager asks you to prioritize actions. What should you do first?

15

You are a security operations analyst for a medium-sized enterprise. The company's security policy requires that all endpoint devices have antivirus software installed and updated. During a routine check, you find that a group of 50 laptops used by the sales team have not received antivirus updates for over three months. The policy also states that any non-compliant devices must be quarantined from the network until they are remediated. The sales team manager argues that quarantining the laptops will disrupt critical sales activities. The company's incident response policy has a clause that allows for temporary exceptions in business-critical situations, but requires approval from the CISO. What is the best course of action?

16

A company's security policy requires that all laptops accessing the corporate network must have full-disk encryption enabled. During a routine audit, an analyst discovers that a manager's laptop does not have encryption enabled. What is the most appropriate first step according to standard security incident response procedures?

17

A network administrator is implementing a new security policy that requires all employees to use multi-factor authentication (MFA) when accessing email from external networks. However, several employees report that they cannot receive SMS codes while traveling internationally. Which design change best balances security and usability?

18

A security analyst is reviewing a series of failed login attempts on a critical server. The logs show that the source IP addresses are from multiple geographic regions and the usernames tried are all valid employees. The attempts occur every 5 minutes for the past hour. According to the company's security policy, which type of attack is most likely occurring, and what is the best immediate response?

19

During a security audit, an analyst discovers that several employees have shared their login credentials with colleagues to expedite work. Which policy enforcement mechanism would be most effective in preventing this behavior?

20

A company's security policy states that all remote access must be through a VPN. An employee complains that the VPN is too slow and asks for an exception to access a specific internal server directly over the internet. What should the security analyst recommend?

21

A security analyst is reviewing the company's incident response plan. The plan states that 'all incidents must be contained within 30 minutes.' During a recent ransomware incident, the analyst identified the affected systems but could not contain them because the containment procedures required manual steps that took over an hour. What is the most likely gap in the plan?

22

A company is developing a new security policy for cloud storage. Which principle should be the foundation of the policy to ensure data confidentiality and integrity?

23

Which TWO of the following are key components of a security policy? (Choose two.)

24

Which THREE of the following are best practices for creating and maintaining security policies? (Choose three.)

25

Which TWO of the following are valid reasons to create an exception to a security policy? (Choose two.)

26

Refer to the exhibit. A network administrator is configuring TACACS+ on a switch. Based on the configuration snippet, what is the expected behavior if the TACACS+ server becomes unreachable?

27

Refer to the exhibit. A security analyst observes a SIEM alert and a firewall log. The firewall allowed the traffic. According to the company's security policy, which action should the analyst take first?

28

You are a security analyst at a mid-sized company that uses a mix of on-premises servers and cloud services. The company's security policy requires all sensitive data to be encrypted at rest and in transit, and all access to be logged and monitored. Recently, the company experienced a data breach where an attacker exfiltrated a database containing customer PII. The investigation revealed that the attacker gained access using a compromised VPN account that had been inactive for 6 months. The account belonged to a former employee who left the company but the account was never disabled. The VPN logs show that the account was used from an unusual IP address, but no alert was triggered because the account was not on any watchlist. The breach occurred over a weekend when the security team was not monitoring. Which of the following would have most effectively prevented this breach?

29

A security analyst is reviewing the incident response plan for a small business. The plan states that after an incident is contained, the next step is to preserve evidence. The CISO wants to ensure that the plan follows NIST guidelines. Which step should be added between containment and evidence preservation according to NIST?

30

An organization is implementing a security policy that requires all remote access to the corporate network to be authenticated using multi-factor authentication (MFA). Which TWO of the following are valid MFA factors?

31

A security analyst receives an alert that an employee's workstation is generating outbound traffic to a known malware command-and-control IP address at 3:00 AM. According to the company's incident response policy, what is the FIRST action the analyst should take?

32

Which TWO of the following are essential components of an effective security policy framework according to Cisco best practices?

33

Refer to the exhibit. A network administrator notices that remote SSH logins to the router succeed, but the router is not sending accounting records. Based on the configuration, what is the most likely cause?

34

Drag and drop the steps for initial configuration of a Cisco IOS device after booting into the correct order.

35

Drag and drop the steps for the DHCP DORA process (dynamic host configuration) into the correct order.

36

Match each network protocol to its well-known port number.

37

Match each network attack type to its description.

38

A security analyst detects a host infected with ransomware on the corporate network. According to incident response procedures, what should be the first action?

39

A company's acceptable use policy (AUP) prohibits personal devices on the corporate network. An employee is found connecting a personal tablet to access internal resources. What should the security team do?

40

A critical security patch for a widely exploited vulnerability is released. The patch requires a system reboot during business hours. According to change management policy, what is the best procedure?

41

An analyst is handling a data breach involving sensitive customer information (PII) stored in a database. According to data classification policy, what is the most critical step to take first?

42

A security administrator is implementing a privileged access management (PAM) solution. Which practice best enforces the principle of least privilege for administrators?

43

A company operating in the EU experiences a data breach involving personal data of EU citizens. Under GDPR, what is the maximum timeframe to notify the supervisory authority?

44

During a security awareness training session, an employee reports they clicked a link in a phishing email but did not enter credentials. Which policy violation is most likely involved?

45

An investigator seizes a laptop as evidence from a crime scene. At the scene, the laptop is turned on and a log file is open. What should the investigator do to preserve evidence according to chain of custody procedures?

46

A company's remote access policy requires VPN connections to use two-factor authentication (2FA). An employee reports they cannot connect because their token is not syncing. What is the best course of action?

47

Which TWO components are essential in a well-written security policy?

48

Which TWO incident types must be reported within 1 hour under the company's incident response policy?

49

Which THREE actions are mandatory in the evidence handling process according to standard forensic procedures?

50

Refer to the exhibit. An ASA security policy is configured as shown. A user from the internet tries to access 192.168.1.5 via HTTP. What will happen?

51

Refer to the exhibit. A security analyst sees this syslog message from the ASA. Which statement best describes what is occurring?

52

Refer to the exhibit. A Cisco router is configured with the shown access list applied inbound on the external interface. An external attacker sends a packet with source IP 10.0.0.1, destination IP 192.168.1.100, destination port 22. What will the router do?

53

A security policy mandates that all administrative access to network devices must be encrypted. Which of the following protocols should be used to comply with this policy?

54

An organization's security policy requires that all security incidents be reported within one hour of discovery. A junior analyst notices an unauthorized login attempt but is unsure if it qualifies as an incident. What should the analyst do first?

55

A company's data classification policy defines "Confidential" data. Which of the following is an example of Confidential data?

56

During a security audit, it is discovered that several users have passwords set to never expire. According to the security policy, passwords must be changed every 90 days. What is the best course of action?

57

An incident response plan specifies that containment must be completed before eradication. A security analyst identifies a malware infection on a critical server. What should be done first?

58

A company's security policy prohibits the use of shared accounts. However, a legacy application requires a shared administrative account to run. What is the best approach?

59

An organization's security policy requires that all traffic between the corporate network and the internet be inspected by an IPS. However, encrypted traffic (HTTPS) cannot be inspected without breaking encryption. Which solution best meets the policy requirement?

60

A security policy states that all portable media must be encrypted. An employee loses a USB drive containing customer data. The drive was encrypted with AES-256. Which of the following is true regarding policy compliance?

61

During a merger, two companies have different security policies. Company A uses a discretionary access control (DAC) model, while Company B uses a mandatory access control (MAC) model. The merged entity must adopt a single policy. Which approach is most likely to be adopted and why?

62

A security policy requires multifactor authentication for all administrative access. Which TWO of the following are examples of factors used in MFA? (Choose two.)

63

A company's security policy mandates data encryption at rest. Which TWO of the following are acceptable methods to meet this requirement? (Choose two.)

64

According to the principles of least privilege, which THREE of the following access controls should be implemented for a typical user account? (Choose three.)

65

Refer to the exhibit. A security policy states that all remote desktop (RDP) and Telnet access from external networks must be blocked. Does the above access-list comply with the policy?

66

Refer to the exhibit. This syslog message is generated from a Cisco firewall. According to the security policy, all traffic from the 10.10.10.0/24 network to the internal 192.168.1.0/24 network must be denied except for HTTP traffic from specific IPs. Which of the following should be investigated?

67

Refer to the exhibit. A security policy requires that network traffic be classified and prioritized to ensure critical applications get bandwidth. A network engineer implements this QoS policy. However, after deployment, a security scanner reports that SSH traffic is starved. Which of the following is the most likely cause?

68

A company's security policy requires that all employees change their passwords every 90 days. Which type of security control does this policy enforce?

69

An analyst discovers that an employee has been using company-issued laptops to run personal cryptocurrency mining software. Which policy violation has occurred?

70

During a security audit, an analyst finds that a third-party vendor has access to sensitive customer data beyond what is necessary for their services. Which principle of least privilege should the policy enforce?

71

A company's security policy states that all employees must use multi-factor authentication (MFA) when accessing the corporate network remotely. Which policy is being applied?

72

During a change management process, a security administrator approves a firewall rule change. After implementation, a critical application becomes unreachable. Which step in the change process was likely missed?

73

An organization's security policy requires data classification labels to be applied to all documents. A manager sends a spreadsheet containing employee PII (personally identifiable information) to the entire company without labeling. Which policy has been violated?

74

Which security policy defines the process for reporting discovered security vulnerabilities to the organization?

75

A security analyst is creating a policy for handling sensitive customer data. The policy must ensure data is encrypted at rest and in transit. Which type of policy most directly addresses this requirement?

76

During an incident, a first responder pulls the network cable of a compromised server. Later, the incident response team is unable to collect volatile data such as running processes. Which policy or procedure was violated?

77

Which TWO of the following are key components of a security policy framework according to Cisco? (Choose two.)

78

Which THREE are required steps in a proper incident response procedure? (Choose three.)

79

Which TWO activities are typically part of a security policy review cycle? (Choose two.)

80

Refer to the exhibit. An administrator configured AAA on a Cisco router. What is the expected outcome when a user tries to access privileged EXEC mode (enable) with the username 'admin' and password 'cisco123'?

81

Refer to the exhibit. A network administrator applied this ACL inbound on the external interface of a firewall. An attacker sends a TCP SYN packet with source IP 192.0.2.1 to destination 10.1.1.100 port 80. Which statement accurately describes the packet's treatment?

82

Refer to the exhibit. A security analyst views these log entries from a Cisco router. What conclusion can be drawn about ACL 101?

83

A company's security policy states that employees must not use corporate laptops for personal web browsing. An employee is found to have streamed video during work hours, consuming significant bandwidth. What is the best course of action?

84

During a security incident, a security analyst isolates an affected host and collects a memory dump. According to incident response procedures, what is the next step the analyst should take?

85

A security auditor reviews a company's security policies and finds that the password policy requires a minimum length of 8 characters and complexity including uppercase, lowercase, digit, and special character. However, the policy does not mandate password expiration. Which of the following is the most significant risk due to this omission?

86

An organization's data classification policy defines four levels: Public, Internal, Confidential, and Restricted. An employee accidentally sends an email containing customer payment card information (PCI) to the entire company mailing list. The data should have been classified as which level?

87

A company has implemented a role-based access control (RBAC) policy for its network devices. A network engineer needs temporary access to configure a router in a different region. According to the RBAC policy, what is the appropriate procedure?

88

A business impact analysis (BIA) for a critical enterprise application reveals a maximum tolerable downtime (MTD) of 4 hours and a recovery time objective (RTO) of 2 hours. The current backup solution can restore the application in 3 hours under optimal conditions. Which of the following is the most appropriate action from a policy perspective?

89

A security policy mandates that all employees complete annual security awareness training. Which of the following metrics best demonstrates the effectiveness of this training?

90

A change management policy requires that all network configuration changes be approved by a change advisory board (CAB) before implementation. An urgent security vulnerability requires an immediate firewall rule change to block an active exploit. What should the network administrator do?

91

A vendor security policy requires that all third-party remote access be limited to specific IP addresses and use multi-factor authentication. During an audit, it is discovered that a vendor's entire office subnet is allowed instead of individual IPs. The vendor argues that the broader range is necessary for redundancy. What is the best way to handle this from a policy perspective?

92

Which TWO of the following are key elements that should be included in an incident response plan?

93

Which THREE of the following are common types of security policies that organizations typically implement?

94

Which TWO of the following are essential requirements for a security policy to be effective?

95

Refer to the exhibit. A network administrator applies this ACL to the WAN interface. What is the effect on BitTorrent traffic (which typically uses ports 6881-6889)?

96

Refer to the exhibit. A security analyst observes these syslog messages from an ASA firewall. Based on the messages, which type of activity is most likely occurring?

97

Refer to the exhibit. A security analyst reviews the access list. Senior management has authorized SSH access (port 22) to external servers only from the 10.1.1.0/24 and 10.1.2.0/24 subnets. What is the most significant security flaw in this ACL?

98

A security policy requires that all email attachments be scanned for malware. An employee receives a legitimate PDF from a customer that is flagged as malicious. What should the analyst do first?

99

A security analyst notices repeated failed login attempts from an external IP. The company has a policy for account lockout after 5 failed attempts. However, the lockout is not triggering. What is the most likely cause?

100

An organization's security policy specifies that all configuration changes must be approved through a change management process. An analyst discovers that a firewall rule was added without approval. What is the appropriate action?

101

A company's security policy requires that all network devices be managed using SSHv2. An auditor finds that some older switches are still using Telnet. The network team claims they cannot upgrade due to budget constraints. What is the best immediate action to mitigate risk?

102

A security policy requires that all privileged access be logged and monitored. A junior admin uses a shared service account to perform maintenance. The logs show the account logged in from multiple IPs at the same time. What does this indicate?

103

A security policy requires that all remote access be through a VPN using strong authentication. A user calls the help desk saying they cannot connect to the VPN. The analyst checks and sees that the user's token is not synchronized. What should the analyst do?

104

A company's security policy states that all network traffic must be inspected by an IPS. However, encrypted traffic (SSL/TLS) is bypassing inspection. The network team wants to implement SSL decryption. What is the primary policy consideration before implementing?

105

A company's incident response policy defines four phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity. During an active ransomware outbreak, the IR team is unable to contain the spread because the containment plan did not account for the malware's use of PowerShell for lateral movement. Which phase had a deficiency?

106

A security policy requires that all endpoints have host-based firewalls enabled. A user reports that an application stopped working after a recent update. What should the analyst do?

107

An analyst is reviewing this configuration. What is the most significant security concern?

108

An analyst sees these logs. What should be the immediate course of action?

109

An analyst is verifying a VPN configuration. Which of the following is true about this configuration?

110

A security policy requires that all data at rest be encrypted. Which TWO of the following are considered best practices for implementing encryption?

111

An organization's security policy requires that all security incidents be reported within 1 hour. A system administrator discovers a potential data breach but delays reporting by 3 hours because they were trying to contain it. Which TWO are the most likely consequences of this delay?

112

An organization's security policy defines acceptable use of corporate email. Which THREE of the following actions are typically prohibited?

113

An organization's security policy requires that all data at rest on laptops be encrypted. An employee reports that their laptop was stolen. Which control would most likely prevent data exposure?

114

A security auditor finds that the company's backup policy does not include offsite storage. The security policy requires that backups be stored in a geographically separate location. What should the company do?

115

A company is implementing a new data classification policy. The policy defines three levels: Public, Internal, and Confidential. An employee accidentally emails a spreadsheet marked 'Confidential' to an external partner. The email system automatically encrypts all outbound emails containing 'Confidential' classification. Which security control is being demonstrated?

116

A company's security policy requires that all system logs be retained for at least one year. A security analyst discovers that log files are being overwritten after 30 days. What is the most likely cause?

117

A security policy requires that all remote access be authenticated using a one-time password (OTP) token. Which technology should be implemented?

118

During a security incident, the incident response team isolates a compromised workstation from the network. The security policy requires that all actions taken during the incident be documented and approved. However, the team lead isolates the workstation without waiting for formal approval. Which principle of incident response is being prioritized?

119

A user reports that they cannot access a file server. The security policy requires that all access be logged and monitored. What is the most likely reason for the access failure?

120

A company's security policy requires that all firewall rule changes be approved through a change management process. An engineer notices an unauthorized rule that allows RDP from any external IP. What is the first step the engineer should take?

121

An organization is developing a new cloud-based application. The security policy requires that all data be encrypted in transit and at rest. Which combination of controls meets this requirement?

122

A security policy requires that employees use strong passwords. Which TWO of the following are characteristics of a strong password? (Select two.)

123

An incident response plan includes steps to contain a ransomware outbreak. Which TWO actions are typically performed during the containment phase? (Select two.)

124

A security policy mandates that all network devices must be hardened. Which THREE of the following are common hardening best practices for routers and switches? (Select three.)

125

Refer to the exhibit. A security analyst reviews the configuration of a router and notices the access list applied to the internal interface. Which traffic from the source network 10.0.0.0/8 will be permitted? (Assume typical web traffic.)

126

GreenTech Inc. is a mid-sized company with 500 employees. The company uses Microsoft Exchange Online for email and has implemented a security policy that requires all employees to report suspicious emails to the security team. The security team uses a phishing simulation tool to train employees. In the past month, several employees have reported receiving emails that appear to be from the CEO requesting urgent wire transfers. The security team has blocked the sender domains and updated the email filters. However, one employee fell for the latest scam and transferred $50,000 to an account before reporting it. The security incident response plan states that any monetary loss must be reported to the board within 24 hours. The security analyst receives the report on Monday morning. What should the analyst do first based on the policy and best practices?

127

MedSecure is a healthcare organization with a security policy that requires all security incidents to be handled following the NIST framework. A system administrator discovers that an unauthorized user has accessed a database containing patient records. The administrator immediately disconnects the server from the network. The security analyst is called to investigate. The analyst finds that the server was not part of the centralized logging system, and the only logs available are the database audit logs. The security policy mandates preservation of evidence and chain of custody. The analyst needs to collect the database audit logs. Which action should the analyst take to ensure proper evidence collection?

128. A security analyst at a medium-sized enterprise notices that an employee's workstation has been sending outbound traffic to a known malicious IP address at irregular intervals. The analyst runs a scan and finds no malware signatures. What should the analyst do next?

129. A company is implementing a security policy that requires all employees to use multi-factor authentication (MFA) when accessing corporate resources remotely. However, during a recent security audit, it was found that several employees have been using app passwords for legacy applications that do not support MFA. What is the best practice under this policy?

130. A network administrator is tasked with creating a security policy for handling sensitive data. Which of the following is the most critical element to include?

131. A security policy mandates that all network devices must have logging enabled and that logs must be reviewed regularly. Which TWO practices are essential for effective log review?

132. A security analyst is creating a procedure for responding to a phishing email reported by a user. Which TWO steps should be included?

133. A company's security policy requires that all changes to firewall rules must be approved by the change advisory board (CAB). Which THREE of the following are valid reasons to bypass this process?

134. You are a security analyst at a multinational corporation. The company has implemented a security policy that requires all employees to use company-issued laptops with full disk encryption. During a routine audit, you discover that a senior executive's laptop is not encrypted. The executive claims that IT support had disabled encryption because the laptop was running slowly. The current policy does not allow exceptions without management approval. The executive's laptop contains sensitive client data. What should you do?

135. You are the cybersecurity analyst for a small business that has a security policy requiring all network traffic to pass through a proxy server for content filtering. Recently, employees have been complaining that some websites are not loading correctly. You check the proxy logs and see that the proxy is blocking traffic that appears to be from non-standard ports. However, upon investigation, you find that the blocked sites are legitimate business tools that use custom ports. Which action aligns with the security policy?

136. A healthcare organization has a security policy that mandates immediate reporting of any potential data breach to the privacy officer. An analyst notices that an employee accidentally emailed a patient list to the wrong recipient. The recipient is known to be a trusted partner, but the email contained PHI. The analyst contacts the recipient, who acknowledges receipt and agrees to delete the email. What should the analyst do next?

137. A financial services company has a security policy that all remote access must be through VPN with two-factor authentication. An employee on a business trip uses a hotel Wi-Fi to connect to the corporate network but claims the VPN client was not working, so they used RDP directly over the internet to access their desktop. The employee's manager approved this as a temporary measure. The security team discovers this during a log review. The policy has no provision for temporary exceptions. What should be the security team's first action?

138. A company's security policy requires that all servers have host-based intrusion detection (HIDS) installed and configured to send alerts to the SIEM. During a routine check, you find that a critical database server has HIDS installed but is not sending alerts because the agent service is stopped. The server administrator says he stopped the service because it was using too much CPU. The policy requires that any deviation from baseline must be approved by the security team. What should you do?

139. A small retail company has a security policy that requires all point-of-sale (POS) systems to be isolated on a separate network segment with strict firewall rules. During a network audit, you discover that the POS system is connected to the same network as the office workstations, violating policy. The store manager says it was done for convenience because the network cable was too short. What is the best course of action?

140. A multinational company has a security policy that all data at rest in cloud storage must be encrypted using company-managed keys. The cloud administrator, due to performance concerns, configured server-side encryption with AWS managed keys instead. The security team discovers this during an audit. The policy does not differentiate between encryption types. The data stored includes financial records. What should the security team do?

141. A security policy requires that all mobile devices connecting to corporate email must have a screen lock and be able to be remotely wiped. An employee's personal phone is lost. The employee reports the loss immediately. The phone is enrolled in MDM with remote wipe capability. However, the employee has not set a screen lock, violating policy. The phone contains synced email and contacts. What should the security team do?

142. An organization's security policy mandates that all external media (USB drives, external hard drives) must be scanned for malware before use. An employee inserts a USB drive to transfer a presentation for a meeting. The employee runs the antivirus scan, but it fails to complete because the USB drive has a hardware write-protect switch. The employee is in a hurry. What should the employee do?

143. A company is creating an incident response policy. Which TWO elements should be included to ensure proper handling of security incidents?

144. Refer to the exhibit. A security analyst notices repeated login failures. According to the company's security policy, what action should be taken?

145. A large enterprise has a security policy that mandates data classification and strict access controls. An IT administrator, John, has been granted temporary administrative privileges to resolve a server issue. During the maintenance window, John accesses a file server and downloads a spreadsheet containing customer PII (Personally Identifiable Information) classified as 'Confidential'. John then emails the spreadsheet to his personal email account to work from home. The security team receives an alert from the DLP system indicating the email transmission. According to the company's incident response policy, which of the following is the FIRST action the security team should take?


Frequently asked questions

What does the Security Policies and Procedures domain cover on the 200-201 exam?

The Security Policies and Procedures domain covers the key concepts tested in this area of the 200-201 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 200-201 domains — no account required.

How many Security Policies and Procedures questions are in the 200-201 question bank?

The Courseiva 200-201 question bank contains 145 questions in the Security Policies and Procedures domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Policies and Procedures for 200-201?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Policies and Procedures questions for 200-201?

Yes — the session launcher on this page draws questions exclusively from the Security Policies and Procedures domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
