Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

200-201 Security Policies and Procedures • Complete Question Bank

200-201 Security Policies and Procedures — All Questions With Answers

Complete 200-201 Security Policies and Procedures question bank — all 0 questions with answers and detailed explanations.

74 questions. Free, no signup required.
Question 1 (easy, multiple choice)

During which phase of the NIST SP 800-61 Rev 2 incident response process should an organization develop and exercise the incident response plan?

Question 2 (medium, multiple choice)

A security analyst receives an alert from the SIEM indicating a large number of failed login attempts from an external IP address targeting a user account. According to the incident response process, what should be the analyst's first action?

Question 3 (hard, multiple choice)

An organization's incident response team has identified a malware infection on a critical server. They need to collect evidence for potential legal action. Which of the following is the most important step to ensure the admissibility of the evidence?

Question 4 (medium, multiple choice)

Which role in the incident response process is primarily responsible for determining the business impact of an incident and making strategic decisions?

Question 5 (easy, multiple choice)

An employee is suspected of using company resources to access inappropriate websites. Which security policy most directly addresses this behavior?

Question 6 (hard, multiple choice)

During a risk assessment, a company identifies that the annualized loss expectancy (ALE) for a specific threat is $50,000. The cost to implement a mitigation control is $30,000 with an annual maintenance cost of $5,000. According to risk management principles, what is the most appropriate risk treatment option?

Question 7 (medium, multiple choice)

A SOC analyst at Tier 1 receives an alert for a known malware signature. After initial investigation, the analyst finds that the alert is a false positive caused by an outdated signature. What should the analyst do next?

Question 8 (medium, multiple choice)

Which threat intelligence sharing standard defines a language and format for representing structured threat information, such as indicators and campaigns?

Question 9 (hard, multiple choice)

During the containment phase of an incident, the IR team decides to power off a compromised server to prevent further damage. However, they later realize that this action may have destroyed volatile evidence. According to best practices, what should the team have done instead?

Question 10 (medium, multiple choice)

A company's security policy requires that all data classified as 'Confidential' must be encrypted at rest and in transit. This requirement is part of which policy?

Question 11 (easy, multiple choice)

Which SOC tier is responsible for threat hunting and advanced forensic analysis?

Question 12 (medium, multiple choice)

An incident handler needs to preserve a hard drive from a compromised system. Which two actions are essential to maintain the integrity of the evidence?

Question 13 (medium, multiple choice)

Which of the following are responsibilities of the legal counsel role during incident response? (Choose two.)

Question 14 (hard, multiple choice)

An organization is implementing a threat intelligence sharing program. They want to exchange both structured indicators and full reports with other members of their ISAC. Which combination of standards/protocols should they choose? (Choose two.)

Question 15 (medium, multiple choice)

After resolving a security incident, the IR team conducts a lessons learned meeting. Which of the following are typical outputs of this post-incident activity? (Choose three.)

Question 16 (medium, multiple choice)

During the Detection and Analysis phase of incident response, a SOC Tier 1 analyst identifies a potential malware infection on a critical server. What is the FIRST action the analyst should take according to NIST SP 800-61 Rev 2?

Question 17 (hard, multiple choice)

An organization is implementing an AUP that prohibits personal use of corporate resources. However, an employee uses a company laptop to access personal email, which leads to a malware infection. Which policy violation is most directly implicated?

Question 18 (easy, multiple choice)

In the NIST SP 800-61 Rev 2 incident response process, which phase involves documenting lessons learned and updating the incident response plan?

Question 19 (medium, multiple choice)

A SOC analyst is investigating a suspected data exfiltration. The analyst needs to preserve evidence from a compromised workstation. Which of the following is the CORRECT procedure to ensure evidence integrity?

Question 20 (hard, multiple choice)

During a security incident, the CISO decides to contain a compromised server by isolating it from the network. Which role is primarily responsible for making this containment decision based on business impact?

Question 21 (easy, multiple choice)

Which of the following is the CORRECT order of the NIST SP 800-61 Rev 2 incident response lifecycle phases?

Question 22 (medium, multiple choice)

An organization is conducting a risk assessment and assigns a monetary value to potential losses. Which risk assessment method is being used?

Question 23 (hard, multiple choice)

A SOC Tier 2 analyst is investigating an alert that was escalated by Tier 1. The analyst needs to perform deeper correlation and malware analysis. Which of the following actions is most appropriate for Tier 2?

Question 24 (easy, multiple choice)

Which organization facilitates threat intelligence sharing among members in a specific sector, such as finance or healthcare?

Question 25 (medium, multiple choice)

During the Containment, Eradication, and Recovery phase, the incident response team collects evidence from a compromised system. Which document is used to record the chain of custody?

Question 26 (easy, multiple choice)

Which risk treatment option involves taking actions to reduce the likelihood or impact of a risk?

Question 27 (hard, multiple choice)

An organization is required to preserve data that may be relevant to a lawsuit. Which legal process is invoked to prevent destruction of this data?

Question 28 (medium, multi-select)

A SOC Tier 3 analyst is performing advanced threat analysis. Which TWO activities are typical for this tier?

Question 29 (medium, multi-select)

In the context of risk management, which THREE are valid risk treatment options?

Question 30 (hard, multi-select)

Which TWO standards/protocols are directly associated with threat intelligence sharing as defined by the CyberOps Associate curriculum?

Question 31 (easy, multiple choice)

During which phase of the NIST SP 800-61 Rev 2 incident response process would the incident response team conduct initial triage and determine whether an event qualifies as an incident?

Question 32 (medium, multiple choice)

A security analyst at a SOC Tier 1 receives an alert about a potential malware infection on a user's workstation. What is the primary responsibility of the Tier 1 analyst in this scenario?

Question 33 (medium, multiple choice)

An organization is implementing a new remote access policy. Which of the following is a key component that should be included in this policy?

Question 34 (hard, multiple choice)

During an incident, a forensic analyst needs to preserve evidence from a compromised hard drive. Which of the following steps is essential to maintain the chain of custody?

Question 35 (easy, multiple choice)

In the context of risk management, which term describes the risk that remains after implementing security controls?

Question 36 (medium, multiple choice)

An organization is developing an Acceptable Use Policy (AUP). Which of the following topics is typically covered in an AUP?

Question 37 (hard, multiple choice)

A security analyst needs to share threat intelligence with other organizations in a standardized, machine-readable format. Which combination of standards should the analyst use?

Question 38 (medium, multiple choice)

During a security incident, the incident handler identifies that the breach involves personally identifiable information (PII) of customers. Which role is primarily responsible for determining if legal notification requirements apply?

Question 39 (easy, multiple choice)

Which risk treatment option involves implementing security controls to reduce the likelihood or impact of a risk?

Question 40 (medium, multiple choice)

A SOC Tier 2 analyst is investigating an alert that was escalated from Tier 1. The analyst suspects the malware is using a new variant of ransomware. What is the most appropriate next step for the Tier 2 analyst?

Question 41 (hard, multiple choice)

An organization is conducting a risk assessment and wants to assign numerical values to the likelihood and impact of risks. Which type of risk assessment is being performed?

Question 42 (easy, multiple choice)

In the NIST SP 800-61 Rev 2 incident response process, which phase involves activities such as performing lessons learned and updating the incident response plan?

Question 43 (medium, multi-select)

A security analyst is collecting evidence from a compromised system for legal proceedings. Which TWO actions are critical to preserve the integrity of the evidence?

Question 44 (hard, multi-select)

An organization is implementing a threat intelligence sharing program. Which THREE elements are commonly used standards or platforms for sharing threat intelligence?

Question 45 (medium, multi-select)

During a security incident involving an insider threat, which TWO roles are most likely to be directly involved in the response?

Question 46 (easy, multiple choice)

A security analyst is triaging an alert about a user downloading a suspicious file. According to the NIST SP 800-61 Rev 2 incident response process, in which phase does initial triage occur?

Question 47 (easy, multiple choice)

During an incident investigation, a forensic analyst needs to preserve the integrity of a hard drive. Which two actions should the analyst take before imaging the drive?

Question 48 (easy, multiple choice)

A SOC Tier 1 analyst receives an alert for a potential malware infection. What is the primary responsibility of the Tier 1 analyst?

Question 49 (medium, multiple choice)

An organization has implemented a new password policy requiring 12-character passwords with complexity. Which risk treatment option is this an example of?

Question 50 (medium, multiple choice)

After containing a security incident, the incident response team eradicates the malware and restores systems from clean backups. Which phase of the NIST SP 800-61 Rev 2 process does this represent?

Question 51 (medium, multiple choice)

An organization uses STIX and TAXII to share threat intelligence with an ISAC. What is the purpose of TAXII in this scenario?

Question 52 (medium, multiple choice)

A company's legal counsel is involved in an incident response due to a data breach. What is the primary role of legal counsel during the incident?

Question 53 (medium, multiple choice)

A SOC analyst is investigating a possible insider threat. Which team member should be consulted due to the nature of the incident?

Question 54 (medium, multiple choice)

An organization is reviewing its risk management process and identifies a risk with a high probability and high impact. Management decides to stop the activity causing the risk. Which risk treatment option is being applied?

Question 55 (hard, multiple choice)

During an incident investigation, the IR team collects evidence from a compromised server. The evidence must be admissible in court. Which documentation is essential to maintain the chain of custody?

Question 56 (hard, multiple choice)

A SOC Tier 3 analyst is performing threat hunting. Which activity best describes the primary focus of a Tier 3 analyst?

Question 57 (hard, multiple choice)

An organization uses a qualitative risk assessment to evaluate a new vendor. Which characteristic is typical of qualitative risk assessments?

Question 58 (easy, multi-select)

A security analyst is establishing a data classification policy. Which TWO categories are commonly included in a data classification policy?

Question 59 (medium, multi-select)

After a security incident, the IR team holds a lessons learned meeting. Which THREE activities are part of the Post-Incident Activity phase?

Question 60 (hard, multi-select)

A security team is implementing a remote access policy. Which TWO controls should be included to ensure secure remote access?

Question 61 (easy, multiple choice)

During which phase of the NIST SP 800-61 Rev 2 incident response process does an organization develop an incident response plan and assemble a team?

Question 62 (medium, multiple choice)

A security analyst is investigating a potential data breach. They need to preserve evidence for legal proceedings. Which action should the analyst take to ensure the integrity of the data?

Question 63 (hard, multiple choice)

A SOC Tier 2 analyst receives an escalated alert about a potential command-and-control (C2) communication. The analyst needs to correlate network logs with threat intelligence. Which data format and transport protocol pair is specifically designed for standardized threat intelligence sharing?

Question 64 (easy, multiple choice)

Which security policy defines acceptable use of an organization's IT resources, including internet browsing and email?

Question 65 (medium, multiple choice)

During an incident, a SOC Tier 1 analyst identifies a series of failed login attempts from an internal IP address. The analyst escalates the alert. What is the primary role of a Tier 2 analyst in this scenario?

Question 66 (hard, multiple choice)

A financial institution is evaluating risk treatment options for a newly identified vulnerability in its online banking platform. The vulnerability has a high likelihood of exploitation but low business impact. Which risk treatment option is most appropriate?

Question 67 (medium, multiple choice)

An incident handler collects a hard drive from a compromised server. To maintain chain of custody, which information must be documented?

Question 68 (easy, multi-select)

Which TWO roles are typically responsible for making decisions regarding business impact and external communication during an incident? (Select two.)

Question 69 (medium, multi-select)

A SOC analyst is investigating a potential malware outbreak. Which THREE actions should the analyst take to preserve evidence? (Select three.)

Question 70 (medium, multi-select)

Which TWO are components of the NIST SP 800-61 Rev 2 Preparation phase? (Select two.)

Question 71 (hard, multi-select)

A company is implementing threat intelligence sharing. Which THREE standards or platforms are used for this purpose? (Select three.)

Question 72 (easy, multi-select)

Which TWO are examples of risk treatment options? (Select two.)

Question 73 (medium, multi-select)

During the Containment, Eradication, and Recovery phase, which TWO actions are typically performed? (Select two.)

Question 74 (hard, multi-select)

A SOC Tier 1 analyst is processing alerts. Which THREE tasks are typical for a Tier 1 analyst? (Select three.)
