
200-201 Security Policies and Procedures • Complete Question Bank

200-201 Security Policies and Procedures — All Questions With Answers

Complete 200-201 Security Policies and Procedures question bank — all 0 questions with answers and detailed explanations.

145 questions. Free, no signup required.
Question 1 (medium, multiple choice)

A security analyst discovers that an employee has been sharing login credentials with coworkers. Which policy violation is this?

Question 2 (easy, multiple choice)

A company wants to ensure that employees report security incidents immediately. Which policy element is most important to include?

Question 3 (hard, multiple choice)

An organization's security policy requires that all network traffic be inspected by an intrusion prevention system. However, encrypted traffic is bypassing inspection. Which change to the policy would best address this issue?

Question 4 (easy, multiple choice)

A security policy states that user activity logs must be retained for at least one year. What is the primary purpose of this requirement?

Question 5 (hard, multiple choice)

A security analyst notices that an employee is accessing the corporate network from an unauthorized device. According to the security policy, which action should the analyst take first?

Question 6 (medium, multiple choice)

A security policy requires that all changes to firewall rules be approved by two administrators. This is an example of which security principle?

Question 7 (medium, multiple choice)

An organization's security policy states that all external connections must be authenticated using multi-factor authentication. Which type of policy is this?

Question 8 (hard, multiple choice)

A company's security policy includes a clause that all software installed on company devices must be approved by the IT department. An employee installs an unapproved application that later causes a malware infection. Which policy was violated?

Question 9 (medium, multi select)

Which TWO of the following are typically included in a security policy's scope statement?

Question 10 (hard, multi select)

Which THREE of the following are common elements of an incident response policy?

Question 11 (medium, multi select)

Which TWO of the following are best practices for implementing a security policy?

Question 12 (easy, multiple choice)

A security analyst reviews the firewall log. What is the most likely reason for the denied connection?

Exhibit (Network Topology)

Refer to the exhibit.
```
Firewall log entry
! End of log entry
```
Question 13 (hard, multiple choice)

A security auditor reviews the SNMP configuration. Which security concern should be reported?

Exhibit (Network Topology)

Refer to the exhibit.
```
snmp-server community public RO
snmp-server community private RW
snmp-server location Building_A
snmp-server contact admin@company.com
! End of configuration
```
Question 14 (hard, multiple choice)

You are a security analyst at a financial services company. The company's security policy mandates that all sensitive data must be encrypted at rest and in transit. A recent internal audit reveals that a database containing customer personally identifiable information (PII) is stored on a server that uses unencrypted storage volumes. The database is accessed by internal applications via unencrypted connections. The policy also requires quarterly vulnerability scans, and the latest scan shows that the server has a critical vulnerability in the database software. Additionally, the server's firewall rules permit inbound traffic from the entire corporate network to the database port. The company's incident response policy requires that any violation of data protection policies be escalated within 24 hours. The IT manager asks you to prioritize actions. What should you do first?

Question 15 (medium, multiple choice)

You are a security operations analyst for a medium-sized enterprise. The company's security policy requires that all endpoint devices have antivirus software installed and updated. During a routine check, you find that a group of 50 laptops used by the sales team have not received antivirus updates for over three months. The policy also states that any non-compliant devices must be quarantined from the network until they are remediated. The sales team manager argues that quarantining the laptops will disrupt critical sales activities. The company's incident response policy has a clause that allows for temporary exceptions in business-critical situations, but requires approval from the CISO. What is the best course of action?

Question 16 (easy, multiple choice)

A company's security policy requires that all laptops accessing the corporate network must have full-disk encryption enabled. During a routine audit, an analyst discovers that a manager's laptop does not have encryption enabled. What is the most appropriate first step according to standard security incident response procedures?

Question 17 (medium, multiple choice)

A network administrator is implementing a new security policy that requires all employees to use multi-factor authentication (MFA) when accessing email from external networks. However, several employees report that they cannot receive SMS codes while traveling internationally. Which design change best balances security and usability?

Question 18 (hard, multiple choice)

A security analyst is reviewing a series of failed login attempts on a critical server. The logs show that the source IP addresses are from multiple geographic regions and the usernames tried are all valid employees. The attempts occur every 5 minutes for the past hour. According to the company's security policy, which type of attack is most likely occurring, and what is the best immediate response?

Question 19 (easy, multiple choice)

During a security audit, an analyst discovers that several employees have shared their login credentials with colleagues to expedite work. Which policy enforcement mechanism would be most effective in preventing this behavior?

Question 20 (medium, multiple choice)

A company's security policy states that all remote access must be through a VPN. An employee complains that the VPN is too slow and asks for an exception to access a specific internal server directly over the internet. What should the security analyst recommend?

Question 21 (hard, multiple choice)

A security analyst is reviewing the company's incident response plan. The plan states that 'all incidents must be contained within 30 minutes.' During a recent ransomware incident, the analyst identified the affected systems but could not contain them because the containment procedures required manual steps that took over an hour. What is the most likely gap in the plan?

Question 22 (medium, multiple choice)

A company is developing a new security policy for cloud storage. Which principle should be the foundation of the policy to ensure data confidentiality and integrity?

Question 23 (easy, multi select)

Which TWO of the following are key components of a security policy? (Choose two.)

Question 24 (medium, multi select)

Which THREE of the following are best practices for creating and maintaining security policies? (Choose three.)

Question 25 (hard, multi select)

Which TWO of the following are valid reasons to create an exception to a security policy? (Choose two.)

Question 26 (easy, multiple choice)

Refer to the exhibit. A network administrator is configuring TACACS+ on a switch. Based on the configuration snippet, what is the expected behavior if the TACACS+ server becomes unreachable?

Exhibit

Refer to the exhibit.
```
switch# show running-config | include aaa
 aaa new-model
 aaa authentication login default local
 aaa authorization exec default local
 aaa accounting exec default start-stop group tacacs+
```
Question 27 (medium, multiple choice)

Refer to the exhibit. A security analyst observes a SIEM alert and a firewall log. The firewall allowed the traffic. According to the company's security policy, which action should the analyst take first?

Exhibit

Refer to the exhibit.
```
! Threat Alert from SIEM
Event: Multiple failed logins from IP 10.0.0.5
Time: 2025-03-15 14:32:00
User: admin
Source IP: 10.0.0.5
Destination: 192.168.1.100 (SSH)
Count: 50 in 5 minutes

! Firewall Log
2025-03-15 14:35:00, ALLOW, TCP, 10.0.0.5:54321, 192.168.1.100:22, 100 bytes
```
Question 28 (hard, multiple choice)

You are a security analyst at a mid-sized company that uses a mix of on-premises servers and cloud services. The company's security policy requires all sensitive data to be encrypted at rest and in transit, and all access to be logged and monitored. Recently, the company experienced a data breach in which an attacker exfiltrated a database containing customer PII. The investigation revealed that the attacker gained access using a compromised VPN account that had been inactive for 6 months. The account belonged to a former employee who had left the company, but the account was never disabled. The VPN logs show that the account was used from an unusual IP address, but no alert was triggered because the account was not on any watchlist. The breach occurred over a weekend when the security team was not monitoring. Which of the following would have most effectively prevented this breach?

Question 29 (easy, multiple choice)

A security analyst is reviewing the incident response plan for a small business. The plan states that after an incident is contained, the next step is to preserve evidence. The CISO wants to ensure that the plan follows NIST guidelines. Which step should be added between containment and evidence preservation according to NIST?

Question 30 (medium, multi select)

An organization is implementing a security policy that requires all remote access to the corporate network to be authenticated using multi-factor authentication (MFA). Which TWO of the following are valid MFA factors?

Question 31 (easy, multiple choice)

A security analyst receives an alert that an employee's workstation is generating outbound traffic to a known malware command-and-control IP address at 3:00 AM. According to the company's incident response policy, what is the FIRST action the analyst should take?

Question 32 (medium, multi select)

Which TWO of the following are essential components of an effective security policy framework according to Cisco best practices?

Question 33 (hard, multiple choice)

Refer to the exhibit. A network administrator notices that remote SSH logins to the router succeed, but the router is not sending accounting records. Based on the configuration, what is the most likely cause?

Exhibit

Refer to the exhibit.
```
! Output from show running-config | include aaa
! on a Cisco router
aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+
!
! Output from show running-config | include tacacs
! on the same router
tacacs server TACACS1
 address ipv4 192.168.1.100
 key cisco123
!
```
Question 34 (medium, drag order)

Drag and drop the steps for initial configuration of a Cisco IOS device after booting into the correct order.

Question 35 (medium, drag order)

Drag and drop the steps for the DHCP DORA process (dynamic host configuration) into the correct order.

Question 36 (medium, matching)

Match each network protocol to its well-known port number.

Port numbers to match: 22, 443, 53, 25, 3389

Question 37 (medium, matching)

Match each network attack type to its description.

Descriptions to match:
Social engineering via email to steal credentials
Overwhelming a target with traffic from multiple sources
Intercepting communications between two parties
Injecting malicious SQL queries into input fields
Associating attacker's MAC with victim's IP

Question 38 (easy, multiple choice)

A security analyst detects a host infected with ransomware on the corporate network. According to incident response procedures, what should be the first action?

Question 39 (easy, multiple choice)

A company's acceptable use policy (AUP) prohibits personal devices on the corporate network. An employee is found connecting a personal tablet to access internal resources. What should the security team do?

Question 40 (medium, multiple choice)

A critical security patch for a widely exploited vulnerability is released. The patch requires a system reboot during business hours. According to change management policy, what is the best procedure?

Question 41 (medium, multiple choice)

An analyst is handling a data breach involving sensitive customer information (PII) stored in a database. According to data classification policy, what is the most critical step to take first?

Question 42 (medium, multiple choice)

A security administrator is implementing a privileged access management (PAM) solution. Which practice best enforces the principle of least privilege for administrators?

Question 43 (hard, multiple choice)

A company operating in the EU experiences a data breach involving personal data of EU citizens. Under GDPR, what is the maximum timeframe to notify the supervisory authority?

Question 44 (hard, multiple choice)

During a security awareness training session, an employee reports they clicked a link in a phishing email but did not enter credentials. Which policy violation is most likely involved?

Question 45 (hard, multiple choice)

An investigator seizes a laptop as evidence from a crime scene. At the scene, the laptop is turned on and a log file is open. What should the investigator do to preserve evidence according to chain of custody procedures?

Question 46 (medium, multiple choice)

A company's remote access policy requires VPN connections to use two-factor authentication (2FA). An employee reports they cannot connect because their token is not syncing. What is the best course of action?

Question 47 (easy, multi select)

Which TWO components are essential in a well-written security policy?

Question 48 (medium, multi select)

Which TWO incident types must be reported within 1 hour under the company's incident response policy?

Question 49 (hard, multi select)

Which THREE actions are mandatory in the evidence handling process according to standard forensic procedures?

Question 50 (easy, multiple choice)

Refer to the exhibit. An ASA security policy is configured as shown. A user from the internet tries to access 192.168.1.5 via HTTP. What will happen?

Exhibit

Refer to the exhibit.
```
object network INSIDE_SUBNET
 subnet 192.168.1.0 255.255.255.0
object network WEB_SERVER
 host 10.0.0.10
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 80
access-list OUTSIDE_IN extended deny ip any any
```
Question 51 (medium, multiple choice)

Refer to the exhibit. A security analyst sees this syslog message from the ASA. Which statement best describes what is occurring?

Exhibit

Refer to the exhibit.
```
%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.1/80 (203.0.113.1/80) to inside:192.168.1.100/54832
```
Question 52 (hard, multiple choice)

Refer to the exhibit. A Cisco router is configured with the shown access list applied inbound on the external interface. An external attacker sends a packet with source IP 10.0.0.1, destination IP 192.168.1.100, destination port 22. What will the router do?

Exhibit

Refer to the exhibit.
```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group INBOUND in
!
access-list INBOUND deny tcp any host 192.168.1.100 eq 22
access-list INBOUND permit ip any any
```
Question 53 (easy, multiple choice)

A security policy mandates that all administrative access to network devices must be encrypted. Which of the following protocols should be used to comply with this policy?

Question 54 (easy, multiple choice)

An organization's security policy requires that all security incidents be reported within one hour of discovery. A junior analyst notices an unauthorized login attempt but is unsure if it qualifies as an incident. What should the analyst do first?

Question 55 (easy, multiple choice)

A company's data classification policy defines "Confidential" data. Which of the following is an example of Confidential data?

Question 56 (medium, multiple choice)

During a security audit, it is discovered that several users have passwords set to never expire. According to the security policy, passwords must be changed every 90 days. What is the best course of action?

Question 57 (medium, multiple choice)

An incident response plan specifies that containment must be completed before eradication. A security analyst identifies a malware infection on a critical server. What should be done first?

Question 58 (medium, multiple choice)

A company's security policy prohibits the use of shared accounts. However, a legacy application requires a shared administrative account to run. What is the best approach?

Question 59 (hard, multiple choice)

An organization's security policy requires that all traffic between the corporate network and the internet be inspected by an IPS. However, encrypted traffic (HTTPS) cannot be inspected without breaking encryption. Which solution best meets the policy requirement?

Question 60 (hard, multiple choice)

A security policy states that all portable media must be encrypted. An employee loses a USB drive containing customer data. The drive was encrypted with AES-256. Which of the following is true regarding policy compliance?

Question 61 (hard, multiple choice)

During a merger, two companies have different security policies. Company A uses a discretionary access control (DAC) model, while Company B uses a mandatory access control (MAC) model. The merged entity must adopt a single policy. Which approach is most likely to be adopted and why?

Question 62 (easy, multi select)

A security policy requires multifactor authentication for all administrative access. Which TWO of the following are examples of factors used in MFA? (Choose two.)

Question 63 (medium, multi select)

A company's security policy mandates data encryption at rest. Which TWO of the following are acceptable methods to meet this requirement? (Choose two.)

Question 64 (hard, multi select)

According to the principles of least privilege, which THREE of the following access controls should be implemented for a typical user account? (Choose three.)

Question 65 (easy, multiple choice)

Refer to the exhibit. A security policy states that all remote desktop (RDP) and Telnet access from external networks must be blocked. Does the above access-list comply with the policy?

Exhibit

Refer to the exhibit.
```
ip access-list extended BLOCK_CRITICAL
 deny tcp any any eq 3389
 deny tcp any any eq 23
 permit ip any any
```
Question 66 (medium, multiple choice)

Refer to the exhibit. This syslog message is generated from a Cisco firewall. According to the security policy, all traffic from the 10.10.10.0/24 network to the internal 192.168.1.0/24 network must be denied except for HTTP traffic from specific IPs. Which of the following should be investigated?

Exhibit

Refer to the exhibit.
```
%SEC-6-IPACCESSLOGP: list OUTSIDE denied tcp 10.10.10.5(80) -> 192.168.1.10(49152) 1 packet
```
Question 67 (hard, multiple choice)

Refer to the exhibit. A security policy requires that network traffic be classified and prioritized to ensure critical applications get bandwidth. A network engineer implements this QoS policy. However, after deployment, a security scanner reports that SSH traffic is starved. Which of the following is the most likely cause?

Exhibit

Refer to the exhibit.
```
policy-map QOS_POLICY
 class VOIP
  priority percent 30
 class CRITICAL_DATA
  bandwidth remaining percent 50
 class class-default
  fair-queue
```
Question 68 (easy, multiple choice)

A company's security policy requires that all employees change their passwords every 90 days. Which type of security control does this policy enforce?

Question 69 (medium, multiple choice)

An analyst discovers that an employee has been using company-issued laptops to run personal cryptocurrency mining software. Which policy violation has occurred?

Question 70 (hard, multiple choice)

During a security audit, an analyst finds that a third-party vendor has access to sensitive customer data beyond what is necessary for their services. Which principle of least privilege should the policy enforce?

Question 71 (easy, multiple choice)

A company's security policy states that all employees must use multi-factor authentication (MFA) when accessing the corporate network remotely. Which policy is being applied?

Question 72 (medium, multiple choice)

During a change management process, a security administrator approves a firewall rule change. After implementation, a critical application becomes unreachable. Which step in the change process was likely missed?

Question 73 (hard, multiple choice)

An organization's security policy requires data classification labels to be applied to all documents. A manager sends a spreadsheet containing employee PII (personally identifiable information) to the entire company without labeling. Which policy has been violated?

Question 74 (easy, multiple choice)

Which security policy defines the process for reporting discovered security vulnerabilities to the organization?

Question 75 (medium, multiple choice)

A security analyst is creating a policy for handling sensitive customer data. The policy must ensure data is encrypted at rest and in transit. Which type of policy most directly addresses this requirement?

Question 76 (hard, multiple choice)

During an incident, a first responder pulls the network cable of a compromised server. Later, the incident response team is unable to collect volatile data such as running processes. Which policy or procedure was violated?

Question 77 (medium, multi select)

Which TWO of the following are key components of a security policy framework according to Cisco? (Choose two.)

Question 78 (hard, multi select)

Which THREE are required steps in a proper incident response procedure? (Choose three.)

Question 79 (easy, multi select)

Which TWO activities are typically part of a security policy review cycle? (Choose two.)

Question 80 (medium, multiple choice)

Refer to the exhibit. An administrator configured AAA on a Cisco router. What is the expected outcome when a user tries to access privileged EXEC mode (enable) with the username 'admin' and password 'cisco123'?

Exhibit

Refer to the exhibit.
```
aaa new-model
aaa authentication login default local-case
aaa authentication enable default enable
aaa authorization exec default local
username admin secret cisco123
```
Question 81 (hard, multiple choice)

Refer to the exhibit. A network administrator applied this ACL inbound on the external interface of a firewall. An attacker sends a TCP SYN packet with source IP 192.0.2.1 to destination 10.1.1.100 port 80. Which statement accurately describes the packet's treatment?

Exhibit

Refer to the exhibit.
```
access-list 101 permit tcp any host 10.1.1.100 eq 80
access-list 101 permit tcp any host 10.1.1.100 eq 443
access-list 101 deny ip any any
interface GigabitEthernet0/0
 ip access-group 101 in
```
Question 82 (easy, multiple choice)

Refer to the exhibit. A security analyst views these log entries from a Cisco router. What conclusion can be drawn about ACL 101?

Exhibit

Refer to the exhibit.
```
%SEC-6-IPACCESSLOGS: list 101 denied tcp 192.0.2.5(12345) -> 10.1.1.100(23), 1 packet
%SEC-6-IPACCESSLOGS: list 101 permitted tcp 192.0.2.5(12345) -> 10.1.1.100(80), 1 packet
```
Question 83 (easy, multiple choice)

A company's security policy states that employees must not use corporate laptops for personal web browsing. An employee is found to have streamed video during work hours, consuming significant bandwidth. What is the best course of action?

Question 84 (medium, multiple choice)

During a security incident, a security analyst isolates an affected host and collects a memory dump. According to incident response procedures, what is the next step the analyst should take?

Question 85 (hard, multiple choice)

A security auditor reviews a company's security policies and finds that the password policy requires a minimum length of 8 characters and complexity including uppercase, lowercase, digit, and special character. However, the policy does not mandate password expiration. Which of the following is the most significant risk due to this omission?

Question 86 (easy, multiple choice)

An organization's data classification policy defines four levels: Public, Internal, Confidential, and Restricted. An employee accidentally sends an email containing customer payment card information (PCI) to the entire company mailing list. The data should have been classified as which level?

Question 87 (medium, multiple choice)

A company has implemented a role-based access control (RBAC) policy for its network devices. A network engineer needs temporary access to configure a router in a different region. According to the RBAC policy, what is the appropriate procedure?

Question 88 (hard, multiple choice)

A business impact analysis (BIA) for a critical enterprise application reveals a maximum tolerable downtime (MTD) of 4 hours and a recovery time objective (RTO) of 2 hours. The current backup solution can restore the application in 3 hours under optimal conditions. Which of the following is the most appropriate action from a policy perspective?

Question 89 (easy, multiple choice)

A security policy mandates that all employees complete annual security awareness training. Which of the following metrics best demonstrates the effectiveness of this training?

Question 90 (medium, multiple choice)

A change management policy requires that all network configuration changes be approved by a change advisory board (CAB) before implementation. An urgent security vulnerability requires an immediate firewall rule change to block an active exploit. What should the network administrator do?

Question 91 (hard, multiple choice)

A vendor security policy requires that all third-party remote access be limited to specific IP addresses and use multi-factor authentication. During an audit, it is discovered that a vendor's entire office subnet is allowed instead of individual IPs. The vendor argues that the broader range is necessary for redundancy. What is the best way to handle this from a policy perspective?

Question 92 (easy, multi-select)

Which TWO of the following are key elements that should be included in an incident response plan?

Question 93 (medium, multi-select)

Which THREE of the following are common types of security policies that organizations typically implement?

Question 94 (hard, multi-select)

Which TWO of the following are essential requirements for a security policy to be effective?

Question 95 (easy, multiple choice)

Refer to the exhibit. A network administrator applies this ACL to the WAN interface. What is the effect on BitTorrent traffic (which typically uses ports 6881-6889)?

Exhibit

Refer to the exhibit.

```
interface GigabitEthernet0/0
 ip access-group BLOCK_P2P in
!
ip access-list extended BLOCK_P2P
 deny tcp any any eq 6881 6889
 deny udp any any range 6881 6889
 permit ip any any
```

Question 96 (medium, multiple choice)

Refer to the exhibit. A security analyst observes these syslog messages from an ASA firewall. Based on the messages, which type of activity is most likely occurring?

Exhibit

Refer to the exhibit.

```
%ASA-4-106023: Deny tcp src outside:10.0.0.10/54321 dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN"
%ASA-4-106023: Deny tcp src outside:10.0.0.10/54322 dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN"
%ASA-4-106023: Deny tcp src outside:10.0.0.10/54323 dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN"
```

Question 97 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews the access list. Senior management has authorized SSH access (port 22) to external servers only from the 10.1.1.0/24 and 10.1.2.0/24 subnets. What is the most significant security flaw in this ACL?

Exhibit

Refer to the exhibit.

```
Router# show ip access-list EXTENDED_FILTER
Extended IP access list EXTENDED_FILTER
    10 permit tcp 10.1.1.0 0.0.0.255 any eq 22
    20 permit tcp 10.1.2.0 0.0.0.255 any eq 22
    30 deny tcp any any eq 22
    40 permit ip any any
```

Question 98 (easy, multiple choice)

A security policy requires that all email attachments be scanned for malware. An employee receives a legitimate PDF from a customer that is flagged as malicious. What should the analyst do first?

Question 99 (medium, multiple choice)

A security analyst notices repeated failed login attempts from an external IP. The company has a policy for account lockout after 5 failed attempts. However, the lockout is not triggering. What is the most likely cause?

Question 100 (easy, multiple choice)

An organization's security policy specifies that all configuration changes must be approved through a change management process. An analyst discovers that a firewall rule was added without approval. What is the appropriate action?

Question 101 (hard, multiple choice)

A company's security policy requires that all network devices be managed using SSHv2. An auditor finds that some older switches are still using Telnet. The network team claims they cannot upgrade due to budget constraints. What is the best immediate action to mitigate risk?

Question 102 (medium, multiple choice)

A security policy requires that all privileged access be logged and monitored. A junior admin uses a shared service account to perform maintenance. The logs show the account logged in from multiple IPs at the same time. What does this indicate?

Question 103 (easy, multiple choice)

A security policy requires that all remote access be through a VPN using strong authentication. A user calls the help desk saying they cannot connect to the VPN. The analyst checks and sees that the user's token is not synchronized. What should the analyst do?

Question 104 (hard, multiple choice)

A company's security policy states that all network traffic must be inspected by an IPS. However, encrypted traffic (SSL/TLS) is bypassing inspection. The network team wants to implement SSL decryption. What is the primary policy consideration before implementing?

Question 105 (medium, multiple choice)

A company's incident response policy defines four phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity. During an active ransomware outbreak, the IR team is unable to contain the spread because the containment plan did not account for the malware's use of PowerShell for lateral movement. Which phase had a deficiency?

Question 106 (hard, multiple choice)

A security policy requires that all endpoints have host-based firewalls enabled. A user reports that an application stopped working after a recent update. What should the analyst do?

Question 107 (medium, multiple choice)

An analyst is reviewing this configuration. What is the most significant security concern?

Exhibit

Refer to the exhibit.

```
access-list OUTSIDE extended permit tcp any host 192.168.1.100 eq www
access-list OUTSIDE extended permit tcp any host 192.168.1.100 eq https
access-list OUTSIDE extended deny ip any any
```

Question 108 (hard, multiple choice)

An analyst sees these logs. What should be the immediate course of action?

Exhibit

Refer to the exhibit.

```
%SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.1(12345) -> 192.168.1.1(22), 1 packet
%SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(54321) -> 192.168.1.1(22), 1 packet
%SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.3(11111) -> 192.168.1.1(22), 1 packet
%SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.4(22222) -> 192.168.1.1(22), 1 packet
```

Question 109 (easy, multiple choice)

An analyst is verifying a VPN configuration. Which of the following is true about this configuration?

Exhibit

Refer to the exhibit.

```
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set ESP-AES256-SHA
 match address VPN-TRAFFIC
```

Question 110 (medium, multi-select)

A security policy requires that all data at rest be encrypted. Which TWO of the following are considered best practices for implementing encryption?

Question 111 (hard, multi-select)

An organization's security policy requires that all security incidents be reported within 1 hour. A system administrator discovers a potential data breach but delays reporting by 3 hours because they were trying to contain it. Which TWO are the most likely consequences of this delay?

Question 112 (easy, multi-select)

An organization's security policy defines acceptable use of corporate email. Which THREE of the following actions are typically prohibited?

Question 113 (easy, multiple choice)

An organization's security policy requires that all data at rest on laptops be encrypted. An employee reports that their laptop was stolen. Which control would most likely prevent data exposure?

Question 114 (medium, multiple choice)

A security auditor finds that the company's backup policy does not include offsite storage. The security policy requires that backups be stored in a geographically separate location. What should the company do?

Question 115 (hard, multiple choice)

A company is implementing a new data classification policy. The policy defines three levels: Public, Internal, and Confidential. An employee accidentally emails a spreadsheet marked 'Confidential' to an external partner. The email system automatically encrypts all outbound emails containing 'Confidential' classification. Which security control is being demonstrated?

Question 116 (easy, multiple choice)

A company's security policy requires that all system logs be retained for at least one year. A security analyst discovers that log files are being overwritten after 30 days. What is the most likely cause?

Question 117 (medium, multiple choice)

A security policy requires that all remote access be authenticated using a one-time password (OTP) token. Which technology should be implemented?

Question 118 (hard, multiple choice)

During a security incident, the incident response team isolates a compromised workstation from the network. The security policy requires that all actions taken during the incident be documented and approved. However, the team lead isolates the workstation without waiting for formal approval. Which principle of incident response is being prioritized?

Question 119 (easy, multiple choice)

A user reports that they cannot access a file server. The security policy requires that all access be logged and monitored. What is the most likely reason for the access failure?

Question 120 (medium, multiple choice)

A company's security policy requires that all firewall rule changes be approved through a change management process. An engineer notices an unauthorized rule that allows RDP from any external IP. What is the first step the engineer should take?

Question 121 (hard, multiple choice)

An organization is developing a new cloud-based application. The security policy requires that all data be encrypted in transit and at rest. Which combination of controls meets this requirement?

Question 122 (easy, multi-select)

A security policy requires that employees use strong passwords. Which TWO of the following are characteristics of a strong password? (Select two.)

Question 123 (medium, multi-select)

An incident response plan includes steps to contain a ransomware outbreak. Which TWO actions are typically performed during the containment phase? (Select two.)

Question 124 (hard, multi-select)

A security policy mandates that all network devices must be hardened. Which THREE of the following are common hardening best practices for routers and switches? (Select three.)

Question 125 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews the configuration of a router and notices the access list applied to the internal interface. Which traffic from the source network 10.0.0.0/8 will be permitted? (Assume typical web traffic.)

Exhibit

```
Building configuration...
Current configuration : 2345 bytes
!
interface GigabitEthernet0/1
 description Internal Network
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip access-group INBOUND in
!
ip access-list extended INBOUND
 permit tcp 10.0.0.0 0.255.255.255 any eq 80
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 deny ip any any
```

Question 126 (hard, multiple choice)

GreenTech Inc. is a mid-sized company with 500 employees. The company uses Microsoft Exchange Online for email and has implemented a security policy that requires all employees to report suspicious emails to the security team. The security team uses a phishing simulation tool to train employees. In the past month, several employees have reported receiving emails that appear to be from the CEO requesting urgent wire transfers. The security team has blocked the sender domains and updated the email filters. However, one employee fell for the latest scam and transferred $50,000 to an account before reporting it. The security incident response plan states that any monetary loss must be reported to the board within 24 hours. The security analyst receives the report on Monday morning. What should the analyst do first based on the policy and best practices?

Question 127 (hard, multiple choice)

MedSecure is a healthcare organization with a security policy that requires all security incidents to be handled following the NIST framework. A system administrator discovers that an unauthorized user has accessed a database containing patient records. The administrator immediately disconnects the server from the network. The security analyst is called to investigate. The analyst finds that the server was not part of the centralized logging system, and the only logs available are the database audit logs. The security policy mandates preservation of evidence and chain of custody. The analyst needs to collect the database audit logs. Which action should the analyst take to ensure proper evidence collection?

Question 128 (medium, multiple choice)

A security analyst at a medium-sized enterprise notices that an employee's workstation has been sending outbound traffic to a known malicious IP address at irregular intervals. The analyst runs a scan and finds no malware signatures. What should the analyst do next?

Question 129 (hard, multiple choice)

A company is implementing a security policy that requires all employees to use multi-factor authentication (MFA) when accessing corporate resources remotely. However, during a recent security audit, it was found that several employees have been using app passwords for legacy applications that do not support MFA. What is the best practice under this policy?

Question 130 (easy, multiple choice)

A network administrator is tasked with creating a security policy for handling sensitive data. Which of the following is the most critical element to include?

Question 131 (medium, multi-select)

A security policy mandates that all network devices must have logging enabled and that logs must be reviewed regularly. Which TWO practices are essential for effective log review?

Question 132 (easy, multi-select)

A security analyst is creating a procedure for responding to a phishing email reported by a user. Which TWO steps should be included?

Question 133 (hard, multi-select)

A company's security policy requires that all changes to firewall rules must be approved by the change advisory board (CAB). Which THREE of the following are valid reasons to bypass this process?

Question 134 (hard, multiple choice)

You are a security analyst at a multinational corporation. The company has implemented a security policy that requires all employees to use company-issued laptops with full disk encryption. During a routine audit, you discover that a senior executive's laptop is not encrypted. The executive claims that IT support had disabled encryption because the laptop was running slowly. The current policy does not allow exceptions without management approval. The executive's laptop contains sensitive client data. What should you do?

Question 135 (medium, multiple choice)

You are the cybersecurity analyst for a small business that has a security policy requiring all network traffic to pass through a proxy server for content filtering. Recently, employees have been complaining that some websites are not loading correctly. You check the proxy logs and see that the proxy is blocking traffic that appears to be from non-standard ports. However, upon investigation, you find that the blocked sites are legitimate business tools that use custom ports. Which action aligns with the security policy?

Question 136 (easy, multiple choice)

A healthcare organization has a security policy that mandates immediate reporting of any potential data breach to the privacy officer. An analyst notices that an employee accidentally emailed a patient list to the wrong recipient. The recipient is known to be a trusted partner, but the email contained PHI. The analyst contacts the recipient who acknowledges receipt and agrees to delete the email. What should the analyst do next?

Question 137 (hard, multiple choice)

A financial services company has a security policy that all remote access must be through VPN with two-factor authentication. An employee on a business trip uses a hotel Wi-Fi to connect to the corporate network but claims the VPN client was not working, so they used RDP directly over the internet to access their desktop. The employee's manager approved this as a temporary measure. The security team discovers this during a log review. The policy has no provision for temporary exceptions. What should be the security team's first action?

Question 138 (medium, multiple choice)

A company's security policy requires that all servers have host-based intrusion detection (HIDS) installed and configured to send alerts to the SIEM. During a routine check, you find that a critical database server has HIDS installed but is not sending alerts because the agent service is stopped. The server administrator says he stopped the service because it was using too much CPU. The policy requires that any deviation from baseline must be approved by the security team. What should you do?

Question 139 (easy, multiple choice)

A small retail company has a security policy that requires all point-of-sale (POS) systems to be isolated on a separate network segment with strict firewall rules. During a network audit, you discover that the POS system is connected to the same network as the office workstations, violating policy. The store manager says it was done for convenience because the network cable was too short. What is the best course of action?

Question 140 (hard, multiple choice)

A multinational company has a security policy that all data at rest in cloud storage must be encrypted using company-managed keys. The cloud administrator, due to performance concerns, configured server-side encryption with AWS managed keys instead. The security team discovers this during an audit. The policy does not differentiate between encryption types. The data stored includes financial records. What should the security team do?

Question 141 (medium, multiple choice)

A security policy requires that all mobile devices connecting to corporate email must have a screen lock and be able to be remotely wiped. An employee's personal phone is lost. The employee reports the loss immediately. The phone is enrolled in MDM with remote wipe capability. However, the employee has not set a screen lock, violating policy. The phone contains synced email and contacts. What should the security team do?

Question 142 (easy, multiple choice)

An organization's security policy mandates that all external media (USB drives, external hard drives) must be scanned for malware before use. An employee inserts a USB drive to transfer a presentation for a meeting. The employee runs the antivirus scan, but it fails to complete because the USB drive has a hardware write-protect switch. The employee is in a hurry. What should the employee do?

Question 143 (easy, multi-select)

A company is creating an incident response policy. Which TWO elements should be included to ensure proper handling of security incidents?

Question 144 (medium, multiple choice)

Refer to the exhibit. A security analyst notices repeated login failures. According to the company's security policy, what action should be taken?

Exhibit

```
*Mar 1 12:34:56: %SEC_LOGIN-4-LOGIN_FAILED: Login failed for user 'admin' from source 192.168.1.50
*Mar 1 12:34:57: %SEC_LOGIN-4-LOGIN_FAILED: Login failed for user 'admin' from source 192.168.1.50
*Mar 1 12:34:58: %SEC_LOGIN-4-LOGIN_FAILED: Login failed for user 'admin' from source 192.168.1.50
```

Question 145 (hard, multiple choice)

A large enterprise has a security policy that mandates data classification and strict access controls. An IT administrator, John, has been granted temporary administrative privileges to resolve a server issue. During the maintenance window, John accesses a file server and downloads a spreadsheet containing customer PII (Personally Identifiable Information) classified as 'Confidential'. John then emails the spreadsheet to his personal email account to work from home. The security team receives an alert from the DLP system indicating the email transmission. According to the company's incident response policy, which of the following is the FIRST action the security team should take?
