© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
Objective 7.0

Security Operations

CISSP Practice Questions

Use this page to practise Security Operations questions for this certification. Focus on how the exam tests security operations in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.


What this objective tests

CISSP Security Operations — Key Topics

Security Operations questions on this certification test your ability to deploy and manage security operations concepts in scenario-based situations.

  • Core Security Operations concepts and how they apply in real-world cloud scenarios.
  • How to deploy security operations correctly and verify the outcome.
  • Troubleshooting security operations issues by interpreting error output and system state.
  • Cloud best practices and Security Operations design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Security Operations

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

CISSP Security Operations — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A security analyst notices repeated failed login attempts from an internal IP address on the domain controller. After enabling account lockout, the lockouts continue but the source IP changes. What is the best next step?

Question 3 (hard, multiple choice)

A SOC analyst receives an alert for a suspicious outbound connection from a server in the DMZ to an external IP on port 443. The server is a web application server that should only communicate internally. The analyst checks the process and finds it is 'svchost.exe' running from a non-standard path. What is the most appropriate immediate action?

Question 4 (easy, multiple choice)

During a security audit, an organization discovers that several employees are sharing a single generic account to access a critical database. Which principle of security operations is being violated?

Question 5 (hard, multiple choice)

A security engineer is designing a new SIEM correlation rule to detect potential data exfiltration. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address within a 5-minute window, but only if the external IP is not on a whitelist of known business partners. Which approach best minimizes false positives while ensuring effective detection?

Question 6 (easy, multiple choice)

A company's security policy requires that all removable media be encrypted. An employee plugs in a USB drive and is prompted to format it before use. After formatting, the drive is not encrypted. What is the most likely reason?

Question 7 (medium, multiple choice)

An organization is implementing a new backup strategy for its critical servers. The backup must support rapid restoration of individual files and allow for a recovery point objective (RPO) of no more than 15 minutes. Which backup method should be used for daily operations?

Question 8 (medium, multiple choice)

During a vulnerability scan, a security analyst discovers that a web server is running an outdated version of Apache with known remote code execution vulnerabilities. The server is in production and cannot be patched immediately due to dependency conflicts. What is the best compensating control to reduce risk while a permanent fix is developed?

Question 9 (hard, multi select)

Which TWO of the following are essential components of a successful security awareness program?

Question 10 (medium, multi select)

Which THREE of the following are best practices for securing a data center's physical access?

Question 11 (easy, multi select)

Which TWO of the following are valid reasons for conducting a business impact analysis (BIA)?

Question 12 (medium, multiple choice)

A network administrator finds the above log entry. The source IP 192.168.1.10 is a user workstation. What does this log entry indicate?

Exhibit: syslog entry from a firewall
<134>2024-03-15T14:23:45Z FW-01 %ASA-4-106023: Deny tcp src inside:192.168.1.10/3345 dst outside:203.0.113.5/80 by access-group "OUTSIDE_IN" [0x0, 0x0]

Question 13 (hard, multiple choice)

An AWS security engineer is reviewing the above S3 bucket policy. What is the net effect of this policy on requests to read objects in the 'confidential' folder?

Exhibit: snippet from a security policy in JSON format
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/confidential/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "10.100.0.0/16"
        }
      }
    }
  ]
}

Question 14 (medium, multiple choice)

You are a security analyst at a financial institution. The company has a hybrid infrastructure with on-premises servers and AWS cloud. The on-premises network uses a SIEM that aggregates logs from all sources. Recently, the SIEM has been generating a high volume of alerts for failed SSH login attempts from an internal IP (10.10.50.100) to multiple Linux servers. The IP belongs to a jump box used by system administrators. Upon investigation, you find that the jump box is running a hardened OS, and only authorized admins can access it via SSH key authentication. However, the failed login attempts show usernames like 'root', 'admin', 'test', which are not valid accounts on the target servers. The attempts occur every 5 seconds around the clock. There are no successful logins from that IP. The jump box has the latest patches and antivirus. What should you do FIRST?

Question 15 (medium, drag order)

Drag and drop the steps for implementing mandatory access control (MAC) in a secure system in the correct order.

Question 16 (medium, matching)

Match each business continuity term to its definition.

Descriptions to match:

  • Maximum acceptable downtime after a disaster
  • Maximum acceptable data loss measured in time
  • Average time between system failures
  • Average time to repair a failed system
  • Service level agreement defining performance metrics

Question 17 (easy, multiple choice)

An organization is implementing a bring-your-own-device (BYOD) policy. Which security control should be enforced to ensure that only compliant devices can access corporate resources?

Question 18 (medium, multiple choice)

During a security incident, the incident response team identifies that an attacker exfiltrated data via a compromised service account. Which of the following is the BEST immediate step to contain the incident?

Question 19 (hard, multiple choice)

A security analyst observes repeated failed logon attempts from a single IP address against a domain controller. The account lockout policy is set to 5 attempts within 30 minutes. However, after the account is locked, the attack switches to a different username. Which type of attack is most likely occurring?

Question 20 (easy, multiple choice)

An organization needs to ensure that backup tapes containing sensitive data are protected during transportation between sites. What is the most effective control?

Question 21 (medium, multiple choice)

A company is designing a recovery site for its critical database. The recovery time objective (RTO) is 2 hours, and the recovery point objective (RPO) is 15 minutes. Which of the following replication strategies is BEST suited?

Question 22 (hard, multiple choice)

An organization uses a SIEM to collect logs from multiple sources. The security team notices that some events are missing during peak traffic hours. Analysis shows that the log sources are sending data via UDP. What is the most likely cause?

Question 23 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a business impact analysis (BIA) in business continuity planning?

Question 24 (medium, multiple choice)

During an incident, a forensic analyst needs to preserve volatile data from a live Windows server. Which command should be used first to collect memory and network connection information?

Question 25 (hard, multiple choice)

An organization discovers that an employee has been using a personal cloud storage account to share confidential files. After revoking access, what is the NEXT best step to prevent recurrence?

Question 26 (easy, multi select)

Which TWO of the following are key elements of a disaster recovery plan (DRP)?

Question 27 (medium, multi select)

Which THREE of the following are valid methods for securely disposing of magnetic hard drives?

Question 28 (hard, multi select)

Which THREE of the following are essential components of an effective incident response plan according to NIST SP 800-61?

Question 29 (easy, multiple choice)

Refer to the exhibit. The syslog-ng configuration is used to forward logs to a central server. What type of logs are being forwarded?

Exhibit: syslog-ng configuration
filter f_auth { facility(auth) or facility(authpriv); };
log { source(s_sys); filter(f_auth); destination(d_central); };

Question 30 (medium, multiple choice)

Refer to the exhibit. The ACL is applied inbound on a perimeter router. A security analyst notices that web traffic to an internal server is being blocked. What is the most likely cause?

Exhibit: firewall ACL
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any any eq 53
access-list 100 deny ip any any log

Question 31 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews this event log entry. What does this event indicate?

Exhibit: Windows Event Log entry
Log Name: Security
Event ID: 4625
Account For Which Logon Failed:
  Security ID: S-1-5-18
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
Failure Information:
  Failure Reason: Account locked out.
  Sub Status: 0xc0000234

More Security Operations questions available in the full practice test.
