
CISSP Security Operations • Complete Question Bank

CISSP Security Operations — All Questions With Answers

Complete CISSP Security Operations question bank — all 0 questions with answers and detailed explanations.

60 questions • Free • No signup
Question 1 (medium, multiple choice)

During a security incident, an organization's SOC team identifies a series of unauthorized access attempts from an external IP address. The incident manager needs to escalate this to the appropriate team. According to the incident response plan, which role is primarily responsible for coordinating the response and communicating with stakeholders?

Question 2 (medium, multiple choice)

An organization's disaster recovery plan specifies a Recovery Time Objective (RTO) of 4 hours for its critical financial application. Which disaster recovery site would be MOST appropriate to meet this RTO?

Question 3 (hard, multiple choice)

A forensic investigator arrives at a crime scene involving a compromised server. The server is still running. According to the order of volatility, which of the following should the investigator capture FIRST?

Question 4 (easy, multiple choice)

Which of the following BEST describes the difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP)?

Question 5 (medium, multiple choice)

A SOC team is using a SIEM to correlate events from multiple sources. They want to automate responses to common threats. Which technology should they integrate to achieve security orchestration and automation?

Question 6 (hard, multiple choice)

An organization's data loss prevention (DLP) solution is configured to block emails containing credit card numbers. This is an example of which type of DLP control?

Question 7 (medium, multiple choice)

During a vulnerability management lifecycle, after vulnerabilities are identified and prioritized, what is the NEXT step?

Question 8 (easy, multiple choice)

Which of the following metrics is used to determine the maximum amount of data loss an organization can tolerate in a disaster?

Question 9 (medium, multiple choice)

An organization is implementing a change management process. Which group is responsible for reviewing and approving major changes?

Question 10 (easy, multiple choice)

What is the PRIMARY purpose of a chain of custody in digital forensics?

Question 11 (medium, multiple choice)

A SOC has three tiers: Tier 1 triages alerts, Tier 2 investigates, and Tier 3 performs advanced analysis. An alert about a potential data exfiltration using DNS tunneling is escalated from Tier 1. Which tier is BEST suited to perform deep packet inspection and memory forensics to confirm the exfiltration?

Question 12 (hard, multiple choice)

An organization is recovering from a ransomware attack that encrypted critical servers. The backup strategy must ensure that the Recovery Point Objective (RPO) of 1 hour is met. Which backup method is MOST appropriate?

Question 13 (medium, multi select)

A security analyst is examining a memory dump from a compromised workstation. Which TWO tools are commonly used for memory forensics?

Question 14 (medium, multi select)

An organization is updating its incident response plan. According to best practices, which THREE components should be included in the plan?

Question 15 (hard, multi select)

A company is designing a disaster recovery strategy for its e-commerce platform. The platform requires an RTO of 2 hours and an RPO of 15 minutes. Which TWO strategies would BEST meet these requirements?

Question 16 (easy, multiple choice)

An organization is developing an incident response plan. Which component is responsible for defining the specific conditions that constitute an incident?

Question 17 (medium, multiple choice)

During a digital forensics investigation, a security analyst must preserve evidence in order of volatility. Which of the following represents the correct sequence from most volatile to least volatile?

Question 18 (medium, multiple choice)

A company is selecting a disaster recovery site for critical applications that must be restored within 4 hours with minimal data loss. Which site type best meets these requirements?

Question 19 (hard, multiple choice)

A SOC analyst receives an alert from the SIEM indicating a large volume of outbound data from a sensitive database server to an external IP address. The analyst queries the SIEM and finds the server communicated with the external IP during non-business hours. Which type of incident is most likely occurring?

Question 20 (easy, multiple choice)

Which metric defines the maximum amount of data loss an organization can tolerate during a disaster?

Question 21 (medium, multiple choice)

A security team is implementing data loss prevention (DLP) to protect sensitive information. Which DLP type is best suited to monitor and block sensitive data leaving the corporate network via email or web traffic?

Question 22 (easy, multiple choice)

Which role in an incident response team is primarily responsible for coordinating communication with external parties, such as the media and regulators?

Question 23 (medium, multiple choice)

A business continuity plan (BCP) differs from a disaster recovery plan (DRP) in that the BCP primarily focuses on:

Question 24 (hard, multiple choice)

An organization is implementing a patch management process. Which of the following is the most critical step to ensure that patches do not disrupt critical business operations?

Question 25 (easy, multiple choice)

Which digital forensics tool is specifically designed for memory forensics?

Question 26 (medium, multiple choice)

A security analyst is reviewing SIEM logs and notices multiple failed login attempts from a single IP address followed by a successful login. The account belongs to a user in finance. Which incident category is most appropriate?

Question 27 (medium, multiple choice)

What is the primary purpose of a Change Advisory Board (CAB) in change management?

Question 28 (medium, multi select)

An organization is designing a security operations center (SOC) with three tiers. Which TWO of the following are typical responsibilities of Tier 1 analysts? (Select TWO)

Question 29 (hard, multi select)

During a forensic investigation, which THREE of the following are essential to maintain chain of custody? (Select THREE)

Question 30 (hard, multi select)

A company is evaluating disaster recovery strategies and wants to minimize both RTO and RPO. Which THREE options provide the best combination of low RTO and low RPO? (Select THREE)

Question 31 (easy, multiple choice)

Which of the following best describes the primary purpose of an incident response plan?

Question 32 (medium, multiple choice)

During a digital forensics investigation, which of the following data sources has the highest order of volatility?

Question 33 (hard, multiple choice)

An organization has a maximum tolerable downtime (MTD) of 8 hours for its critical e-commerce platform. The recovery time objective (RTO) is set to 4 hours, and the recovery point objective (RPO) is 30 minutes. Which disaster recovery strategy is most cost-effective while meeting these requirements?

Question 34 (medium, multiple choice)

Which of the following is the primary purpose of a Change Advisory Board (CAB)?

Question 35 (easy, multiple choice)

What type of DLP system monitors data in motion across the network?

Question 36 (medium, multiple choice)

An organization's security operations center (SOC) uses a SIEM to correlate logs. The SOC manager wants to automate response actions for low-severity alerts. Which technology would best support this goal?

Question 37 (medium, multiple choice)

During a forensic investigation, the investigator must ensure that evidence is properly handled and documented. What is the primary purpose of maintaining a chain of custody?

Question 38 (hard, multiple choice)

An organization is designing its incident response team roles. Which role is primarily responsible for collecting and preserving evidence for legal proceedings?

Question 39 (easy, multiple choice)

Which of the following is an example of a social engineering attack?

Question 40 (medium, multiple choice)

An organization wants to ensure that its critical database can be restored to a point within the last 15 minutes in case of failure. Which metric defines this requirement?

Question 41 (hard, multiple choice)

Which of the following is the most important factor when prioritizing vulnerability remediation in a vulnerability management program?

Question 42 (medium, multiple choice)

A SOC analyst at Tier 1 identifies a potential malware infection on a user workstation. What is the next step in the standard incident response process?

Question 43 (medium, multi select)

A security analyst is selecting forensic tools for an investigation. Which TWO tools are best suited for memory forensics? (Select TWO.)

Question 44 (medium, multi select)

An organization is planning its disaster recovery strategy. Which THREE options are considered recovery site types? (Select THREE.)

Question 45 (hard, multi select)

A security manager is reviewing incident categories for inclusion in the incident response plan. Which THREE of the following are common incident categories? (Select THREE.)

Question 46 (medium, multiple choice)

An organization is developing an incident response plan. Which component is primarily responsible for defining the criteria for escalating an incident to senior management and legal counsel?

Question 47 (hard, multiple choice)

During a forensic investigation, an analyst must collect volatile data in the correct order. Which of the following sequences correctly follows the order of volatility?

Question 48 (easy, multiple choice)

An organization has a maximum tolerable downtime (MTD) of 8 hours for a critical application. The recovery time objective (RTO) is set to 4 hours. Which of the following best describes the purpose of the RTO?

Question 49 (medium, multiple choice)

A SOC analyst (Tier 1) receives an alert from the SIEM indicating a potential malware infection on a critical server. According to SOC tier responsibilities, what is the analyst's primary action?

Question 50 (hard, multiple choice)

A company plans to implement a disaster recovery site that can be operational within 2 hours of a failure. Which type of DR site best meets this requirement?

Question 51 (easy, multiple choice)

Which type of digital forensics involves capturing and analyzing network traffic to investigate a security incident?

Question 52 (medium, multiple choice)

A security team implements a Data Loss Prevention (DLP) solution to monitor email attachments for sensitive data. Which type of DLP is being used?

Question 53 (hard, multiple choice)

A Change Advisory Board (CAB) is evaluating a request to implement a critical security patch. Which RACI element is typically assigned to the CAB for the 'Approve' activity?

Question 54 (easy, multiple choice)

Which of the following is a key difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP)?

Question 55 (medium, multi select)

A security analyst is identifying incident categories for a new incident response plan. Which TWO of the following are valid incident categories according to standard IR frameworks?

Question 56 (medium, multi select)

During a forensic investigation, which TWO of the following are essential steps to maintain chain of custody?

Question 57 (hard, multi select)

A company is selecting a disaster recovery strategy for a mission-critical application. Which TWO of the following strategies provide the shortest recovery time objective (RTO)?

Question 58 (medium, multi select)

A SOC manager is designing a tiered incident response team. Which THREE of the following are standard roles in an incident response team according to industry best practices?

Question 59 (hard, multi select)

A security analyst is configuring a SIEM to improve threat detection. Which THREE of the following are essential capabilities of a SIEM system?

Question 60 (easy, multi select)

A company is implementing a Data Loss Prevention (DLP) program. Which THREE of the following are common types of DLP controls?
