Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CISSP Security Operations • Complete Question Bank

CISSP Security Operations — All Questions With Answers

Complete CISSP Security Operations question bank: all 68 questions with answers and detailed explanations.

Question 1 (medium, multiple choice)

A security analyst notices repeated failed login attempts from an internal IP address on the domain controller. After enabling account lockout, the lockouts continue but the source IP changes. What is the best next step?

Question 2 (hard, multiple choice)

A SOC analyst receives an alert for a suspicious outbound connection from a server in the DMZ to an external IP on port 443. The server is a web application server that should only communicate internally. The analyst checks the process and finds it is 'svchost.exe' running from a non-standard path. What is the most appropriate immediate action?

Question 3 (easy, multiple choice)

During a security audit, an organization discovers that several employees are sharing a single generic account to access a critical database. Which principle of security operations is being violated?

Question 4 (hard, multiple choice)

A security engineer is designing a new SIEM correlation rule to detect potential data exfiltration. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address within a 5-minute window, but only if the external IP is not on a whitelist of known business partners. Which approach best minimizes false positives while ensuring effective detection?
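The correlation rule described in Question 4 is easier to reason about when written out. The following is an added example, not code from the page: it aggregates outbound bytes per (internal host, external IP) pair over a sliding five-minute window, filters allowlisted partner ranges before counting, and alerts once a pair exceeds 10 MB. The flow records, the partner allowlist (198.51.100.0/24) and the RFC 1918 definition of "internal" are constructed assumptions.

```python
# Added example (not from the page): a volume-based exfiltration rule of the
# kind described in Question 4, run over constructed flow records. Allowlist
# contents, flow format and the 5-minute/10 MB parameters are assumptions
# taken from the question text, not from any real deployment.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MB = 1024 * 1024
THRESHOLD_BYTES = 10 * MB            # "more than 10 MB"
WINDOW = timedelta(minutes=5)        # "within a 5-minute window"
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical business-partner allowlist; a real one would come from a lookup table.
PARTNER_ALLOWLIST = [ip_network("198.51.100.0/24")]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in PRIVATE_NETS)


def is_allowlisted(ip: str) -> bool:
    return any(ip_address(ip) in net for net in PARTNER_ALLOWLIST)


def detect_exfil(flows):
    """flows: iterable of (iso8601_timestamp, src_ip, dst_ip, bytes_out).

    Returns one alert per (src, dst) pair, raised the first time the bytes sent
    inside any sliding 5-minute window exceed the threshold. Internal-to-internal
    traffic and allowlisted partner destinations are filtered out before
    aggregation, which is where most of the false-positive reduction comes from.
    """
    buckets = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if not is_internal(src) or is_internal(dst) or is_allowlisted(dst):
            continue
        buckets[(src, dst)].append((datetime.fromisoformat(ts), nbytes))

    alerts = []
    for (src, dst), events in buckets.items():
        events.sort()
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            # Slide the window: drop events more than 5 minutes older than this one.
            while ts - events[start][0] > WINDOW:
                total -= events[start][1]
                start += 1
            if total > THRESHOLD_BYTES:
                alerts.append({"src": src, "dst": dst,
                               "window_start": events[start][0].isoformat(),
                               "bytes": total})
                break
    return alerts


# Constructed flow records (timestamp, src, dst, bytes); not real traffic.
SAMPLE_FLOWS = [
    ("2024-03-15T14:00:00", "10.1.2.3", "203.0.113.10", 4 * MB),
    ("2024-03-15T14:01:00", "10.1.2.3", "203.0.113.10", 4 * MB),
    ("2024-03-15T14:02:00", "10.1.2.3", "203.0.113.10", 4 * MB),   # 12 MB in 2 min: alert
    ("2024-03-15T14:00:00", "10.1.2.3", "198.51.100.7", 20 * MB),  # partner: allowlisted
    ("2024-03-15T14:00:00", "10.1.2.4", "203.0.113.20", 4 * MB),
    ("2024-03-15T14:03:00", "10.1.2.4", "203.0.113.20", 4 * MB),
    ("2024-03-15T14:07:00", "10.1.2.4", "203.0.113.20", 4 * MB),   # never >10 MB in any 5 min
    ("2024-03-15T14:00:00", "10.1.2.5", "10.9.9.9", 50 * MB),      # internal transfer: ignored
]

if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_FLOWS):
        print(alert)
```

Note that the third host (10.1.2.4) moves 12 MB in total but never more than 8 MB inside any five-minute window, so the rule stays quiet; a fixed-bucket implementation that resets on the clock would behave differently at the bucket boundary, which is worth checking in whatever SIEM you deploy this on.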

Question 5 (easy, multiple choice)

A company's security policy requires that all removable media be encrypted. An employee plugs in a USB drive and is prompted to format it before use. After formatting, the drive is not encrypted. What is the most likely reason?

Question 6 (medium, multiple choice)

An organization is implementing a new backup strategy for its critical servers. The backup must support rapid restoration of individual files and allow for a recovery point objective (RPO) of no more than 15 minutes. Which backup method should be used for daily operations?

Question 7 (medium, multiple choice)

During a vulnerability scan, a security analyst discovers that a web server is running an outdated version of Apache with known remote code execution vulnerabilities. The server is in production and cannot be patched immediately due to dependency conflicts. What is the best compensating control to reduce risk while a permanent fix is developed?

Question 8 (hard, multi-select)

Which TWO of the following are essential components of a successful security awareness program?

Question 9 (medium, multi-select)

Which THREE of the following are best practices for securing a data center's physical access?

Question 10 (easy, multi-select)

Which TWO of the following are valid reasons for conducting a business impact analysis (BIA)?

Question 11 (medium, multiple choice)

A network administrator finds the log entry shown in the exhibit. The source IP 192.168.1.10 is a user workstation. What does this log entry indicate?

Exhibit: syslog entry from a firewall
<134>2024-03-15T14:23:45Z FW-01 %ASA-4-106023: Deny tcp src inside:192.168.1.10/3345 dst outside:203.0.113.5/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Question 12 (hard, multiple choice)

An AWS security engineer is reviewing the S3 bucket policy shown in the exhibit. What is the net effect of this policy on requests to read objects in the 'confidential' folder?

Exhibit: snippet from a security policy in JSON format
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/confidential/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "10.100.0.0/16"
        }
      }
    }
  ]
}
Question 13 (medium, multiple choice)

You are a security analyst at a financial institution. The company has a hybrid infrastructure with on-premises servers and AWS cloud. The on-premises network uses a SIEM that aggregates logs from all sources. Recently, the SIEM has been generating a high volume of alerts for failed SSH login attempts from an internal IP (10.10.50.100) to multiple Linux servers. The IP belongs to a jump box used by system administrators. Upon investigation, you find that the jump box is running a hardened OS, and only authorized admins can access it via SSH key authentication. However, the failed login attempts show usernames like 'root', 'admin', 'test', which are not valid accounts on the target servers. The attempts occur every 5 seconds around the clock. There are no successful logins from that IP. The jump box has the latest patches and antivirus. What should you do FIRST?

Question 14 (medium, drag-and-drop ordering)

Drag and drop the steps for implementing mandatory access control (MAC) in a secure system in the correct order.

Question 15 (medium, matching)

Match each business continuity term to its definition.


Maximum acceptable downtime after a disaster

Maximum acceptable data loss measured in time

Average time between system failures

Average time to repair a failed system

Service level agreement defining performance metrics

Question 16 (easy, multiple choice)

An organization is implementing a bring-your-own-device (BYOD) policy. Which security control should be enforced to ensure that only compliant devices can access corporate resources?

Question 17 (medium, multiple choice)

During a security incident, the incident response team identifies that an attacker exfiltrated data via a compromised service account. Which of the following is the BEST immediate step to contain the incident?

Question 18 (hard, multiple choice)

A security analyst observes repeated failed logon attempts from a single IP address against a domain controller. The account lockout policy is set to 5 attempts within 30 minutes. However, after the account is locked, the attack switches to a different username. Which type of attack is most likely occurring?

Question 19 (easy, multiple choice)

An organization needs to ensure that backup tapes containing sensitive data are protected during transportation between sites. What is the most effective control?

Question 20 (medium, multiple choice)

A company is designing a recovery site for its critical database. The recovery time objective (RTO) is 2 hours, and the recovery point objective (RPO) is 15 minutes. Which of the following replication strategies is BEST suited?

Question 21 (hard, multiple choice)

An organization uses a SIEM to collect logs from multiple sources. The security team notices that some events are missing during peak traffic hours. Analysis shows that the log sources are sending data via UDP. What is the most likely cause?

Question 22 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a business impact analysis (BIA) in business continuity planning?

Question 23 (medium, multiple choice)

During an incident, a forensic analyst needs to preserve volatile data from a live Windows server. Which command should be used first to collect memory and network connection information?

Question 24 (hard, multiple choice)

An organization discovers that an employee has been using a personal cloud storage account to share confidential files. After revoking access, what is the NEXT best step to prevent recurrence?

Question 25 (easy, multi-select)

Which TWO of the following are key elements of a disaster recovery plan (DRP)?

Question 26 (medium, multi-select)

Which THREE of the following are valid methods for securely disposing of magnetic hard drives?

Question 27 (hard, multi-select)

Which THREE of the following are essential components of an effective incident response plan according to NIST SP 800-61?

Question 28 (easy, multiple choice)

Refer to the exhibit. The syslog-ng configuration is used to forward logs to a central server. What type of logs are being forwarded?

Exhibit: syslog-ng configuration
filter f_auth { facility(auth) or facility(authpriv); };
log { source(s_sys); filter(f_auth); destination(d_central); };
Question 29 (medium, multiple choice)

Refer to the exhibit. The ACL is applied inbound on a perimeter router. A security analyst notices that web traffic to an internal server is being blocked. What is the most likely cause?

Exhibit: firewall ACL
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any any eq 53
access-list 100 deny ip any any log
Question 30 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews this event log entry. What does this event indicate?

Exhibit: Windows Event Log entry
Log Name: Security
Event ID: 4625
Account For Which Logon Failed:
  Security ID: S-1-5-18
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
Failure Information:
  Failure Reason: Account locked out.
  Sub Status: 0xc0000234
Question 31 (easy, multiple choice)

A security analyst detects repeated failed login attempts from a single external IP address targeting a user account. What is the best IMMEDIATE action?

Question 32 (medium, multiple choice)

A company uses a SIEM to correlate logs from multiple sources. Which log source is most critical for detecting privilege escalation attacks?

Question 33 (hard, multiple choice)

An organization implements a data loss prevention (DLP) solution. Which action is most effective for protecting data at rest on endpoint devices?

Question 34 (easy, multiple choice)

According to NIST SP 800-61, which phase of incident response immediately follows detection and analysis?

Question 35 (medium, multiple choice)

A SOC analyst receives an alert for a high number of outbound connections to a known malicious IP. Which action should be taken first?

Question 36 (hard, multiple choice)

An organization's backup strategy includes daily full backups and hourly incremental backups. The system suffers a ransomware attack that encrypts all data. Which backup set is essential to restore the most recent clean state?

Question 37 (easy, multiple choice)

Which of the following is a key principle of privileged access management (PAM)?

Question 38 (medium, multiple choice)

A security team is reviewing firewall logs and sees many dropped packets from an external IP. What type of attack is most likely?

Question 39 (hard, multiple choice)

In a virtualized environment, which security control is most effective for isolating VMs from each other?

Question 40 (medium, multi-select)

Which TWO of the following are examples of detective controls?

Question 41 (hard, multi-select)

Which THREE of the following are required components of a Business Continuity Plan (BCP)?

Question 42 (easy, multi-select)

Which THREE of the following are key activities in the recovery phase of incident response?

Question 43 (medium, multiple choice)

Refer to the exhibit. What type of attack is indicated by the logs?

Exhibit

Feb 10 12:34:56 host1 sshd[1234]: Failed password for root from 10.0.0.1 port 22 ssh2
Feb 10 12:34:57 host1 sshd[1234]: Failed password for root from 10.0.0.1 port 22 ssh2
Feb 10 12:34:58 host1 sshd[1234]: Failed password for root from 10.0.0.1 port 22 ssh2
Feb 10 12:35:00 host1 sshd[1234]: Accepted password for admin from 10.0.0.2 port 22 ssh2
Question 44 (hard, multiple choice)

Refer to the exhibit. What is the security risk of this S3 bucket policy?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucketA/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketA/*"
    }
  ]
}
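Both Question 12 and Question 44 ask what a bucket policy actually does, and the reliable way to answer that is to apply the evaluation rules rather than read the statements in isolation. The following is an added example, not code from the page or from AWS: a deliberately reduced evaluator that handles Effect, Action and Resource matching, the aws:SourceIp IpAddress and NotIpAddress conditions, and the rule that an explicit Deny overrides any Allow. It does not model Principal (both exhibits omit that element, which S3 requires in a real bucket policy) or identity-based policies, so it shows the bucket policy's own contribution only. The object keys and requester IPs used in the demo are constructed.

```python
# Added example (not from the page): a simplified evaluator for the two bucket
# policies exhibited in Questions 12 and 44. It models Effect, Action and
# Resource matching, the aws:SourceIp IpAddress/NotIpAddress conditions, and
# the rule that an explicit Deny overrides any Allow. It ignores Principal
# and identity-based policies, so it shows the bucket policy's own effect only.
import fnmatch
import json
from ipaddress import ip_address, ip_network

# Policies copied from the exhibits (whitespace compacted).
POLICY_Q12 = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
  {"Effect": "Deny", "Action": "s3:*",
   "Resource": "arn:aws:s3:::example-bucket/confidential/*",
   "Condition": {"NotIpAddress": {"aws:SourceIp": "10.100.0.0/16"}}}]}
""")
POLICY_Q44 = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::bucketA/*",
   "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
  {"Effect": "Allow", "Action": "s3:PutObject",
   "Resource": "arn:aws:s3:::bucketA/*"}]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_conditions_match(condition: dict, source_ip: str) -> bool:
    """Only aws:SourceIp with IpAddress / NotIpAddress is modelled here."""
    ip = ip_address(source_ip)
    for operator, kv in condition.items():
        cidrs = _as_list(kv.get("aws:SourceIp", []))
        in_range = any(ip in ip_network(c) for c in cidrs)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def _statement_applies(stmt: dict, action: str, resource: str, source_ip: str) -> bool:
    # IAM wildcards ('*' matches any run of characters, '/' included) map onto fnmatch.
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _ip_conditions_match(stmt.get("Condition", {}), source_ip)


def evaluate(policy: dict, action: str, resource: str, source_ip: str) -> str:
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny wins regardless of statement order
        decision = "Allow"
    return decision


# Constructed object keys and requester addresses for the demonstration.
CONF = "arn:aws:s3:::example-bucket/confidential/report.pdf"
PUB = "arn:aws:s3:::example-bucket/public/index.html"

if __name__ == "__main__":
    for ip in ("10.100.7.7", "10.5.5.5", "203.0.113.9"):
        print("Q12 GetObject confidential/ from", ip, "->", evaluate(POLICY_Q12, "s3:GetObject", CONF, ip))
    for action in ("s3:GetObject", "s3:PutObject"):
        print("Q44", action, "from 203.0.113.9 ->",
              evaluate(POLICY_Q44, action, "arn:aws:s3:::bucketA/x", "203.0.113.9"))
```

Walking the Question 12 policy this way shows the Deny statement is the one that decides confidential reads from every source outside 10.100.0.0/16, even when the Allow statement also matched; for Question 44 it shows the second statement has no condition at all, so the IP restriction on reads does nothing for writes. Before relying on a policy like this in production, test it against real principals with the IAM policy simulator or S3 access analysis rather than with a toy evaluator.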
Question 45 (easy, multiple choice)

Refer to the exhibit. What is the most likely cause of the denied traffic?

Exhibit

Mar 15 08:20:00 firewall1: %ASA-4-106023: Deny tcp src outside:203.0.113.5/1234 dst inside:10.0.0.10/80 by access-group "OUTSIDE_IN"
Mar 15 08:20:01 firewall1: %ASA-4-106023: Deny tcp src outside:203.0.113.5/1235 dst inside:10.0.0.10/80 by access-group "OUTSIDE_IN"
Mar 15 08:20:02 firewall1: %ASA-4-106023: Deny tcp src outside:203.0.113.5/1236 dst inside:10.0.0.10/80 by access-group "OUTSIDE_IN"
Question 46 (medium, multiple choice)

A security analyst notices that the SIEM is generating an overwhelming number of low-priority alerts from a single application server. The server is critical to operations. What is the BEST approach to reduce noise without compromising security?

Question 47 (easy, multiple choice)

Which of the following is a key requirement for an effective backup strategy to ensure data can be recovered after a ransomware attack?

Question 48 (hard, multiple choice)

During an incident response, the team identifies that the attacker gained access through a compromised service account with domain admin privileges. Which of the following steps should be taken FIRST to contain the incident?

Question 49 (medium, multiple choice)

A company is deploying a new web application and needs to ensure that only HTTPS traffic is allowed. What is the MOST effective way to enforce this at the network perimeter?

Question 50 (easy, multiple choice)

Which of the following is a primary purpose of conducting a tabletop exercise for incident response?

Question 51 (hard, multiple choice)

A security team is evaluating a new endpoint detection and response (EDR) solution. Which of the following capabilities is MOST important for detecting fileless malware?

Question 52 (medium, multiple choice)

An organization is required to retain audit logs for seven years due to regulatory compliance. The logs are currently stored on a file server that is approaching capacity. What is the BEST way to manage log storage?

Question 53 (easy, multiple choice)

Which of the following is a best practice for managing privileged user accounts?

Question 54 (medium, multiple choice)

During a forensic investigation, the team needs to preserve evidence from a running server. What is the FIRST step the team should take?

Question 55 (medium, multi-select)

Which TWO of the following are essential components of a disaster recovery plan? (Choose two.)

Question 56 (medium, multi-select)

Which TWO of the following are effective methods for detecting unauthorized access to a network? (Choose two.)

Question 57 (hard, multi-select)

Which THREE of the following are common indicators of a privilege escalation attack? (Choose three.)

Question 58 (hard, multiple choice)

Based on the firewall log entry, what is the most likely reason the connection was denied?

Exhibit:
May 15 09:12:34 fw01 %ASA-4-106023: Deny tcp src inside:192.168.1.10/54321 dst outside:203.0.113.5/80 by access-group "outside-in" [0x0, 0x0]
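Questions 11, 45 and 58 all hinge on reading the fields of a Cisco ASA %ASA-4-106023 deny message correctly: which interface the packet arrived on, which zone it was headed for, and which access-group dropped it. The following is an added example, not code from the page or from Cisco: a parser for that message format plus a small summariser that collapses retries (same source, same destination and port, changing source port) into a count and flags denies where the ACL name and the traffic direction disagree. The sample lines are copied from the three exhibits; the repeat threshold and the wording of the findings are this example's own choices.

```python
# Added example (not from the page): parse the %ASA-4-106023 deny messages
# exhibited in Questions 11, 45 and 58 and summarise what they show. The
# sample lines below are copied from those exhibits; the thresholds and the
# two observations the code makes are this example's own choices.
import re
from collections import Counter

ASA_106023 = re.compile(
    r"%ASA-\d-106023: (?P<action>\w+) (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_106023(line: str):
    """Return the message fields as a dict, or None if the line is not a 106023."""
    m = ASA_106023.search(line)
    return m.groupdict() if m else None


def summarise(lines):
    """Count denied attempts per (acl, src_if, dst_if, src_ip, dst_ip, dst_port).

    Source ports are deliberately left out of the key so that a client retrying
    with a fresh ephemeral port each time collapses into one counter.
    """
    counts = Counter()
    for line in lines:
        f = parse_106023(line)
        if f:
            counts[(f["acl"], f["src_if"], f["dst_if"], f["src_ip"], f["dst_ip"], f["dst_port"])] += 1
    return counts


def findings(lines, repeat_threshold=3):
    """Turn the counters into the observations an analyst would write up."""
    out = []
    for (acl, src_if, dst_if, src_ip, dst_ip, dst_port), n in summarise(lines).items():
        flow = f"{src_if}:{src_ip} -> {dst_if}:{dst_ip}/{dst_port}"
        if n >= repeat_threshold:
            out.append(f"{flow}: {n} denied attempts by {acl} (repeated connection attempts)")
        if src_if == "inside" and dst_if == "outside":
            # An ACL named for inbound filtering is denying egress here; check where
            # and in which direction it is actually applied before drawing conclusions.
            out.append(f"{flow}: egress traffic denied by {acl}; confirm the interface and "
                       f"direction this access-group is applied to")
    return out


# Sample lines copied from the page's exhibits (Questions 11, 45 and 58).
SAMPLE_LINES = [
    '<134>2024-03-15T14:23:45Z FW-01 %ASA-4-106023: Deny tcp src inside:192.168.1.10/3345 dst outside:203.0.113.5/80 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 15 08:20:00 firewall1: %ASA-4-106023: Deny tcp src outside:203.0.113.5/1234 dst inside:10.0.0.10/80 by access-group "OUTSIDE_IN"',
    'Mar 15 08:20:01 firewall1: %ASA-4-106023: Deny tcp src outside:203.0.113.5/1235 dst inside:10.0.0.10/80 by access-group "OUTSIDE_IN"',
    'Mar 15 08:20:02 firewall1: %ASA-4-106023: Deny tcp src outside:203.0.113.5/1236 dst inside:10.0.0.10/80 by access-group "OUTSIDE_IN"',
    'May 15 09:12:34 fw01 %ASA-4-106023: Deny tcp src inside:192.168.1.10/54321 dst outside:203.0.113.5/80 by access-group "outside-in" [0x0, 0x0]',
]

if __name__ == "__main__":
    for finding in findings(SAMPLE_LINES):
        print(finding)
```

The message tells you what was denied and by which access-group; it does not tell you whether the deny is correct. For the Question 45 lines the summariser shows one external host making three back-to-back attempts at the same internal port, while for the Question 11 and 58 lines it shows an inside workstation being denied outbound web traffic by an ACL whose name suggests inbound filtering, which is exactly the detail to verify against the running configuration.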
Question 59 (medium, multiple choice)

Based on the log entry from an authentication server, which immediate action should the security team take to reduce risk?

Exhibit:
May 15 09:15:00 authsrvr sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Question 60 (hard, multiple choice)

An organization with 500 employees operates a hybrid infrastructure with on-premises Active Directory and cloud-based services (Office 365, Azure). The security team receives an alert from the SIEM showing a high number of failed login attempts for a service account named 'svc_backup' from an external IP address. The account has delegated permissions to back up all domain controllers. The attempts are ongoing and fall below the lockout threshold to avoid detection. The team suspects a targeted password spraying attack. The helpdesk reports no recent password changes for this account. The incident response plan requires containment within 15 minutes. The cloud services are integrated with AD via Azure AD Connect. Which of the following actions BEST contains the attack while minimizing operational impact?
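Questions 18, 43, 59 and 60 all turn on the same distinction: a brute-force attack hammers one account and trips lockout, while a password spray touches many accounts a few times each and stays under the lockout threshold. The following is an added example, not code from the page: it parses sshd password-authentication lines (the format of the Question 43 and 59 exhibits) and classifies each source address by the shape of its failures, also noting any success from a source that had been failing, which is the event to escalate on. The first four sample lines are the Question 43 exhibit; the remaining lines are constructed. The thresholds are illustrative, with the lockout value of 5 taken from Question 18; the same logic applies unchanged to Windows 4625 or Azure AD sign-in logs once their fields are extracted.

```python
# Added example (not from the page): classify failed-authentication sources as
# brute force (many attempts against one account) or password spraying (few
# attempts against many accounts, staying under the lockout threshold). The
# first four sample lines are the Question 43 exhibit; the rest are constructed.
# Thresholds are illustrative (the lockout value of 5 comes from Question 18).
import re
from collections import defaultdict

SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth(lines):
    """Yield (result, user, source_ip) for each sshd password-auth line."""
    for line in lines:
        m = SSHD_AUTH.search(line)
        if m:
            yield m["result"], m["user"], m["ip"]


def classify(lines, lockout_threshold=5, brute_min_attempts=3, spray_min_users=4):
    """Return {source_ip: verdict} for every source with at least one failure.

    brute-force:    some single account was hit brute_min_attempts or more times
    password-spray: many distinct accounts, none reaching the lockout threshold
    low-volume:     anything else (still worth a look if a success follows)
    """
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed count
    successes = defaultdict(set)                       # ip -> users accepted
    for result, user, ip in parse_auth(lines):
        if result == "Failed":
            failures[ip][user] += 1
        else:
            successes[ip].add(user)

    verdicts = {}
    for ip, per_user in failures.items():
        peak = max(per_user.values())
        if peak >= brute_min_attempts:
            kind = "brute-force"
        elif len(per_user) >= spray_min_users and peak < lockout_threshold:
            kind = "password-spray"
        else:
            kind = "low-volume"
        verdicts[ip] = {
            "kind": kind,
            "attempts": sum(per_user.values()),
            "users": sorted(per_user),
            # A success from a source that was failing is the line to escalate on.
            "accepted_after_failures": sorted(successes.get(ip, ())),
        }
    return verdicts


SAMPLE_LINES = [
    # Question 43 exhibit
    "Feb 10 12:34:56 host1 sshd[1234]: Failed password for root from 10.0.0.1 port 22 ssh2",
    "Feb 10 12:34:57 host1 sshd[1234]: Failed password for root from 10.0.0.1 port 22 ssh2",
    "Feb 10 12:34:58 host1 sshd[1234]: Failed password for root from 10.0.0.1 port 22 ssh2",
    "Feb 10 12:35:00 host1 sshd[1234]: Accepted password for admin from 10.0.0.2 port 22 ssh2",
    # Constructed: the same source tries a non-existent account as well.
    "Feb 10 12:36:00 host1 sshd[1300]: Failed password for invalid user guest from 10.0.0.1 port 40000 ssh2",
    # Constructed spray: one source, five accounts, two tries each, stays under lockout.
    *[f"Feb 10 12:40:{s:02d} host1 sshd[2222]: Failed password for {u} from 10.0.0.9 port 5{s:04d} ssh2"
      for s, u in enumerate(["root", "admin", "test", "backup", "oracle"] * 2)],
    "Feb 10 12:41:00 host1 sshd[2222]: Accepted password for backup from 10.0.0.9 port 51234 ssh2",
]

if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LINES).items():
        print(ip, verdict)
```

Two design points carry over to a real detection: key on the source, not the account, because a spray never generates enough failures per account to trip an account-centric rule; and keep the lockout threshold as an input, because an attacker who knows it (as in Questions 18 and 60) will pace attempts to sit just below it.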

Question 61 (medium, multi-select)

Your organization is forming an incident response team (IRT). According to NIST SP 800-61, which TWO roles are considered core to the incident response team?

Question 62 (easy, multiple choice)

You are the lead security analyst at a mid-sized financial services firm. At 2:15 PM, the SIEM alerts on multiple failed login attempts from an external IP address against the VPN gateway. The attempts stopped at 2:20 PM, but at 2:30 PM, a user reports that their account was used to send a phishing email to internal employees. You confirm that the user's account has been compromised. The CEO asks for an immediate update. What should be your FIRST action according to the incident response framework your company follows (based on NIST SP 800-61)?

Question 63 (medium, multiple choice)

A healthcare organization is implementing a new SIEM solution to centralize log management from its network devices, servers, and applications. The compliance team requires that all logs be retained for at least one year to meet HIPAA regulations. The SIEM platform has limited storage capacity and uses a hot/warm/cold tier architecture. The system currently ingests about 500 GB of logs per day. The security team wants to ensure that critical logs (e.g., authentication failures, privilege escalations) remain immediately searchable for at least 90 days, while less critical logs can be moved to cheaper storage after 30 days. What is the most cost-effective storage strategy that meets all requirements?

Question 64 (hard, multiple choice)

Your organization, a multinational e-commerce company, has suffered a ransomware attack that encrypted critical database servers and file shares. The ransom note demands payment in cryptocurrency within 48 hours or the data will be permanently destroyed. The company has a backup strategy that includes daily full backups and hourly incremental backups, stored both on-site and off-site. However, during the incident response, you discover that the most recent on-site backups are also encrypted because the backup server was connected to the network and affected by the same ransomware. Off-site backups are on tape and were last rotated out 72 hours ago. The CEO is pressuring to pay the ransom to restore operations quickly. Which option should the incident response team prioritize to minimize data loss and reputational damage?

Question 65 (easy, multiple choice)

You are the security manager for a manufacturing company with a large facility that houses production servers and sensitive intellectual property. The facility has a single physical entrance that uses a card reader for access control. During a routine audit, you find that the door prop alarm has been bypassed by taping a magnet to the sensor, allowing the door to stay open without triggering an alert. The security guard station is located 200 feet away and does not have a direct line of sight to the door. Which control should you implement FIRST to prevent unauthorized physical access?

Question 66 (medium, multi-select)

Which TWO of the following are key principles for designing an effective Security Operations Center (SOC)?

Question 67 (hard, multiple choice)

Examine the Cisco ASA access-list named 'outside_in'. A penetration tester reports that they were able to establish an RDP session from an external IP address 203.0.113.55 to the internal host 10.10.10.10 on port 3389. Which configuration change would BEST prevent this while still allowing legitimate remote administration from the authorized management station?

Exhibit:
```
access-list outside_in extended permit tcp any host 10.10.10.10 eq 80 log
access-list outside_in extended permit tcp any host 10.10.10.10 eq 443 log
access-list outside_in extended permit tcp host 192.168.1.100 host 10.10.10.10 eq 3389 log
access-list outside_in extended deny ip any any log
```
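Both ACL questions on this page (29 and 67) come down to first-match evaluation: the device walks the list top-down, the first line that matches decides the packet, and anything that falls off the end hits the implicit deny. The following is an added example, not code from the page or from Cisco: a small evaluator that parses both exhibited lists (the numbered IOS form and the ASA "extended" form, limited to any/host addresses, an optional "eq" port and the "log" keyword; wildcard masks, port ranges and ICMP or established keywords are out of scope) and reports which line decides a given packet. Run a candidate packet through the list as it stands and again through the proposed change before deciding what to edit.

```python
# Added example (not from the page): a first-match evaluator for the Cisco
# access lists exhibited in Questions 29 and 67. Supports the numbered IOS
# form and the ASA "extended" form with any/host addresses, an optional
# "eq <port>" and "log". Wildcard masks, port ranges and ICMP/established
# keywords are deliberately out of scope.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ssh": 22}   # common IOS mnemonics


@dataclass
class Rule:
    name: str
    action: str
    proto: str
    src: Optional[object]      # ip_network, or None for "any"
    dst: Optional[object]
    dst_port: Optional[int]
    log: bool
    text: str


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form at: {' '.join(tokens[i:])}")


def parse_acl(text: str):
    rules = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] != "access-list":
            continue
        name, i = t[1], 2
        if t[i] == "extended":
            i += 1
        action, proto, i = t[i], t[i + 1], i + 2
        src, i = _parse_addr(t, i)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        rules.append(Rule(name, action, proto, src, dst, port, "log" in t[i:], raw.strip()))
    return rules


def evaluate(rules, proto: str, src_ip: str, dst_ip: str, dst_port: int):
    """Return (action, matching_line). Cisco ACLs end with an implicit deny."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if r.src is not None and ip_address(src_ip) not in r.src:
            continue
        if r.dst is not None and ip_address(dst_ip) not in r.dst:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action, r.text
    return "deny", "implicit deny"


# Access lists copied from the Question 29 and Question 67 exhibits.
ACL_Q29 = """
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any any eq 53
access-list 100 deny ip any any log
"""

ACL_Q67 = """
access-list outside_in extended permit tcp any host 10.10.10.10 eq 80 log
access-list outside_in extended permit tcp any host 10.10.10.10 eq 443 log
access-list outside_in extended permit tcp host 192.168.1.100 host 10.10.10.10 eq 3389 log
access-list outside_in extended deny ip any any log
"""

if __name__ == "__main__":
    rules = parse_acl(ACL_Q67)
    # Constructed test packets: (proto, src, dst, dst_port)
    for pkt in [("tcp", "203.0.113.55", "10.10.10.10", 3389),
                ("tcp", "192.168.1.100", "10.10.10.10", 3389),
                ("tcp", "203.0.113.55", "10.10.10.10", 443)]:
        print(pkt, "->", evaluate(rules, *pkt))
```

The value of the tool is in the second element of the result: knowing which line decided a packet tells you whether a change to the list will have any effect, or whether an earlier line will keep matching first. For Question 67 in particular, note that the list as exhibited already restricts 3389 to the management host, so the evaluator is the quickest way to confirm what the tester's session actually matched before editing anything.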
Question 68 (easy, multiple choice)

A medium-sized financial services company has a flat network topology with no segmentation between the corporate LAN and the server farm. The security team recently deployed a host-based intrusion detection system (HIDS) on all critical servers. Over the past week, the HIDS has generated multiple high-severity alerts indicating outbound connections from a database server to an external IP address in a foreign country, occurring every hour and lasting only a few seconds. The database server contains sensitive customer data. The company's incident response plan (IRP) has not been updated in two years, and the CISO wants to ensure a response that minimizes business disruption while protecting data. The IT team is small, and the security analyst on duty suspects a data exfiltration attempt but is unsure. What should the analyst do FIRST?
