Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Security Operations and Administration

Practice SSCP Security Operations and Administration questions with full explanations on every answer.

79 questions


Security Operations and Administration — choose a session length

10 questions (~10 min) · 20 questions (~20 min) · 30 questions (~30 min) · 50 questions (~50 min)

Free · No account required


All SSCP Security Operations and Administration questions (79)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security analyst receives an alert that a user account has been locked out multiple times within 10 minutes. The analyst checks the account and finds it is a service account used for automated backups. What is the most likely cause?

2

A company implements a new policy requiring all privileged access requests to be approved by a manager. However, after deployment, analysts report that they cannot perform emergency changes outside business hours. What is the best solution?

3

A security administrator is tasked with ensuring that only authorized software can run on company workstations. Which security control should be implemented?

4

An organization's security policy requires that all data at rest be encrypted. A database administrator objects, stating that encryption will degrade performance. What is the best response?

5

During a security audit, it is discovered that several employees have access to shared network drives containing sensitive HR data. The HR manager states that these employees no longer need access. What is the most efficient way to revoke access?

6

A company wants to ensure that employees use strong passwords. Which policy is most effective?

7

A security team is investigating a potential data exfiltration incident. They notice that a large amount of data was transferred to an external IP address during off-hours. What should be the first step?

8

An organization uses role-based access control (RBAC). A user complains that they can access a resource they were previously denied. The security administrator finds that the user's role was recently changed. What is the most likely cause?

9

Which of the following is the primary purpose of a security awareness program?

10

Which TWO of the following are valid reasons for implementing a separation of duties policy? (Choose two.)

11

Which THREE of the following are essential elements of an effective incident response plan? (Choose three.)

12

Which TWO of the following are examples of administrative controls? (Choose two.)

13

Based on the exhibit, which type of attack is most likely occurring?

14

Based on the exhibit, which of the following best describes the firewall configuration?

15

You are the security administrator for a mid-sized financial company that processes credit card transactions. The company has a mix of on-premises servers and cloud-based services. Recently, the company experienced a data breach where an attacker exfiltrated customer data from a database server. The investigation reveals that the attacker used compromised credentials of a database administrator (DBA) account. The DBA account had been used by multiple administrators without proper auditing. The company wants to implement a solution to prevent such incidents in the future. The solution must: 1) ensure that each administrator has a unique account for database access, 2) require approval for privileged actions, 3) provide a full audit trail of all privileged activities, and 4) be cost-effective. Which of the following is the best course of action?

16

You work for a hospital that has recently transitioned to an electronic health record (EHR) system. The system stores protected health information (PHI) and must comply with HIPAA. The hospital's security policy requires that all access to PHI be logged and that any unauthorized access be detected promptly. The IT department has implemented logging on the EHR system, but the security team is overwhelmed by the volume of logs and cannot review them in a timely manner. Additionally, there have been incidents where employees accessed patient records without a legitimate need, but these were only discovered months later during random audits. The hospital needs to improve its detection capabilities. Which of the following is the most effective solution?

17

Drag and drop the steps for establishing a VPN using IPsec in tunnel mode into the correct order.

18

Match each network security device to its function.

19

A security administrator needs to ensure that only authorized personnel can reset user passwords in Active Directory. Which of the following is the BEST method to delegate this responsibility without granting unnecessary privileges?

20

An organization implements a new security policy requiring all portable storage devices to be encrypted. Which of the following is the MOST effective control to enforce this policy?

21

A security analyst is investigating a potential data exfiltration incident. The logs show a large number of outbound DNS queries to a domain that resolves to an IP address in a foreign country. The queries contain encoded strings in the subdomain. Which type of attack is MOST likely occurring?

22

A system administrator receives a report that a critical server is running low on disk space. After investigation, it is determined that the log files are not being rotated properly. Which of the following is the BEST solution to prevent this issue in the future?

23

An employee reports that they cannot access a shared folder on the network. The security administrator checks the permissions and finds that the user is in the correct group, but a 'Deny' entry for a different group is blocking access. What is the MOST likely cause?

24

A security engineer is configuring a firewall to block all inbound traffic except for specific services. Which of the following design principles is being applied?

25

A company experiences a security breach where an attacker gained access to the network through a compromised vendor account. Which of the following controls would have BEST prevented this attack?

26

A system administrator needs to securely transfer log files from a Linux server to a central log collector. Which protocol should be used to ensure confidentiality and integrity?

27

During a security assessment, a penetration tester discovers that a web application allows users to upload files without proper validation. The tester successfully uploads a PHP web shell. Which control would have MOST effectively prevented this exploitation?

28

Which TWO of the following are key components of an organization's security policy framework? (Choose two.)

29

Which THREE of the following are appropriate techniques for securely disposing of magnetic hard disk drives that contain sensitive data? (Choose three.)

30

Which TWO of the following are examples of administrative controls in a security program? (Choose two.)

31

Refer to the exhibit. What does this event indicate?

32

Refer to the exhibit. An administrator implements this firewall rule. What is the intended effect?

33

Refer to the exhibit. A systems administrator configures this Group Policy setting. What is the direct consequence?

34

A security administrator notices that a critical server's event log shows repeated failed login attempts from an internal IP address that normally does not generate any traffic. The administrator immediately blocks the IP at the firewall and resets the account password. However, the incident response team later determines that the attacker had already gained access to the server. What is the MOST likely reason the administrator's actions were insufficient?

35

A company implements a policy that requires all employees to change their passwords every 60 days. Which of the following is the PRIMARY security benefit of this requirement?

36

An organization uses role-based access control (RBAC). After a merger, a user account from the acquired company is migrated into the parent company's domain. The user is assigned to multiple roles, but is unable to access a critical application that requires a specific role. The administrator verified that the user's account is enabled and the application server is reachable. What is the MOST likely cause?

37

A security administrator is reviewing backup procedures for a database server. The current backup policy mandates a full backup every Sunday and differential backups Tuesday through Friday. On Wednesday, a failure occurs, and the database is lost. The last successful full backup was completed on Sunday, and the last differential backup was completed on Tuesday. How many backup sets are needed to restore the database to its state as of Tuesday?

38

During a security audit, it is discovered that a system administrator shared their personal credentials with a colleague to troubleshoot an issue after hours. This violates the company's policy regarding password sharing. Which control would BEST prevent this type of incident in the future?

39

An organization wants to ensure that only authorized devices can connect to its internal network. Which of the following should be implemented?

40

A security analyst notices that an employee's account has been sending large amounts of data to an external IP address during non-business hours. The analyst suspects the employee's credentials have been compromised. What is the FIRST step the analyst should take according to incident response procedures?

41

A company's VPN logs show that a user's account authenticated from two different geographic locations within a span of 10 minutes. The distances between locations make physical travel impossible. The security team investigates and finds that the user's password is complex and not shared. What is the MOST likely explanation?

42

A security administrator needs to set file permissions on a shared folder so that only members of the 'Finance' group can read and write to it. All existing permissions should be removed. Which command should the administrator use?

43

A security administrator is implementing a change management process. Which TWO of the following are essential components of a change management policy? (Choose two.)

44

A security operations team is developing an incident response plan. Which TWO steps are part of the 'containment, eradication, and recovery' phase? (Choose two.)

45

A security administrator is tasked with managing user access. Which THREE of the following are principles of least privilege? (Choose three.)

46

Refer to the exhibit. A security analyst reviews the log and determines that the system was under a brute force attack. However, the analyst notices that the attack stopped after 5 minutes, and the IP address was not blocked. Which of the following is the MOST likely reason the attack stopped?

47

Refer to the exhibit. A security analyst reviews these iptables rules and expects SSH access to be blocked, but it is still allowed. What is the MOST likely reason?

48

Refer to the exhibit. A security administrator notices repeated events with the same failure reason for the Administrator account. What is the MOST likely type of attack?

49

A system administrator needs to grant a temporary contractor access to a specific shared folder for two weeks. Which access control approach is most appropriate?

50

An organization's help desk receives multiple reports of employees unable to access a critical internal application. The IT team confirms the application server is running. What is the FIRST step in the incident response process?

51

A security administrator is implementing change management for a critical financial system. Which of the following is the MOST important control to prevent unauthorized changes?

52

An IT auditor reports that firewall logs are not being reviewed regularly. Which control should be implemented to address this finding?

53

A small business wants to protect its data from ransomware. Which backup strategy provides the BEST protection against an attack where the backup files are also encrypted?

54

A company has a policy requiring segregation of duties (SoD) for financial transactions. Which scenario represents a violation of this principle?

55

A new employee needs access to the CRM, email, and file servers. The security policy requires that access privileges are granted based on job function. Which process should be used?

56

An organization wants to prevent unauthorized persons from entering a secure server room. Which control is the MOST effective?

57

A security awareness program is being developed. Which topic is MOST critical for all employees to understand to reduce the risk of social engineering?

58

Which TWO of the following are types of intrusion detection systems (IDS) based on the detection method?

59

Which THREE of the following are key objectives of data classification?

60

Which TWO of the following are essential components of a disaster recovery plan (DRP)?

61

An analyst runs the netstat command on a web server. Based on the output, which connection is the MOST suspicious?

62

An analyst reviews a Windows security log. Given the event, what is the MOST likely cause of the lockout?

63

A network administrator implements the firewall rules above. What is the effect of this rulebase?

64

A system administrator notices that a user's account has been locked out multiple times within an hour. The admin reviews the logs and finds repeated failed login attempts from an unusual IP address. What is the BEST immediate action to mitigate further risk?

65

An organization is migrating from on-premises servers to a cloud IaaS model. The security team must ensure that virtual machine (VM) images are hardened before deployment. Which of the following is the MOST effective control to ensure consistency and compliance with security baselines?

66

A security analyst is reviewing the access control policy and notices that some users have been granted 'write' access to a directory that contains sensitive financial reports. Which principle of information security is being violated?

67

A company's security policy requires that employees must change their passwords every 60 days. However, help desk tickets show that many users are locked out after forgetting their new passwords. Which of the following would BEST balance security and usability?

68

Which TWO of the following are essential steps in a security incident response process according to the SSCP common body of knowledge? (Select the two best answers.)

69

Which THREE of the following are valid methods for enforcing separation of duties in an IT environment? (Select the three best answers.)

70

Which TWO of the following are key components of a data classification policy? (Select the two best answers.)

71

A small business has 50 employees and uses a cloud-based email service. The IT manager receives a report that several employees have been receiving phishing emails that appear to come from the company's CEO. The emails request that employees purchase gift cards and send the codes urgently. Two employees have already complied, losing $500 total. The manager wants to prevent this from recurring. The company has a limited budget and no dedicated security staff. Which of the following actions should the manager take FIRST?

72

A hospital's IT department manages a network with hundreds of medical devices, including patient monitors and infusion pumps, all connected to a separate VLAN. The security team has identified that several devices are running outdated firmware with known vulnerabilities. The vendor has not released patches for these legacy devices. The hospital cannot replace them immediately due to budget constraints. The network team proposes moving the devices to a more restrictive firewall zone and implementing intrusion detection. Which of the following additional controls should be implemented to BEST reduce the risk of a breach exploiting these devices?

73

A financial firm is implementing a new access control system for its critical trading application. The application currently uses local accounts and password authentication. The security team wants to enforce multi-factor authentication (MFA) and centralized user management. The firm has an existing Active Directory (AD) infrastructure and a certificate authority (CA). However, the trading application only supports smart card authentication via PKI and does not support integration with AD directly. The IT team must design a solution that meets security requirements while minimizing changes to the application. Which approach should the team take?

74

A university's IT department manages a network used by students and faculty. The security team notices an unusual increase in outbound traffic from the student dormitory network during late hours. Upon investigation, they discover that several student laptops are infected with malware that is attempting to connect to external command-and-control (C2) servers. The team needs to contain the incident quickly while minimizing impact on legitimate users. Which of the following is the BEST immediate containment measure?

75

A government contractor is required to comply with the Federal Information Security Management Act (FISMA). The security officer must implement a continuous monitoring program for all information systems. The contractor uses a mix of on-premises servers and cloud services. The contractor has a SIEM tool that collects logs from all systems. However, the SIEM generates a high number of alerts, many of which are false positives, overwhelming the security team. The team wants to improve the effectiveness of the monitoring program without increasing staff. Which of the following actions would MOST effectively address the issue?

76

A large e-commerce company has a disaster recovery (DR) plan that requires a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour for its customer database. The database runs on a clustered SQL server with synchronous replication to a standby server in a different data center. During a recent test, the IT team found that failover took 3 hours, but due to a replication lag of 45 minutes, some transactions were lost. The team needs to meet both RTO and RPO. Which of the following changes should the team implement FIRST?

77

Which TWO of the following are key components of a security awareness program?

78

What does this log entry most likely indicate?

79

A company has 200 employees using a Windows Active Directory environment. The security administrator receives multiple alerts that user accounts are being locked out every 15 minutes. The help desk confirms that users who report the issue are able to log in successfully after unlocking their accounts, but they get locked out again shortly after. The administrator checks the domain controller security logs and sees many failed logon attempts with a specific service account name 'svc_backup' from multiple workstations. The svc_backup account is used for a backup application that runs scheduled tasks. What should the administrator do to resolve the issue?


Other SSCP exam domains

Risk Identification, Monitoring and Analysis · Network and Communications Security · Systems and Application Security · Incident Response and Recovery · Access Controls · Cryptography

Frequently asked questions

What does the Security Operations and Administration domain cover on the SSCP exam?

The Security Operations and Administration domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.

How many Security Operations and Administration questions are in the SSCP question bank?

The Courseiva SSCP question bank contains 79 questions in the Security Operations and Administration domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Operations and Administration for SSCP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Operations and Administration questions for SSCP?

Yes — the session launcher on this page draws questions exclusively from the Security Operations and Administration domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
