Practice SSCP Security Operations and Administration questions with full explanations on every answer.
1. A security analyst receives an alert that a user account has been locked out multiple times within 10 minutes. The analyst checks the account and finds it is a service account used for automated backups. What is the most likely cause?
2. A company implements a new policy requiring all privileged access requests to be approved by a manager. However, after deployment, analysts report that they cannot perform emergency changes outside business hours. What is the best solution?
3. A security administrator is tasked with ensuring that only authorized software can run on company workstations. Which security control should be implemented?
4. An organization's security policy requires that all data at rest be encrypted. A database administrator objects, stating that encryption will degrade performance. What is the best response?
5. During a security audit, it is discovered that several employees have access to shared network drives containing sensitive HR data. The HR manager states that these employees no longer need access. What is the most efficient way to revoke access?
6. A company wants to ensure that employees use strong passwords. Which policy is most effective?
7. A security team is investigating a potential data exfiltration incident. They notice that a large amount of data was transferred to an external IP address during off-hours. What should be the first step?
8. An organization uses role-based access control (RBAC). A user complains that they can access a resource they were previously denied. The security administrator finds that the user's role was recently changed. What is the most likely cause?
9. Which of the following is the primary purpose of a security awareness program?
10. Which TWO of the following are valid reasons for implementing a separation of duties policy? (Choose two.)
11. Which THREE of the following are essential elements of an effective incident response plan? (Choose three.)
12. Which TWO of the following are examples of administrative controls? (Choose two.)
13. Based on the exhibit, which type of attack is most likely occurring?
14. Based on the exhibit, which of the following best describes the firewall configuration?
15. You are the security administrator for a mid-sized financial company that processes credit card transactions. The company has a mix of on-premises servers and cloud-based services. Recently, the company experienced a data breach where an attacker exfiltrated customer data from a database server. The investigation reveals that the attacker used compromised credentials of a database administrator (DBA) account. The DBA account had been used by multiple administrators without proper auditing. The company wants to implement a solution to prevent such incidents in the future. The solution must: 1) ensure that each administrator has a unique account for database access, 2) require approval for privileged actions, 3) provide a full audit trail of all privileged activities, and 4) be cost-effective. Which of the following is the best course of action?
16. You work for a hospital that has recently transitioned to an electronic health record (EHR) system. The system stores protected health information (PHI) and must comply with HIPAA. The hospital's security policy requires that all access to PHI be logged and that any unauthorized access be detected promptly. The IT department has implemented logging on the EHR system, but the security team is overwhelmed by the volume of logs and cannot review them in a timely manner. Additionally, there have been incidents where employees accessed patient records without a legitimate need, but these were only discovered months later during random audits. The hospital needs to improve its detection capabilities. Which of the following is the most effective solution?
17. Drag and drop the steps for establishing a VPN using IPsec in tunnel mode into the correct order.
18. Match each network security device to its function.
19. A security administrator needs to ensure that only authorized personnel can reset user passwords in Active Directory. Which of the following is the BEST method to delegate this responsibility without granting unnecessary privileges?
20. An organization implements a new security policy requiring all portable storage devices to be encrypted. Which of the following is the MOST effective control to enforce this policy?
21. A security analyst is investigating a potential data exfiltration incident. The logs show a large number of outbound DNS queries to a domain that resolves to an IP address in a foreign country. The queries contain encoded strings in the subdomain. Which type of attack is MOST likely occurring?
22. A system administrator receives a report that a critical server is running low on disk space. After investigation, it is determined that the log files are not being rotated properly. Which of the following is the BEST solution to prevent this issue in the future?
23. An employee reports that they cannot access a shared folder on the network. The security administrator checks the permission and finds that the user is in the correct group, but the 'Deny' entry for a different group is blocking access. What is the MOST likely cause?
24. A security engineer is configuring a firewall to block all inbound traffic except for specific services. Which of the following design principles is being applied?
25. A company experiences a security breach where an attacker gained access to the network through a compromised vendor account. Which of the following controls would have BEST prevented this attack?
26. A system administrator needs to securely transfer log files from a Linux server to a central log collector. Which protocol should be used to ensure confidentiality and integrity?
27. During a security assessment, a penetration tester discovers that a web application allows users to upload files without proper validation. The tester successfully uploads a PHP web shell. Which control would have MOST effectively prevented this exploitation?
28. Which TWO of the following are key components of an organization's security policy framework? (Choose two.)
29. Which THREE of the following are appropriate techniques for securely disposing of magnetic hard disk drives that contain sensitive data? (Choose three.)
30. Which TWO of the following are examples of administrative controls in a security program? (Choose two.)
31. Refer to the exhibit. What does this event indicate?
32. Refer to the exhibit. An administrator implements this firewall rule. What is the intended effect?
33. Refer to the exhibit. A systems administrator configures this Group Policy setting. What is the direct consequence?
34. A security administrator notices that a critical server's event log shows repeated failed login attempts from an internal IP address that normally does not generate any traffic. The administrator immediately blocks the IP at the firewall and resets the account password. However, the incident response team later determines that the attacker had already gained access to the server. What is the MOST likely reason the administrator's actions were insufficient?
35. A company implements a policy that requires all employees to change their passwords every 60 days. Which of the following is the PRIMARY security benefit of this requirement?
36. An organization uses role-based access control (RBAC). After a merger, a user account from the acquired company is migrated into the parent company's domain. The user is assigned to multiple roles, but is unable to access a critical application that requires a specific role. The administrator verified that the user's account is enabled and the application server is reachable. What is the MOST likely cause?
37. A security administrator is reviewing backup procedures for a database server. The current backup policy mandates a full backup every Sunday and differential backups Tuesday through Friday. On Wednesday, a failure occurs, and the database is lost. The last successful full backup was completed on Sunday, and the last differential backup was completed on Tuesday. How many backup sets are needed to restore the database to its state as of Tuesday?
38. During a security audit, it is discovered that a system administrator shared their personal credentials with a colleague to troubleshoot an issue after hours. This violates the company's policy regarding password sharing. Which control would BEST prevent this type of incident in the future?
39. An organization wants to ensure that only authorized devices can connect to its internal network. Which of the following should be implemented?
40. A security analyst notices that an employee's account has been sending large amounts of data to an external IP address during non-business hours. The analyst suspects the employee's credentials have been compromised. What is the FIRST step the analyst should take according to incident response procedures?
41. A company's VPN logs show that a user's account authenticated from two different geographic locations within a span of 10 minutes. The distances between locations make physical travel impossible. The security team investigates and finds that the user's password is complex and not shared. What is the MOST likely explanation?
42. A security administrator needs to set file permissions on a shared folder so that only members of the 'Finance' group can read and write to it. All existing permissions should be removed. Which command should the administrator use?
43. A security administrator is implementing a change management process. Which TWO of the following are essential components of a change management policy? (Choose two.)
44. A security operations team is developing an incident response plan. Which TWO steps are part of the 'containment, eradication, and recovery' phase? (Choose two.)
45. A security administrator is tasked with managing user access. Which THREE of the following are principles of least privilege? (Choose three.)
46. Refer to the exhibit. A security analyst reviews the log and determines that the system was under a brute force attack. However, the analyst notices that the attack stopped after 5 minutes, and the IP address was not blocked. Which of the following is the MOST likely reason the attack stopped?
47. Refer to the exhibit. A security analyst reviews these iptables rules and expects SSH access to be blocked, but it is still allowed. What is the MOST likely reason?
48. Refer to the exhibit. A security administrator notices repeated events with the same failure reason for the Administrator account. What is the MOST likely type of attack?
49. A system administrator needs to grant a temporary contractor access to a specific shared folder for two weeks. Which access control approach is most appropriate?
50. An organization's help desk receives multiple reports of employees unable to access a critical internal application. The IT team confirms the application server is running. What is the FIRST step in the incident response process?
51. A security administrator is implementing change management for a critical financial system. Which of the following is the MOST important control to prevent unauthorized changes?
52. An IT auditor reports that firewall logs are not being reviewed regularly. Which control should be implemented to address this finding?
53. A small business wants to protect its data from ransomware. Which backup strategy provides the BEST protection against an attack where the backup files are also encrypted?
54. A company has a policy requiring segregation of duties (SoD) for financial transactions. Which scenario represents a violation of this principle?
55. A new employee needs access to the CRM, email, and file servers. The security policy requires that access privileges are granted based on job function. Which process should be used?
56. An organization wants to prevent unauthorized persons from entering a secure server room. Which control is the MOST effective?
57. A security awareness program is being developed. Which topic is MOST critical for all employees to understand to reduce the risk of social engineering?
58. Which TWO of the following are types of intrusion detection systems (IDS) based on the detection method?
59. Which THREE of the following are key objectives of data classification?
60. Which TWO of the following are essential components of a disaster recovery plan (DRP)?
61. An analyst runs the netstat command on a web server. Based on the output, which connection is the MOST suspicious?
62. An analyst reviews a Windows security log. Given the event, what is the MOST likely cause of the lockout?
63. A network administrator implements the firewall rules above. What is the effect of this rulebase?
64. A system administrator notices that a user's account has been locked out multiple times within an hour. The admin reviews the logs and finds repeated failed login attempts from an unusual IP address. What is the BEST immediate action to mitigate further risk?
65. An organization is migrating from on-premises servers to a cloud IaaS model. The security team must ensure that virtual machine (VM) images are hardened before deployment. Which of the following is the MOST effective control to ensure consistency and compliance with security baselines?
66. A security analyst is reviewing the access control policy and notices that some users have been granted 'write' access to a directory that contains sensitive financial reports. Which principle of information security is being violated?
67. A company's security policy requires that employees must change their passwords every 60 days. However, help desk tickets show that many users are locked out after forgetting their new passwords. Which of the following would BEST balance security and usability?
68. Which TWO of the following are essential steps in a security incident response process according to the SSCP common body of knowledge? (Select the two best answers.)
69. Which THREE of the following are valid methods for enforcing separation of duties in an IT environment? (Select the three best answers.)
70. Which TWO of the following are key components of a data classification policy? (Select the two best answers.)
71. A small business has 50 employees and uses a cloud-based email service. The IT manager receives a report that several employees have been receiving phishing emails that appear to come from the company's CEO. The emails request that employees purchase gift cards and send the codes urgently. Two employees have already complied, losing $500 total. The manager wants to prevent this from recurring. The company has a limited budget and no dedicated security staff. Which of the following actions should the manager take FIRST?
72. A hospital's IT department manages a network with hundreds of medical devices, including patient monitors and infusion pumps, all connected to a separate VLAN. The security team has identified that several devices are running outdated firmware with known vulnerabilities. The vendor has not released patches for these legacy devices. The hospital cannot replace them immediately due to budget constraints. The network team proposes moving the devices to a more restrictive firewall zone and implementing intrusion detection. Which of the following additional controls should be implemented to BEST reduce the risk of a breach exploiting these devices?
73. A financial firm is implementing a new access control system for its critical trading application. The application currently uses local accounts and password authentication. The security team wants to enforce multi-factor authentication (MFA) and centralized user management. The firm has an existing Active Directory (AD) infrastructure and a certificate authority (CA). However, the trading application only supports smart card authentication via PKI and does not support integration with AD directly. The IT team must design a solution that meets security requirements while minimizing changes to the application. Which approach should the team take?
74. A university's IT department manages a network used by students and faculty. The security team notices an unusual increase in outbound traffic from the student dormitory network during late hours. Upon investigation, they discover that several student laptops are infected with malware that is attempting to connect to external command-and-control (C2) servers. The team needs to contain the incident quickly while minimizing impact on legitimate users. Which of the following is the BEST immediate containment measure?
75. A government contractor is required to comply with the Federal Information Security Management Act (FISMA). The security officer must implement a continuous monitoring program for all information systems. The contractor uses a mix of on-premises servers and cloud services. The contractor has a SIEM tool that collects logs from all systems. However, the SIEM generates a high number of alerts, many of which are false positives, overwhelming the security team. The team wants to improve the effectiveness of the monitoring program without increasing staff. Which of the following actions would MOST effectively address the issue?
76. A large e-commerce company has a disaster recovery (DR) plan that requires a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour for its customer database. The database runs on a clustered SQL server with synchronous replication to a standby server in a different data center. During a recent test, the IT team found that failover took 3 hours, but due to a replication lag of 45 minutes, some transactions were lost. The team needs to meet both RTO and RPO. Which of the following changes should the team implement FIRST?
77. Which TWO of the following are key components of a security awareness program?
78. What does this log entry most likely indicate?
79. A company has 200 employees using a Windows Active Directory environment. The security administrator receives multiple alerts that user accounts are being locked out every 15 minutes. The help desk confirms that users who report the issue are able to log in successfully after unlocking their accounts, but they get locked out again shortly after. The administrator checks the domain controller security logs and sees many failed logon attempts with a specific service account name 'svc_backup' from multiple workstations. The svc_backup account is used for a backup application that runs scheduled tasks. What should the administrator do to resolve the issue?
The Security Operations and Administration domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.
The Courseiva SSCP question bank contains 79 questions in the Security Operations and Administration domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Operations and Administration domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.