Practice SSCP Security Operations and Administration questions with full explanations on every answer.
1. A company wants to ensure that employees understand the proper use of corporate email and internet. Which policy should they implement?
2. During a security audit, it is found that several employees have written their passwords on sticky notes attached to their monitors. Which policy is being violated?
3. A security awareness training program is being developed. Which topic is most important to include to reduce the risk of credential theft?
4. A security metric shows that patch compliance is at 85%. The goal is 95%. Which action should be taken first?
5. A change request to update a critical database server has been approved by the Change Advisory Board (CAB). During testing, a major compatibility issue is discovered. What is the best course of action?
6. A security administrator needs to ensure that all servers are configured with a hardened baseline. Which tool is best suited to detect deviations from the baseline configuration?
7. A company wants to track all hardware assets including serial numbers and locations. What is the primary repository for this information?
8. An organization uses a mantrap at its main entrance. An employee badges in, enters the first door, but then the second door fails to open. What should the employee do?
9. Which backup type copies all data that has changed since the last full backup, regardless of subsequent backups?
10. A company has a Recovery Time Objective (RTO) of 4 hours for its critical database. Which backup strategy best supports this RTO?
11. A critical vulnerability with a CVSS score of 9.8 is discovered in a web server that cannot be patched due to vendor dependency. What is the best compensating control?
12. Which of the following is a key principle of the 3-2-1 backup rule?
13. A security administrator receives an alert from the SIEM indicating a configuration change on a critical server. The change was not part of any approved change request. What should be the first step?
14. A company is implementing a new access control system for its data center. Which physical security control is best for preventing tailgating?
15. A patch management process is being audited. Which finding indicates a critical gap in the process?
16. A security administrator is selecting security metrics for the organization. Which TWO metrics are most useful for measuring the effectiveness of patching? (Select TWO)
17. A company is implementing a change management process. Which THREE elements are essential for every change request? (Select THREE)
18. An organization is enhancing its backup strategy. According to the 3-2-1 rule, which THREE characteristics must the backup strategy include? (Select THREE)
19. A security administrator is designing physical security for a high-security area. Which TWO controls are most effective for preventing unauthorized entry? (Select TWO)
20. During a post-implementation review of a recent change, it is found that the change introduced a security vulnerability. What TWO actions should be taken? (Select TWO)
21. A security administrator is drafting an acceptable use policy (AUP). Which of the following should be included to address the use of personal devices for work purposes?
22. During a change management process, the Change Advisory Board (CAB) has approved a change to update a critical database server. After implementation, a rollback is necessary due to unforeseen performance issues. What should the change manager do next?
23. An organization is implementing configuration management and wants to detect unauthorized changes to server configurations. Which of the following tools would be most effective for this purpose?
24. A security analyst notices an alert indicating that a user's workstation has been connected to an unauthorized external device. Which physical security control would best help prevent such incidents?
25. Which of the following backup methods copies all data that has changed since the last full backup, regardless of any intermediate backups?
26. During a security awareness training session, an employee asks how to identify a phishing email. Which of the following is the most reliable indicator of a phishing attempt?
27. A company is implementing a new patch management process. After scanning for missing patches, the team must prioritize which patches to apply first. Which combination of factors is most critical for prioritization?
28. Which of the following is the primary purpose of a configuration management database (CMDB)?
29. A security administrator is evaluating backup strategies for a critical database with a recovery time objective (RTO) of 4 hours and a recovery point objective (RPO) of 1 hour. Which backup approach best meets these requirements?
30. An organization wants to ensure that all new servers are deployed with a hardened baseline configuration. Which of the following is the most effective control to enforce this?
31. A security metric tracking the percentage of systems with critical patches applied within 48 hours is an example of which type of metric?
32. Which of the following is the correct order of steps in the change management process?
33. A security administrator needs to dispose of hard drives that contain sensitive data. Which method provides the highest assurance that data cannot be recovered?
34. An organization's security policy requires that all portable media containing sensitive data be encrypted. Which type of control does this requirement represent?
35. A company's backup strategy uses a full backup on Sundays and differential backups on other days. On Thursday, the storage system fails. How many backups are required to restore the data?
36. Which TWO of the following are key components of the 3-2-1 backup rule?
37. A security administrator is implementing physical security for a data center. Which THREE of the following controls should be included to provide layered security?
38. Which THREE of the following are examples of security awareness training topics?
39. An organization is implementing a software inventory management process. Which TWO of the following should be tracked for each software asset?
40. Which TWO of the following are valid reasons to deny a change request during the CAB approval process?
41. A security administrator is implementing a policy that requires all employees to use a password manager and enable multi-factor authentication. This policy is BEST described as a:
42. During a security awareness training session, an employee reports receiving an email that appears to be from the CEO requesting an urgent wire transfer. The email has a suspicious domain and poor grammar. Which type of attack is this an example of?
43. A company has a backup policy that performs a full backup every Sunday and incremental backups on other days. On Wednesday, a server fails. How many backup sets are needed to restore the server to its state on Tuesday night?
44. Which of the following is the PRIMARY purpose of implementing a clean desk policy?
45. A security analyst notices multiple failed login attempts on a critical server followed by a successful login from an unusual IP address. Which metric would BEST capture this event?
46. A change request to update a firewall rule has been submitted. After impact assessment, the change is approved by the Change Advisory Board (CAB). What is the NEXT step in the change management process?
47. An organization wants to ensure that servers are configured securely before deployment. They plan to use a hardened operating system image and regularly scan for deviations using SCAP. Which concept does this represent?
48. Which of the following physical security controls is designed to prevent tailgating by requiring two doors to be interlocked?
49. A company uses a backup strategy that backs up all data every Sunday and backs up only data that has changed since the last full backup on other days. This is an example of which backup type?
50. A vulnerability scan identifies a critical vulnerability on a web server with a CVSS score of 9.8. The server hosts a public-facing application. However, the patch would require a reboot that would cause downtime during business hours. What should the security administrator do FIRST?
51. An employee is leaving the company. As part of the offboarding process, which action should be taken regarding the hardware assigned to the employee?
52. Which of the following is the BEST definition of Recovery Point Objective (RPO)?
53. A security administrator is reviewing log files and notices that a user logged in at 3:00 AM from an IP address in a foreign country. The user's manager confirms the user is not authorized for remote access. Which type of policy has likely been violated?
54. During a post-implementation review of a change, it is discovered that the change introduced a configuration deviation from the baseline. The deviation was not detected during testing. What is the BEST way to prevent this in the future?
55. An organization wants to ensure that sensitive data on laptops is protected in case of loss or theft. Which control is MOST effective?
56. Which TWO of the following are key components of the 3-2-1 backup rule? (Select TWO)
57. Which THREE of the following are valid steps in the change management process? (Select THREE)
58. Which TWO of the following are examples of physical security controls? (Select TWO)
59. Which THREE of the following are critical elements of a patch management policy? (Select THREE)
60. Which TWO of the following are key components of a configuration management database (CMDB)? (Select TWO)
61. An organization's security policy prohibits employees from sharing passwords. What type of policy is this?
62. A security awareness training program aims to reduce successful phishing attacks. Which metric is most appropriate for measuring the effectiveness of this training?
63. During a change management process, the Change Advisory Board (CAB) approves a high-risk change. What is the NEXT step according to standard change management?
64. What is the primary purpose of a baseline configuration in configuration management?
65. An organization uses a SIEM to alert when a server's configuration changes from its hardened baseline. This is an example of:
66. During a physical security audit, it is discovered that employees often prop open the mantrap door to allow easier access. What is the BEST control to address this?
67. Which backup type copies all data that has changed since the last full backup, regardless of any incremental backups?
68. An organization needs to recover data from a backup after a ransomware attack. The backup was taken 12 hours ago, and the RPO is 4 hours. What is the impact?
69. A security administrator is prioritizing patches for a vulnerability with a CVSS score of 9.8 that is being actively exploited in the wild. The affected server has a low criticality classification. What should the administrator do?
70. Which physical security control is designed to prevent tailgating by allowing only one person to enter at a time?
71. An organization's backup policy states: 'Maintain three copies of data on two different media types, with one copy stored offsite.' This is known as:
72. After a patch is deployed to a critical server, the system becomes unstable. The change management plan includes a rollback procedure. What should be done FIRST?
73. Which TWO controls are examples of physical security controls that can help prevent unauthorized access to a data center? (Select TWO.)
74. A security administrator is implementing the 3-2-1 backup rule. Which THREE actions are required to comply with this rule? (Select THREE.)
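Several of the backup questions above (differential versus incremental restore chains, and whether a backup taken 12 hours ago meets a 4-hour RPO) come down to the same small piece of reasoning. The following script is an added worked example, not part of the question bank or of Courseiva's material: it walks a weekly rotation backwards to list the backup sets a restore needs, and computes how far a failure overshoots the RPO. The day names, schedules and timestamps are constructed for the example; the rotation is assumed to start on the day of the full backup, and a failure is assumed to occur before that day's backup runs.

```python
"""Worked example: backup restore chains and RPO shortfall.

Added illustration for the backup questions in this domain; the
schedules, days and times below are constructed, not taken from any
real environment.
"""
from datetime import datetime, timedelta

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def weekly_schedule(full_day, other_type):
    """Build a one-week rotation: one full backup, every other day
    `other_type` ('incremental' or 'differential').  The rotation is
    ordered so that it begins on the full-backup day."""
    start = DAYS.index(full_day)
    rotated = DAYS[start:] + DAYS[:start]
    return [(d, "full" if d == full_day else other_type) for d in rotated]


def restore_chain(schedule, failure_day):
    """Return the (day, type) backup sets needed to restore to the most
    recent backup taken before `failure_day`.

    Differential: the last full plus only the latest differential,
    because each differential already contains everything since the full.
    Incremental: the last full plus every incremental since, in order,
    because each incremental only holds changes since the previous backup.
    """
    names = [d for d, _ in schedule]
    taken = schedule[: names.index(failure_day)]
    if not taken:
        raise ValueError("no backup exists before the failure")
    full_pos = max(i for i, (_, kind) in enumerate(taken) if kind == "full")
    since_full = taken[full_pos + 1:]
    chain = [taken[full_pos]]
    if since_full:
        if since_full[-1][1] == "differential":
            chain.append(since_full[-1])          # latest differential only
        else:
            chain.extend(since_full)              # every incremental, oldest first
    return chain


def rpo_excess(last_backup, failure_time, rpo):
    """Data loss beyond the RPO.  Positive means the RPO is violated;
    zero or negative means the most recent backup is recent enough."""
    data_loss = failure_time - last_backup
    return data_loss - rpo


if __name__ == "__main__":
    # Full on Sunday, differentials otherwise, failure on Thursday.
    print(restore_chain(weekly_schedule("Sun", "differential"), "Thu"))
    # Full on Sunday, incrementals otherwise, failure on Wednesday.
    print(restore_chain(weekly_schedule("Sun", "incremental"), "Wed"))
    # Backup 12 hours before the incident against a 4-hour RPO.
    incident = datetime(2024, 1, 10, 14, 0)        # constructed timestamp
    print(rpo_excess(incident - timedelta(hours=12), incident, timedelta(hours=4)))
```

The differential case returns two sets (Sunday full plus Wednesday differential), the incremental case returns three (Sunday full plus Monday and Tuesday incrementals), and the RPO call reports an 8-hour overshoot: the organisation loses up to 12 hours of data against a tolerance of 4. The restore function raises if the failure lands on the full-backup day before any backup has run, which is the realistic gap a rotation design has to account for.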
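The configuration-management questions above (detecting deviations from a hardened baseline, whether by an SCAP scan or a SIEM alert) rest on one operation: compare what a host actually has against what the baseline says it must have. The script below is an added example, not part of the question bank and not an SCAP tool: it checks an sshd_config-style file against a small baseline and reports each setting that is missing or has the wrong value. The baseline values and the sample configuration are constructed for the illustration. It also reflects one sshd parsing rule worth knowing when reading such files: for most keywords sshd uses the first occurrence and silently ignores later ones, so a hardening line appended at the end of the file may not take effect.

```python
"""Worked example: baseline deviation check for an sshd_config-style file.

Added illustration for the configuration-baseline questions in this
domain.  The baseline and the sample file are constructed; real
baselines come from the organisation's hardening standard.
"""
import re

# Constructed hardening baseline: keyword -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample file.  It has a root-login deviation, a missing
# MaxAuthTries line, a '=' separated line, and a duplicated keyword.
SAMPLE_CONFIG = """\
# constructed sshd_config for the example
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes   # duplicate: sshd keeps the FIRST value
X11Forwarding=no
"""

_LINE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")


def parse_sshd_config(text):
    """Return {keyword(lower-case): value} from sshd_config-style text.

    Comments and blank lines are skipped, keywords are case-insensitive,
    and either whitespace or '=' separates keyword and value.  The first
    occurrence of a keyword wins, matching sshd's own behaviour."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _LINE.match(line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).strip()
        settings.setdefault(key, value)          # first occurrence wins
    return settings


def find_deviations(observed, baseline):
    """Return a list of (keyword, expected, actual) for every baseline
    item that is absent (actual None, so sshd's default applies) or set
    to a different value.  An empty list means the host is compliant."""
    deviations = []
    for key, expected in baseline.items():
        actual = observed.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            deviations.append((key, expected, actual))
    return deviations


if __name__ == "__main__":
    for key, expected, actual in find_deviations(parse_sshd_config(SAMPLE_CONFIG), BASELINE):
        state = "MISSING" if actual is None else f"is {actual!r}"
        print(f"DEVIATION {key}: expected {expected!r}, {state}")
```

Run against the sample, it reports PermitRootLogin set to yes and MaxAuthTries absent; PasswordAuthentication passes because the first occurrence is the hardened value, which is exactly the case a line-by-line grep would misjudge. A missing keyword is reported as a deviation rather than assumed compliant because the effective value is then whatever the daemon's compiled-in default happens to be, and a baseline exists precisely to stop relying on that.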
The Security Operations and Administration domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.
The Courseiva SSCP question bank contains 74 questions in the Security Operations and Administration domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Operations and Administration domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.