Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 1.0

Describe the concepts of security, compliance, and identity

SC-900 Practice Questions

Use this page to practise questions on the objective "Describe the concepts of security, compliance, and identity" for this certification. Focus on how the exam tests this objective in scenario format; understanding the why behind each answer builds more durable knowledge than memorising options.

What this objective tests

SC-900 Describe the concepts of security, compliance, and identity — Key Topics

Questions on the objective "Describe the concepts of security, compliance, and identity" test your ability to deploy and manage these concepts in scenario-based situations.

  • Core security, compliance, and identity concepts and how they apply in real-world cloud scenarios.
  • How to deploy these concepts correctly and verify the outcome.
  • Troubleshooting security, compliance, and identity issues by interpreting error output and system state.
  • Cloud best practices and security, compliance, and identity design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Describe the concepts of security, compliance, and identity

  • ⚠ Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠ Forgetting that cloud resources must be explicitly secured; defaults are rarely secure.
  • ⚠ Choosing a global service fix when the issue is region-specific.
  • ⚠ Overlooking cost implications of cross-region data transfer in architecture questions.

SC-900 Describe the concepts of security, compliance, and identity — Practice Questions

30 questions from this objective

Question 2 · easy · multiple choice

A security analyst is explaining the core principles of information security to a new team member. Which principle ensures that data is not modified by unauthorized parties?

Question 3 · medium · multiple choice

A company is moving its on-premises database to Azure SQL Database. According to the shared responsibility model, which security tasks remain the responsibility of the customer?

Question 4 · easy · multiple choice

A security architect is adopting a new security model that assumes breach and verifies every access request. The model eliminates implicit trust and requires continuous validation. Which security model is being implemented?

Question 5 · medium · multiple choice

A company is migrating its on-premises workloads to Azure. The CISO wants to understand the division of security responsibilities between Microsoft and the customer across cloud service models. For which cloud service model does the customer have the most security responsibility?

Question 6 · hard · multi select

A security architect is designing a new security posture based on the Zero Trust model. The architect wants to ensure that every access request is fully authenticated, authorized, and encrypted before granting access, and that access is granted only to the minimum necessary resources. Which three principles of Zero Trust align with these requirements? (Choose three.)

Question 7 · easy · multiple choice

A company's security policy requires that customer data must only be accessible by authorized sales representatives. Which security principle does this requirement directly enforce?

Question 8 · hard · multiple choice

A company uses Microsoft Entra ID and has multiple departments with separate organizational units (OUs) in its on-premises Active Directory. The help desk team needs to be able to reset passwords for users only in the Finance department. What feature should be used to delegate this administrative scope?

Question 9 · easy · multiple choice

A security administrator is explaining the concept of defense in depth to a new team member. Which statement best describes this approach?

Question 10 · medium · multi select

A user logs into a company's financial application using their Microsoft Entra ID credentials. After successful sign-in, the application displays a dashboard with data for only the regions the user is authorized to manage. Which two security concepts are demonstrated in this scenario? (Select all that apply.)

Question 11 · hard · multiple choice

A security manager wants to ensure that an employee who sends an email cannot later deny having sent it. Which security concept and associated technology is best suited to achieve this?

Question 12 · easy · multiple choice

A company assigns permissions to users based strictly on their job title (e.g., Sales Manager can edit documents, Sales User can only read). Which identity and access management concept is being implemented?

Question 13 · easy · multiple choice

A company implements a security measure to ensure that only authorized employees can view sensitive customer records. Which principle of the CIA triad does this measure primarily protect?

Question 14 · easy · multiple choice

A company implements regular data backups and a disaster recovery plan to restore critical systems after an outage. Which security principle is primarily being addressed by these measures?

Question 15 · easy · multiple choice

A security administrator configures user accounts so that employees have only the permissions necessary to perform their job functions and no more. Which security concept is being applied?

Question 16 · easy · multiple choice

A company uses cryptographic hashes to verify that a downloaded software file has not been modified by an attacker during transmission. Which principle of the CIA triad is primarily being addressed?

Question 17 · easy · multiple choice

A healthcare organization stores patient records in an encrypted database. Access to the database is restricted to authorized medical staff only. Which security principle is primarily being addressed by these measures?

Question 18 · easy · multiple choice

A financial institution uses digital signatures to ensure that a transaction record has not been altered after it was processed. Which security principle is primarily addressed?

Question 19 · medium · multiple choice

A company requires all employees to provide a one-time passcode generated by an authenticator app in addition to their password when accessing the corporate VPN. This practice is an example of which security concept?

Question 20 · easy · multiple choice

A security architect is designing a system where user access rights are reviewed and certified on a regular basis by data owners. The goal is to ensure that users continue to have only the permissions necessary to perform their job functions and that no excessive permissions exist. Which security principle is primarily being implemented through these regular reviews?

Question 21 · easy · multiple choice

A company configures its access control system so that each user can only access the data and perform actions that are strictly necessary for their job role. This configuration is a direct implementation of which security principle?

Question 22 · hard · multiple choice

A company hosts a line-of-business application on an Azure virtual machine. The IT team is responsible for configuring the operating system, installing security updates, and managing the application code. An auditor asks who is responsible for the physical security of the data center where the virtual machine runs. According to the shared responsibility model for cloud services, who is responsible?

Question 23 · easy · multiple choice

A company regularly performs automated backups of its critical databases and has a disaster recovery plan to restore operations quickly after a system failure. Which security principle is primarily being addressed by these measures?

Question 24 · easy · multiple choice

A security architect is designing a defense strategy for the organization's network. The architect assumes that an attacker may already have breached the perimeter and is operating inside the network. Therefore, the design does not automatically trust any user or device, even if they are inside the corporate network, and requires continuous verification for every access request. Which security principle does this approach best represent?

Question 25 · easy · multiple choice

A company implements a security strategy that includes multiple layers of controls: a perimeter firewall, an intrusion detection system, endpoint antivirus software, and multi-factor authentication for user access. The goal is that if one layer fails, another layer is in place to prevent or mitigate an attack. Which security principle does this approach best represent?

Question 26 · easy · multiple choice

A security manager explains that the company's security strategy relies on multiple layers of controls, such as firewalls, antivirus software, and multi-factor authentication, so that if one layer fails, another can still prevent an attack. Which security principle does this strategy best represent?

Question 27 · hard · multiple choice

A company is deploying a web application on Azure App Service. The security officer states that according to the shared responsibility model, the customer is responsible for managing access to the application and securing the application code. Which of the following responsibilities does Microsoft retain for Azure App Service?

Question 28 · easy · multiple choice

A security architect is designing a defense strategy for a company's IT infrastructure. The strategy includes deploying a network firewall, using an intrusion detection system, installing antivirus software on all endpoints, and requiring multi-factor authentication for all user accounts. The architect explains that if the firewall fails, the IDS can detect an intrusion, and if the IDS misses something, the antivirus might catch it, and MFA can protect even if credentials are compromised. Which security principle best describes this layered approach?

Question 29 · medium · multiple choice

A company uses digital signatures to ensure that a sender cannot later deny having sent a message. Which security principle does this primarily address?

Question 30 · easy · multiple choice

An attacker gains access to a company's email system and reads confidential customer emails. Which security principle has been compromised?

Question 31 · easy · multiple choice

A company subscribes to Microsoft 365 E5, a Software-as-a-Service (SaaS) offering. The IT department is responsible for configuring user accounts and managing data in Exchange Online and SharePoint Online. According to the shared responsibility model, which security responsibility is retained by Microsoft for this SaaS deployment?

More Describe the concepts of security, compliance, and identity questions available in the full practice test.

All SC-900 Objectives

  • 1. Describe the concepts of security, compliance, and identity