Courseiva
Knowledge + Practice
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Security Program Management and Oversight

Security Program Management & Oversight covers the governance, risk management, compliance, and business continuity aspects of cybersecurity—how to plan, implement, and improve an organization's security program.

211 questions


Domain overview

About the Security Program Management and Oversight domain

Security Program Management & Oversight is the domain of the SY0-701 exam that covers how organizations build, maintain, and improve their security programs. Think of it as the 'management layer' of cybersecurity—not the technical tools like firewalls or antivirus, but the policies, procedures, governance, and risk management that ensure those tools are used effectively. In plain English, this domain teaches you how to run a security department like a business: setting goals, measuring performance, managing budgets, complying with laws, and continuously improving. It’s about the 'big picture' decisions that keep an organization safe from cyber threats.

Why is this important for real-world IT/security/cloud work? Because technical skills alone won't get you far. A security engineer who can configure a SIEM but doesn't understand incident response plans or compliance requirements (like GDPR or HIPAA) is a liability. In the real world, you’ll need to justify security spending to executives, write policies that balance security with usability, and ensure your cloud infrastructure meets regulatory standards. For example, if you work at a healthcare company, you must know how to implement a security program that protects patient data under HIPAA. This domain gives you the vocabulary and frameworks to communicate with managers, auditors, and legal teams.

On the SY0-701 exam, this domain (worth 20% of the score) tests your knowledge of: security governance principles (e.g., policies, standards, procedures), risk management processes (identifying, assessing, and mitigating risks), compliance with laws and regulations (e.g., GDPR, PCI DSS), business continuity and disaster recovery concepts, and security awareness training. You’ll also see questions on third-party risk management, data classification, and security metrics (KPIs). The exam won’t ask you to write a policy, but you must understand the purpose of each document and when to use it. For instance, you should know the difference between a policy (high-level intent) and a procedure (step-by-step instructions).

To approach studying this domain, start by memorizing the key documents and their hierarchy: policies → standards → procedures → guidelines. Then, focus on risk management: the steps of risk assessment (identification, analysis, evaluation, treatment) and common risk treatment options (avoid, transfer, mitigate, accept). Use real-world examples: imagine a company storing customer credit card data—what PCI DSS requirements apply? How would you create a business continuity plan for a ransomware attack? Practice with sample questions that ask you to identify the correct policy or control for a given scenario. Since this domain is conceptual, create flashcards for terms like 'due care' vs. 'due diligence,' 'RPO' vs. 'RTO,' and 'quantitative' vs. 'qualitative' risk assessment. Finally, connect the dots: security program management ties together all other domains—it’s the 'why' behind the technical controls you learn elsewhere.

Exam objectives

What Security Program Management and Oversight tests on SY0-701

  1. Security governance principles: policies, standards, procedures, and guidelines
  2. Risk management process: identification, assessment, analysis, and treatment of risks
  3. Compliance with laws and regulations: GDPR, HIPAA, PCI DSS, SOX, etc.
  4. Business continuity and disaster recovery: BCP, DRP, RTO, RPO, and testing
  5. Security awareness and training: phishing simulations, role-based training, and metrics
  6. Third-party risk management: vendor assessments, SLAs, and due diligence

Watch out — common Security Program Management and Oversight traps

  • Confusing policy vs. procedure: a policy is high-level intent, a procedure is step-by-step; the exam may ask which document defines 'acceptable use' (policy) vs. 'how to reset a password' (procedure)
  • Mixing up risk treatment options: avoid (eliminate the activity), transfer (buy insurance), mitigate (add controls), accept (acknowledge the risk); candidates often pick 'mitigate' when 'avoid' is correct for a high-risk scenario
  • Forgetting that compliance is not the same as security: a company can be compliant with a regulation but still have poor security; the exam may present a scenario where a compliant organization is breached and ask what's missing (e.g., risk assessment beyond compliance)
  • Misinterpreting RTO vs. RPO: RTO is the time to restore service, RPO is the acceptable data loss; the exam might describe a backup strategy and ask which metric it satisfies

Practice Security Program Management and Oversight questions

All SY0-701 Security Program Management and Oversight questions (211)

1

A company is evaluating a new cloud-based customer relationship management (CRM) provider. The provider’s documentation includes a SOC 2 Type II report, but the company’s compliance team specifically requires evidence that data in transit is encrypted using TLS 1.2 or higher, and data at rest is encrypted with AES-256. Which of the following actions best demonstrates that the company has performed proper due diligence in vendor risk management?

2

A security manager is evaluating the effectiveness of a new security awareness training program that all employees completed last quarter. The company has been conducting monthly phishing simulation campaigns for the past year. Which of the following metrics would provide the strongest evidence that the training is achieving its intended goal of changing employee behavior?

3

After completing a vulnerability scan, a security analyst discovers that a legacy customer-facing application running on an unsupported operating system contains a critical remote code execution vulnerability. The application is essential to daily operations and cannot be patched or upgraded in the near term. Management has approved the purchase of a hardware-based network firewall that will be placed in front of the application to restrict inbound traffic to only authorized source IP addresses and port numbers. Which risk management strategy does this action primarily represent?

4

A security manager is preparing a quarterly report for the board of directors on the effectiveness of the organization's security program. The manager has access to detailed technical data, including firewall log statistics, patch compliance percentages, and number of phishing simulation clicks. Which of the following would be the most appropriate way to present this information to the board?

5

A security manager is leading a risk assessment for the organization. The team identifies a legacy application that contains a known critical vulnerability. The vendor has discontinued support and no patch is available. The manager calculates that the annualized loss expectancy (ALE) for exploiting this vulnerability is $50,000. Implementing a third-party web application firewall (WAF) as a compensating control would cost $80,000 per year. The organization's leadership decides that accepting the risk is the most cost-effective approach. Which of the following documents should the security manager update to formally record this risk acceptance decision and obtain the necessary sign-off?

6

A security manager at a financial services company is proposing a new policy that would require annual background checks for all employees with access to sensitive customer payment data. The proposed policy, if implemented, would increase the organization's operational costs by approximately $200,000 per year. The manager needs to obtain formal approval to implement this policy. Which of the following groups is MOST likely to have the authority to approve this policy and allocate the necessary budget?

7

A security manager at a healthcare organization is reviewing the results of a third-party vendor risk assessment for a cloud-based email service that will store protected health information (PHI). The assessment reveals that the vendor encrypts data at rest using AES-256 but does not support customer-managed encryption keys. The vendor's data center is located in a country that is not subject to HIPAA jurisdiction. The vendor's previous penetration test report is over 18 months old. Which of the following is the most appropriate risk management action for the security manager to take?

8

A security manager at a hospital is reviewing the annual vendor risk assessment for a cloud-based electronic health record (EHR) provider. The provider's SOC 2 Type II report, issued six months ago, identifies a significant deficiency in logical access controls: the provider failed to revoke access for former employees in a timely manner. The provider's management has asserted that this deficiency has been fully remediated, but the next SOC 2 audit is not scheduled for another eight months. The hospital's data protection policy requires that any vendor handling protected health information (PHI) must have a current SOC 2 Type II report with no unresolved significant deficiencies. Which of the following is the most appropriate next step for the security manager?

9

A security manager at a financial services company is evaluating the effectiveness of a newly deployed security awareness training program. The program included modules on recognizing phishing emails, password security, and tailgating. One month after the training, the manager wants to assess whether employees are applying the learned behaviors to reduce the risk of phishing attacks. Which of the following metrics would provide the most valid indication of the training's behavioral impact?

10

A security manager at a healthcare organization is responsible for maintaining the information security policy. A project manager requests a policy exception to use a cloud-based analytics platform that stores patient data. The platform currently encrypts data at rest with AES-128 instead of the required AES-256. The security manager assesses the risk and determines that the likelihood of data exposure is low due to other compensating controls already in place, but the impact would be high. The residual risk is within the organization's risk appetite. Which of the following is the most appropriate action for the security manager to take?

11

An IT manager wants a document that defines the mandatory minimum requirements for all company laptops, including full-disk encryption, password length, and screen-lock timing. The help desk also needs a separate document that shows exactly how to enroll a laptop in management software. Which document type should contain the mandatory laptop requirements?

12

During onboarding, a manager wants a document that explains how to request access to a shared drive, who approves it, and what the help desk must do after approval. Which document type is MOST appropriate?

13

A manager asks how the security team decides which issue should be fixed first. Which two factors are MOST important to evaluate for each risk?

14

Match each awareness-program metric to the interpretation the security team should use. 1. 8% of users clicked the simulated phishing link. 2. 34% of users reported the simulation using the report-phish button. 3. The median time from message delivery to first user report was 12 minutes. 4. 96% of staff completed the annual awareness module.

15

Based on the exhibit, which risk should be prioritized first under the company's likelihood-impact scoring model?

16

Based on the exhibit, which document type should the organization update if it wants the listed endpoint settings to be mandatory baseline requirements?

17

A security manager wants evidence that annual security awareness training was completed by employees. Which artifact is the best proof?

18

Match each audit request to the best evidence artifact. 1. Auditors want proof that managers reviewed privileged access last quarter. 2. Auditors want evidence that an emergency firewall change was approved before implementation. 3. Auditors want to verify that annual security training was completed by staff. 4. Auditors want to confirm that records were deleted after the retention period expired.

19

A marketing analyst asks for a spreadsheet containing customer names, email addresses, purchase history, and government ID numbers so the team can build a campaign list. What is the BEST security response?

20

A department identifies a low-likelihood software risk that would be expensive to fix right now. Leadership decides the business can live with the exposure for now, but wants it documented and reviewed later. What risk treatment is this?

21

A supplier tells your company it wants to use a new subcontractor to process customer data. What is the BEST contract control to reduce this risk?

22

After three months of phishing awareness training, the security team wants a metric that best shows whether employees are becoming harder to trick. Which metric is MOST useful?

23

An external auditor asks for proof that firewall rule changes were reviewed and approved before being implemented during the last quarter. Which evidence is MOST appropriate to provide?

24

A company is evaluating a new payroll SaaS provider that will store employee tax and bank details. Before signing the contract, which action BEST supports vendor due diligence?

25

Match each vendor-risk concern to the contractual control that best addresses it. 1. The company wants the right to review the vendor's controls and supporting records after the contract is signed. 2. The company wants to know when the vendor will use subcontractors that may touch its data. 3. The company wants written notice within 24 hours if the vendor suffers an incident affecting company data. 4. The company wants assurance that the vendor's controls are independently assessed each year.

26

Match each procurement need to the vendor due diligence artifact or control that best fits. 1. Procurement wants independent evidence that a SaaS provider's controls operated effectively during the last year. 2. The team wants to know what files, libraries, and modules were included in a supplier's software build. 3. The business needs a signed agreement that defines how customer data is handled and what the vendor must do if an incident occurs. 4. The procurement team wants answers about MFA, logging, and incident response before onboarding a cloud supplier.

27

A data analyst needs a copy of a customer file for product testing. The file includes names, email addresses, purchase history, and government ID numbers, but the test team only needs the names and purchase history. What is the BEST handling action?

28

Based on the exhibit, which document type should define the exact encryption algorithm and minimum key length for all company laptops?

29

A project team identifies a new risk with a high likelihood of minor data exposure during a pilot rollout. The impact is low, but the issue would become harder to address after production launch. The business owner wants the project to proceed. What should the risk owner do NEXT?

30

Match each governance need to the document type that best fits. 1. All employees must follow rules for acceptable use of company systems. 2. Every company laptop must use full-disk encryption and a 14-character screen-lock PIN. 3. The service desk follows these exact steps to verify a caller before resetting MFA. 4. Admins are encouraged to place non-production test data in approved folders when practical.

31

A business unit wants to keep using a customer portal even though a low-likelihood, high-impact dependency risk was identified. Leadership does not want to stop the service, but it does want to lower exposure and formally document the remaining risk. Which two actions best fit that approach? Select two.

32

After implementing MFA and stronger monitoring, a department still has a small chance of account misuse that could affect a low-value internal tool. The business owner reviews the remaining exposure and agrees it is within tolerance. What should happen next?

33

A desktop engineering team needs the document that sets the mandatory minimum password length and screen-lock timeout for all company laptops. Which document type should they use?

34

After several password-reset incidents, the security team wants one document that sets mandatory minimum controls for privileged accounts and another that tells the help desk the exact steps to verify identity and reset access. Which two document types should they use? Select two.

35

A software supplier used by your company is adding a new library to its product and says the change is "internal only." Your security team wants better visibility into future component risks before the next renewal. What requirement would BEST support supply chain due diligence?

36

HR needs to share a copy of employee records with a benefits contractor for testing. The contractor only needs names and coverage selections, not Social Security numbers or bank details. Which two actions best satisfy data handling requirements? Select two.

37

HR needs to send a benefits contractor a file for testing, but the contractor only needs employee names and plan selections. What is the best action before sharing the file?

38

A company is considering a new SaaS vendor that will process customer records. What is the best first action before signing the contract?

39

The legal team wants to confirm that customer records are being deleted on schedule after the retention period expires. Which two artifacts best demonstrate compliance? Select two.

40

A finance application has a known vulnerability in a third-party reporting component. The vendor says a patch will not be available for six months, but the business cannot stop using the application. What is the BEST risk treatment for the organization to pursue next?

41

The service desk needs a document that tells analysts exactly how to verify a caller and reset a password for a locked account. Which document type should they use?

42

Based on the exhibit, what is the best next step before onboarding the vendor?

43

Match each requirement or instruction to the correct governance document type. Use each document type once.

44

The help desk needs a document that tells analysts exactly how to verify a caller, reset a password, and record the ticket when a user is locked out. What type of document is this?

45

Match each procurement or oversight need to the best vendor due diligence artifact or clause. Use each item once.

46

Based on the exhibit, which artifact is the strongest evidence that the firewall change was reviewed and approved before implementation?

47

Match each risk-register description to the correct risk term. Use each term once.

48

Match each business scenario to the most appropriate risk treatment. 1. A legacy reporting server is expensive to replace, and leadership is willing to monitor the low expected loss for now. 2. A public web portal is being hit by credential stuffing, so the team adds MFA and rate limiting. 3. The organization wants protection from a costly third-party outage by purchasing cyber insurance. 4. A proposed project would collect regulated data that the business has decided not to process at all.

49

Match each data example to the most appropriate classification label. 1. A public marketing flyer approved for external posting. 2. An internal org chart and office directory meant only for employees. 3. A customer case file with contact details and order history. 4. A vault export containing API keys and encryption secrets.

50

Based on the exhibit, what should the security team add before approving the vendor's requested change?

51

Based on the exhibit, which risk treatment should the security manager recommend first?

52

Based on the exhibit, what is the best data-handling action before sharing the file with the third party?

53

Based on the exhibit, which missing control best improves oversight of the supplier?

54

Based on the exhibit, which metric best shows that employees are recognizing and escalating phishing attempts more quickly?

55

Based on the exhibit, which metric best indicates improved phishing resistance?

56

A payroll SaaS provider has passed initial review, but before contract signing it announces that customer data will be processed by a new subcontractor in another country. The business wants to keep the onboarding timeline short, but security still needs assurance that the change does not increase exposure. What is the BEST next step?

57

An external auditor asks for proof that quarterly privileged access reviews were completed and that any exceptions were tracked to closure during the last year. Which evidence is MOST appropriate to provide?

58

Based on the exhibit, what is the best risk treatment recommendation for the security manager?

59

A company wants to state that customer data must not be emailed externally unless a manager approves the exception. Which document type should contain this rule?

60

Based on the exhibit, which document type should the service desk use for the locked-account workflow?

61

A business-critical internal reporting portal is exposed to all employees. A scan finds a high-severity vulnerability, but the vendor says a fix will not be available for 30 days. The application is only used by finance once a month, and the business can tolerate a brief outage if needed. Which risk treatment is the BEST immediate action?

62

After a phishing-awareness campaign, which metric best shows that employees are becoming more resistant to phishing attempts?

63

A business wants to keep operating even if a supplier-related loss occurs, so it purchases cyber insurance to offset possible costs. Which risk treatment is being used?

64

A software supplier used by your organization begins subcontracting a critical part of its service to an unknown hosting company. Which contractual control would BEST help manage this supply chain risk?

65

Match each awareness-program metric or pattern to the best interpretation. Use each interpretation once.

66

Match each business situation to the best risk treatment. Use each treatment once.

67

An external auditor asks for proof that emergency firewall changes were reviewed and approved before implementation last quarter. Which two artifacts are the best evidence? Select two.

68

A small internal reporting server has a low-severity vulnerability. Fixing it now would require several hours of downtime, while the business impact of exploitation is considered low. What is the BEST risk treatment for this situation?

69

A software supplier is adding a new subcontractor to process your company's customer data. The security team wants to understand the new exposure before allowing the change. Which three items should it request or review first? Select three.

70

A desktop engineering team asks for the document that specifies the exact minimum encryption setting, screen-lock timer, and password length for company laptops. Which type of document should they follow?

71

Based on the exhibit, which item is the strongest evidence that quarterly privileged access reviews occurred?

72

After a phishing simulation, many users still almost submitted credentials to a fake Microsoft login page. Security wants to reduce repeat mistakes quickly without interrupting daily work. Which approach is best?

73

An HR analyst must share a spreadsheet with an external auditor. The spreadsheet includes employee names, Social Security numbers, bank account numbers, and salary data, but the auditor only needs employee names and total payroll. Which three actions best protect the data? Select three.

74

Paper onboarding forms have reached the end of their retention period, and no legal hold applies. What should happen next?

75

A manager asks how to decide whether a new security issue is worth spending money on. Which two factors should be reviewed first? Select two.

76

A small company has two security issues and can fix only one this week. Which should be prioritized first? One issue is an internal lab server with a medium-severity flaw. The other is an internet-facing login portal using default administrator credentials.

77

Which document should define mandatory settings such as full-disk encryption, a 10-minute screen-lock timeout, and removal of local administrator rights on company laptops?

78

Several employees nearly entered credentials into a fake mailbox login page. The security team wants to reduce repeat mistakes quickly without overwhelming the whole company. What is the best communication approach?

79

After a phishing simulation, many users still nearly entered credentials. Leadership wants to reduce repeat mistakes without causing long training sessions. Which two actions are the best balance of security and usability? Select two.

80

An HR analyst needs to send a payroll reconciliation file to an external auditor. The file contains employee names, SSNs, bank account numbers, and salary details, but the auditor only needs employee IDs, payment totals, and a control total. What should the analyst do first?

81

An HR analyst must send a compensation spreadsheet to an external auditor. The auditor only needs employee names, departments, and salary totals; Social Security numbers and bank account fields are not required. What should the analyst do before sharing the file?

82

A vendor-supported legacy application can run only with a deprecated browser plug-in on two engineering workstations for 30 days while a replacement is tested. Management wants to allow the exception without weakening the security program. What is the best action?

83

After several near-miss phishing attempts, leadership wants to reduce mistakes quickly without disrupting daily work. Which three measures are the best balance of security and usability? Select three.

84

A records clerk finds paper forms containing customer identifiers. The retention period has expired, and no legal hold applies. Which two actions are appropriate next? Select two.

85

An engineering team requests a 30-day exception to use an unsupported browser plug-in on two workstations so a customer deliverable can be finished. Security agrees the business need is legitimate, but wants to reduce exposure. What must be included before the exception is approved?

86

The exhibit shows a weekly risk register for a small enterprise. Which three findings should be remediated first based on likelihood of exploitation and business impact? Select three.

87

An HR spreadsheet contains employee names, Social Security numbers, and bank account numbers. Which label is most appropriate under a Public, Internal, Confidential, and Restricted scheme?

88

A help desk team is writing a procedure for resetting MFA after a user loses a phone. Which two details belong in the procedure rather than in the policy? Select two.

89

A vulnerability scan identifies four issues across a small company. Which item should the operations team remediate first?

90

A business unit asks for a 30-day exception to use an unsupported browser plug-in on two engineering workstations while a replacement is tested. Which three conditions should be required before approval? Select three.

91

An accounts payable specialist receives an email inside an existing vendor thread that asks for a last-minute bank-account change before a payment run. The wording is professional, the signature matches, and the request is urgent. Which three actions should the specialist take? Select three.

92

After a phishing simulation, many employees still almost entered credentials into a fake login page. Leadership wants the fastest improvement without creating training fatigue or disrupting daily work. Which three measures are the best balance of security and usability? Select three.

93

A company can patch only one of two internet-facing systems this week. System 1 has a critical vulnerability but is reachable only through the corporate VPN during maintenance windows. System 2 has a medium vulnerability and supports the public payment site, which shows active attack traffic every day. Which system should be prioritized first?

94

An engineering tool runs on an unsupported operating system, but the tool is used only occasionally and can be replaced by a supported cloud service with little workflow impact. Which risk treatment is best?

95

A customer portal team must keep an unsupported Linux appliance online for 60 days while a replacement is built. The appliance processes payment tokens and cannot be patched until the vendor certifies the new image. Which two actions best reduce the residual risk during the 60-day window? Select two.

96

A records manager discovers 18-month-old paper onboarding forms stored in a cabinet. The retention schedule says the forms must be destroyed after 12 months unless legal hold applies, and no hold has been issued. What is the best next step?

97

A security manager wants one document that states employees must protect company laptops and another that defines exact required settings such as disk encryption and a 10-minute screen lock. Which two document types are the best fit? Select two.

98

A developer requests a 45-day exception to use an unsupported browser plug-in on two engineering workstations so a legacy design tool can finish a customer deliverable. Which three conditions should be required before approving the exception? Select three.

99

A project team must share a spreadsheet containing customer names, account numbers, and purchase history with an external auditor. The auditor only needs account numbers and totals. What is the best privacy control?

100

An HR analyst must send a salary file to an external auditor. The auditor only needs names, departments, and salary totals, not Social Security numbers or bank account details. Which two actions should the analyst take first? Select two.

101

A project team needs to use an unapproved file-sharing application for two weeks because the approved platform cannot support an external client collaboration feature. What is the best security action?

102

A legacy payroll server contains a critical vulnerability. The vendor says a patch is 45 days away, and the system must remain available for payroll processing. Which risk treatment is the best short-term choice?

103

A business owner asks whether to proceed with a medium-risk issue on an internal reporting system. The vulnerability is unlikely to be exploited because the system is reachable only from a segmented admin network, and no sensitive data is stored there. The owner wants to postpone remediation until the next planned upgrade window. Which risk treatment is being chosen?

104

A weekly risk review lists several findings. Which two should be addressed first based on likelihood of exploitation and business impact? Select two.

105

A security manager is writing baseline requirements for all corporate laptops. Which three statements belong in the standard rather than in a policy or guideline? Select three.

106

A hospital's claims portal has two open risks. Risk A is an internet-facing login page with a low-severity software flaw, but monitoring shows a steady increase in automated login attempts. Risk B is an internal file share with a medium-severity patch gap, but only a small admin group can access it and no exploitation is observed. Leadership can fund only one remediation this month. Which risk should be prioritized first?

107

A file contains employee Social Security numbers and bank account details. The company uses the labels Public, Internal, Confidential, and Restricted. Which label is most appropriate?

108

A small company can only remediate two findings this week. Which two should be fixed first based on risk to the business? Select two.

109

A records manager confirms that paper onboarding forms containing government IDs are past retention, no legal hold exists, and the files are no longer needed. Which three actions should happen next? Select three.

110

A manufacturing company must keep a legacy scheduling application running for 60 days while replacement testing finishes. The application supports production orders, and the business cannot tolerate a shutdown. Which three conditions should be required before approving the temporary exception? Select three.

111

A development manager wants to copy a production customer database into a test environment so testers can reproduce a bug. The database contains names, addresses, and payment tokens. What is the best security practice before the copy is made?

112

A cloud-hosted invoicing app has a critical vulnerability, but the vendor says a patch will not be available for six weeks. The team adds a web application firewall rule, restricts access to the app subnet, and increases monitoring until the patch arrives. What is this best described as?

113

An employee receives an email that appears to be from the CEO and asks for gift cards before a meeting. What should the employee do first?

114

A company wants every corporate laptop to use the same required screen-lock timeout, disk encryption setting, and local administrator restriction. Which document should define these mandatory settings?

115

A vendor-supported application cannot be patched for 30 days, but the business must keep it online. What is the best short-term risk treatment?

116

After a phishing simulation, many users still nearly entered credentials on the fake page. Security wants the fastest improvement without scheduling long training sessions. What is the best response?

117

A security manager wants every corporate laptop to use the same mandatory settings, including disk encryption, a 10-minute screen lock, and removal of local administrator rights. Which document should define these specific requirements?

118

An employee receives a text message claiming their email password expired and asks them to tap a link and confirm a one-time code. Which two responses are appropriate? Select two.

119

A company has two security issues to address this week. One is a public-facing login portal that uses default administrator credentials. The other is an internal lab system used only by one tester. Which issue should be prioritized first?

120

A security team wants to reduce repeated user mistakes after a phishing campaign without overwhelming employees with long training sessions. Which approach is best?

121

A department finished using paper forms that contain customer information, and the retention period has expired. What is the best next step?

122

A vendor says a patch for a critical flaw in a public-facing application will not be available for 30 days, but the service must stay online. What is the best short-term risk treatment?

123

A records manager finds paper onboarding forms and scanned copies that contain government ID numbers. The retention period has expired, no legal hold exists, and the forms are no longer needed. Which three actions should occur before disposal? Select three.

124

A help desk technician receives a call from someone claiming to be a contractor whose MFA device was lost during travel. The caller knows the company org chart and asks for a new device enrollment. Which three responses are appropriate? Select three.

125

An employee receives an email that says, 'This is the CEO. Buy gift cards now and reply with the codes before the meeting starts.' What should the employee do?

126

HR stores scanned government IDs collected during onboarding. The retention policy says the files may be kept for 90 days after employment verification, then destroyed. What should security require?

127

Match each excerpt from a small enterprise security program to the correct governance artifact.

128

A manufacturer identifies a rare but very costly ransomware risk. Executives decide not to eliminate the activity, but to purchase cyber insurance and formally acknowledge the remaining exposure. Which risk treatment is being used?

129

A Linux operations team is building a new production gold image for database servers. Security requires every build to disable password-based SSH, enable audit logging, use the company NTP servers, and remove the desktop package set. The admins need a document that defines these exact required settings and allows exceptions only through formal approval. Which artifact should be used?

130

A business unit is worried about the financial impact of a rare but severe data center outage. After reviewing the risk register, leadership decides to purchase cyber insurance and document the remaining exposure rather than redesign the entire platform. Which risk treatment is this?

131

Leadership is deciding between two security controls for a customer portal outage risk. Finance wants to compare the options in dollars, using expected loss, not just a high/medium/low rating. Which approach should the analyst use?

132

A support team wants to export customer tickets into a test analytics environment so developers can search real examples while minimizing privacy exposure. The exported data includes names, email addresses, and account IDs that are not needed for the test. What is the best first step?

133

A business owner asks the security team to compare the cost of two controls for a legacy application in dollar terms. The team estimates the annual chance of a breach, the potential loss per event, and the expected yearly loss after each control is applied. Which risk analysis approach is being used?

134

A help desk manager wants sample customer tickets copied into a test environment so developers can reproduce support issues. The tickets include names, phone numbers, and account details. Which action best reduces privacy exposure while still supporting testing?

135

Based on the exhibit, which governance artifact is the security team reviewing?

136

A procurement team is evaluating a payroll SaaS vendor. They want independent evidence that the vendor's controls were designed and operating effectively over the last six months, not just at a single point in time. Which report should they request?

137

Based on the exhibit, which system should be restored first after a total site outage?

138

Leadership wants to compare two controls for protecting a customer portal. Option A costs $40,000 and reduces annual loss expectancy from $120,000 to $30,000. Option B costs $15,000 and reduces annual loss expectancy to $70,000. Which analysis method best supports this decision?

139

A developer finds a critical bug in a customer portal on Friday afternoon. The fix must be released quickly, but the team needs a way to reverse the change if testing reveals a problem and wants the release to follow the normal approval process. Which two practices should be used? Select two.

140

Based on the exhibit, what should management implement next?

141

An HR manager wants to share employee data with a benefits analytics vendor. The dataset includes names, employee IDs, home addresses, and medical leave codes. Security wants to reduce privacy exposure while still allowing the vendor to complete the analysis. What is the best first step?

142

A network engineer needs to change an ACL on a production firewall so a new SaaS integration works. The business cannot tolerate an extended outage, and the change must be reversible if testing fails. Which practice best fits?

143

Before approving a new payroll SaaS provider, the security team wants independent evidence that the vendor's controls operated effectively during the last year and wants the contract to clearly define security responsibilities. Which two items should they request or review? Select two.

144

A help desk team needs sample customer tickets in a lower environment for testing. The records contain names, phone numbers, and case details. Which approach best reduces privacy risk while still allowing useful testing?

145

A developer finds a production bug on Friday afternoon. The fix has already passed staging, but the business wants the release to be reversible if the hotfix causes trouble. Which change-management practice best satisfies both speed and control?

146

During business impact analysis interviews, the team needs two inputs that help determine which business services must recover first after an outage. Which two inputs are the most useful? Select two.

147

Procurement is reviewing a new payroll SaaS provider. The business wants independent evidence that the vendor's controls were designed and operating effectively over the last six months. Which document should the security team request?

148

A records manager is preparing to delete old HR emails next week under the retention schedule. Legal notifies the team that those messages may be needed for an active investigation. What should the records manager do first?

149

A business unit keeps a low-priority legacy tool but adds extra monitoring and patching. The company also buys cyber insurance to reduce the financial effect of a loss. Which two risk treatment strategies are being used? Select two.

150

After several employees clicked on a realistic phishing email, management wants a control that both improves user behavior and gives the security team a way to measure improvement over time. Which approach is best?

151

A development team needs to release a security fix to a customer portal, but the change must not introduce a new outage or bypass review controls. Which practice best supports a secure and repeatable release?

152

A records manager learns that emails related to a harassment investigation are scheduled for deletion next week under the retention policy. Legal issues a hold because the case may go to court. What should the records manager do?

153

Based on the exhibit, what should the security team recommend before sharing the report?

154

After several employees clicked on phishing emails, management wants to reduce future click rates and show measurable improvement across finance, HR, and executive assistants. Which control best meets that goal?

155

The SOC is writing step-by-step instructions for responding to a suspected malware infection on a laptop. The document should tell analysts exactly what to do first, second, and third during triage and containment. Which governance artifact should they create?

156

Based on the exhibit, which control option provides the greatest net annual financial benefit for the organization?

157

A development team needs to release an urgent fix for a customer portal on Friday evening. The business wants the change to be reversible if something breaks, and security does not want the team to skip release controls. Which requirement should be part of the change process?

158

Several employees reported a text message that looked like it came from the VPN support team and linked to a fake sign-in page. Management wants to reduce future success of these attacks and improve how quickly users report suspicious messages. What should the security team implement?

159

Based on the exhibit, what is the best next step before the hotfix is released?

160

After a phishing campaign, several employees entered credentials on a fake login page. Management wants a control that both improves user behavior and gives the security team a way to measure whether click rates are going down. Which two actions best meet that goal? Select two.

161

The CIO wants to compare two mitigation options for a payment system outage and justify the budget request in dollars. The team already knows the likely downtime window, annual incident frequency, and estimated revenue loss per hour. Which approach would best support the decision?

162

Based on the exhibit, what should the records manager do next?

163

A security manager issues a mandatory document that requires all corporate laptops to use full-disk encryption, automatic screen lock after 10 minutes, and approved endpoint protection software. The document will be checked during compliance reviews. Which governance artifact is this?

164

Based on the exhibit, which governance artifact is being described?

165

A security manager is creating a document that requires every corporate laptop to use full-disk encryption, automatic screen locking after 10 minutes, and approved antivirus software. Which two governance artifacts best fit those requirements? Select two.

166

A company is signing a contract with a SaaS expense platform. Security wants the vendor to notify the company within 24 hours of a confirmed incident, maintain customer data segregation, and allow the company to verify security commitments if required. Which control should be added to the agreement?

167

After a phishing campaign, 18 employees entered credentials on a fake login page. Management wants a program that both reduces future click rates and provides measurable improvement over time. What should security implement?

168

A records manager finds a folder of payroll reports on a shared drive. The business says the reports are no longer active, but legal retention rules require keeping them for another two years. What is the best action?

169

A security manager is creating a company-wide requirement that all Windows laptops must have full-disk encryption, screen lock after 10 minutes, and approved antivirus enabled. Administrators can choose the exact implementation details, but the minimum settings must be mandatory across the fleet. Which governance artifact should the manager update?

170

Based on the exhibit, what is the best next request before approving the vendor?

171

A project lead needs to send a spreadsheet labeled confidential to an external auditor. The file contains employee names, salaries, and performance notes. Which handling step best protects the data while still supporting the business need?

172

Based on the exhibit, what is the best handling decision for the requested file?

173

Based on the exhibit, which action should the security team prioritize next?

174

A security team is defining the minimum approved configuration for all new Linux web servers. The document must require specific logging settings, approved packages, and disabled services, and administrators must check servers against it during audits. Which governance artifact best fits this need?

175

An organization is evaluating a payroll SaaS provider after the procurement team asks for evidence that the vendor's security controls were designed and operating effectively during the past year. Which document should the security team review first?

176

A manager needs to send a spreadsheet containing employee names, salaries, and performance notes to an external auditor. Which two actions best support proper data handling? Select two.

177

A security manager publishes a document that tells help desk staff exactly how to verify identity, reset an admin password, record the ticket number, and close out the request during a maintenance window. What type of governance artifact is this?

178

A records manager is told that some HR emails may be needed for an active investigation, while unrelated messages are still due for deletion under the retention schedule. Which two actions should the manager take? Select two.

179

A project team needs to use a temporary file-sharing service for two weeks because the approved platform is under maintenance. The security manager wants the exception to be reviewed, time-limited, and documented with the business reason. Which governance document should be created?

180

Based on the exhibit, which awareness action should the security manager prioritize next?

181

Based on the exhibit, what should the security team recommend for the finance workstation pilot?

182

An employee notices that a contractor left a printed report containing customer data on a conference room table. What should the employee do first?

183

Based on the exhibit, what is the best governance action before the sales team uses the legacy portal without MFA?

184

Based on the exhibit, what is the best next step before the marketing SaaS platform goes live?

185

Based on the exhibit, which contract change would most directly reduce the organization's third-party response risk?

186

A policy states that sensitive data must be encrypted, but it does not say which encryption strength to use. The security architect wants a document that lists the exact approved encryption settings for systems to follow. What document is needed?

187

Based on the exhibit, what is the best response to the facilities manager's request?

188

A coworker asks for a spreadsheet containing employee home addresses and personal phone numbers so they can build a team contact list. What is the best response?

189

Based on the exhibit, which document should be updated first to reflect the new ticketing platform while keeping approval requirements unchanged?

190

A security team wants every company laptop to have the same screen-lock timeout, disk encryption setting, and local firewall configuration. Which type of document should define these mandatory settings?

191

After reviewing a risk memo, the operations director signs off on continuing to use an older application because the cost of replacement is too high right now. Which risk management action did the director take?

192

A department wants to keep using a cloud printing service even though the vendor has not yet completed the company's security questionnaire. The business owner agrees to add extra log monitoring until the review is finished. What is the best term for the added monitoring?

193

A help desk technician receives a ticket asking for a password reset on a manager's account. The requester says the manager is traveling and cannot be reached. What is the best action before making any change?

194

The executive team wants to know which payment services are most critical and how long each can be offline before the business is seriously harmed. Which activity should security support?

195

An operations manager states that the customer portal may be unavailable for no more than 15 minutes in a month before the issue must be escalated to executives. Which risk management concept does this statement describe?

196

An auditor asks for evidence that the new workstation hardening baseline is actually applied across all finance laptops. Which evidence is the best to provide?

197

A legacy production scanner cannot support MFA, but it must remain available for six months until replacement hardware arrives. What is the best security response?

198

After several rounds of phishing simulations, management wants a metric that best shows employees are improving at recognizing suspicious messages. Which metric should security track?

199

Based on the exhibit, what is the best risk response for the security team to recommend before the customer portal goes live?

200

During a tabletop exercise, the team realizes no one has a list of who to notify if the online ordering system goes down. Which continuity planning element is missing?

201

A development team wants to skip testing and deploy a major application change directly to production to meet a release date. What should the security team require?

202

Based on the exhibit, what should the organization do before approving this SaaS vendor to process employee HR records?

203

Before contracting with a cloud-based payroll provider, the security team requests a security questionnaire, proof of controls, and an independent audit report. What activity is this?

204

A security manager is designing a security program to align with business goals. Which three of the following are essential components of a security program that directly support governance and oversight? (Choose three.)

205

An organization is implementing a third-party vendor risk management program. Which three of the following should be included as key activities to maintain oversight of vendor security? (Choose three.)

206

A security analyst is reviewing the organization’s security awareness program. Which three of the following are key metrics that demonstrate the effectiveness of the program? (Choose three.)

207

An organization is developing a business continuity and disaster recovery (BC/DR) plan. Which three of the following are essential elements that should be included to ensure proper management and oversight? (Choose three.)

208

Which four of the following are key components of a successful security awareness and training program within an organization? (Choose four.)

209

Which four of the following are essential elements of an effective business continuity plan (BCP) that a security manager should oversee? (Choose four.)

210

Drag and drop the steps to perform a factory reset on a managed switch into the correct order.

211

Drag and drop the steps to perform a password reset for a user in Active Directory into the correct order.


Frequently asked questions

What does the Security Program Management and Oversight domain cover on the SY0-701 exam?

Security Program Management & Oversight covers the governance, risk management, compliance, and business continuity aspects of cybersecurity—how to plan, implement, and improve an organization's security program.

How many Security Program Management and Oversight questions are in the SY0-701 question bank?

The Courseiva SY0-701 question bank contains 211 questions in the Security Program Management and Oversight domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Program Management and Oversight for SY0-701?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Program Management and Oversight questions for SY0-701?

Yes — the session launcher on this page draws questions exclusively from the Security Program Management and Oversight domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
