SY0-701 Security Program Management and Oversight • Complete Question Bank
Complete SY0-701 Security Program Management and Oversight question bank — scenario and matching questions with answers and detailed explanations.
Match each concept to its description:
Click rate
Report rate
Time to report
Training completion rate
Risk register:
- Scoring model: Likelihood and impact are each rated from 1 to 5; higher total score means higher priority
- R-101: Medium likelihood (3), High impact (4), current control: manual review
- R-102: High likelihood (5), Medium impact (3), current control: none
- R-103: Low likelihood (1), Critical impact (5), current control: compensating detective control
- R-104: High likelihood (4), High impact (4), current control: backup power only
- Business note: Only one risk can be funded this quarter.
Security document hierarchy:
- Corporate policy: "Endpoints must be protected against unauthorized access."
- Standard excerpt: "All managed laptops shall use full-disk encryption, auto-lock after 10 minutes of inactivity, and a 14-character password minimum."
- Procedure excerpt: "Step 1: Open Settings. Step 2: Enable BitLocker. Step 3: Confirm policy sync."
- Guideline excerpt: "Users should avoid storing sensitive files locally when possible."
Match each concept to its description:
Access review attestation report
Approved change ticket
LMS completion export
Retention deletion log
Match each concept to its description:
Right-to-audit clause
Subprocessor disclosure requirement
Breach-notification clause
SOC 2 Type II report
Match each concept to its description:
SOC 2 Type II report
Software bill of materials (SBOM)
Data processing agreement (DPA)
Security questionnaire
Endpoint governance draft
--------------------------------------------------
Policy: Company-owned laptops must use approved full-disk encryption.
Document B: [blank]
Procedure: Steps for enabling encryption in the MDM console.
Guideline: Recommended screen-lock timeout ranges by job role.
Match each concept to its description:
Policy
Standard
Procedure
Guideline
Vendor due diligence summary
--------------------------------------------------
Vendor: CloudInvoice
SOC 2 Type II report: 22 months old
Penetration test: completed, no high findings
Subprocessors: 4 listed, 2 operate in another country
Business continuity evidence: not provided
Contract draft: no breach-notification window, no audit-rights clause
Match each concept to its description:
Policy
Standard
Procedure
Guideline
Match each concept to its description:
SOC 2 Type II report
Data processing agreement (DPA)
Software bill of materials (SBOM)
Right-to-audit clause
Disaster recovery test report
Change control evidence:
- CHG-8842: "Allow vendor IP range for maintenance window"
- Requested: 2026-04-18 09:10
- Reviewed by CAB: Approved 2026-04-18 11:40
- Implemented: 2026-04-18 22:05
- Post-change validation: Firewall logs show only the approved destination was opened
- Separate email: "Looks fine to me" from engineer after implementation
Match each concept to its description:
Likelihood
Impact
Inherent risk
Residual risk
Risk appetite
Match each concept to its description:
Accept
Mitigate
Transfer
Avoid
Match each concept to its description:
Public
Internal
Confidential
Restricted
Supplier diligence summary:
- Vendor: Northstar Payroll Services
- SOC 2 Type II report received; one low-severity exception noted for delayed log review
- Subprocessor change notice: Vendor plans to move backup processing to SkyCove Hosting next month
- Contract terms: No clause requiring prior approval for new subprocessors
- Security team concern: Customer bank details will be included in the backup set
Risk register excerpt:
- Risk ID: R-22
- Asset: Internet-facing file transfer appliance
- Finding: Unsupported firmware; vendor end-of-support was announced 9 months ago
- Likelihood: High
- Impact: High
- Current control: Basic password policy only
- Estimated cost to replace: $9,500 one-time
- Estimated cost to add WAF rules: $2,000
- Business note: The system processes customer tax documents and cannot be left exposed for a full quarter.
Data extract request:
- Fields in spreadsheet: employee name, home address, email, bank routing number, bank account number, government ID number, benefits selections
- Requester: Third-party benefits administrator
- Business purpose: Test import mapping; only name, email, and benefits selections are required
- Policy note: Government IDs and bank data must not leave HR systems unless explicitly approved
Supplier security scorecard
--------------------------------------------------
Supplier: DeltaPrint Services
New subcontractor added last week: Yes
Data processing agreement: Signed
Breach-notification window: 30 days
Right-to-audit clause: Not included
Annual attestation: Self-certified by supplier only
Phishing simulation results:
- Quarter 1: 1,000 employees tested; 84 clicked; 219 reported within 15 minutes; median report time 8 minutes
- Quarter 2: 1,000 employees tested; 71 clicked; 401 reported within 15 minutes; median report time 3 minutes
- Repeat clickers: 11 in Quarter 1; 3 in Quarter 2
Awareness dashboard
--------------------------------------------------
Quarter 1 -> Quarter 2
Phish click rate: 14% -> 9%
Phish report rate: 21% -> 34%
Median time to report: 16 min -> 7 min
Training completion: 98% -> 99%
Risk register excerpt
--------------------------------------------------
Risk ID: R-19
Asset: Partner self-service portal on legacy VM
Likelihood: 4/5
Impact: 5/5
Current controls: firewall ACL, nightly backups
Business note: Portal must remain online for 90 more days until migration completes
Available budget: Compensating controls approved for this quarter
Service desk draft:
- Verify caller using employee ID and manager callback
- Reset password in the IAM portal
- Record ticket number and recovery method
- Ask user to confirm no sensitive applications are open
Management request: "Turn this draft into the document analysts must follow exactly when a user is locked out."
Match each concept to its description:
Improved phishing resistance
Better escalation culture
Faster detection and triage
Targeted refresher coaching needed
Match each concept to its description:
Accept risk
Mitigate risk
Transfer risk
Avoid risk
External audit request
--------------------------------------------------
Request: Provide proof of quarterly privileged access reviews for FY2025.
Evidence package received:
1. Signed access review spreadsheet with reviewer name, review date, and exceptions
2. SIEM export of administrator logins
3. Help desk ticket for a password reset
4. Screenshot of the access review policy
Finding 1: Customer portal admin access lacks MFA. Internet-facing, moderate exploitability, high business impact.
Finding 2: Internal training wiki uses default template permissions. Intranet only, low exploitability, low business impact.
Finding 3: Payroll file share inherits broad write permissions. Internal network, easy lateral movement, high business impact.
Finding 4: Conference-room printer uses the default admin password. Internal network, moderate exploitability, medium business impact.
Finding 5: Isolated lab VM runs an outdated package. No production connectivity, contained, low business impact.
1. All company laptops must use full-disk encryption, automatic screen locking after 10 minutes, and the approved EDR agent.
2. To replace a lost MFA token, the help desk must verify identity, disable the old token, and re-enroll the user before access is restored.
3. Users should avoid storing confidential files on removable media unless there is a documented business need.
4. The engineering team may use one unsupported browser plug-in on two workstations for 30 days while a redesign is completed.
5. Remote access is allowed only through the approved VPN with MFA.
Match each concept to its description:
Standard
Procedure
Guideline
Exception
Policy
Document title: Linux Server Baseline v3.2
Approval: Infrastructure Manager
Scope: All production Linux servers
Requirements:
- SSH enabled
- Telnet disabled
- Unused services removed
- Central logging enabled
Purpose: Define the minimum approved configuration for new builds and rebuilds.
Business impact analysis excerpt:
System A - Payroll
  Maximum tolerable downtime: 8 hours
  Recovery time objective: 4 hours
  Recovery point objective: 1 hour
  Impact note: regulatory penalties begin after one missed payroll cycle
System B - Customer portal
  Maximum tolerable downtime: 24 hours
  Recovery time objective: 8 hours
  Recovery point objective: 15 minutes
  Impact note: revenue loss approx. $240,000/day
System C - Email
  Maximum tolerable downtime: 72 hours
  Recovery time objective: 24 hours
  Recovery point objective: 8 hours
System D - Dev test lab
  Maximum tolerable downtime: 30 days
  Recovery time objective: 7 days
  Recovery point objective: 24 hours
Phishing simulation results for Q1:
Finance: 22% clicked
HR: 19% clicked
Executive assistants: 28% clicked
Users who reported the message using the reporting button: 41%
Management goal: Reduce click rates and increase reporting over the next quarter.
Data sharing request:
Recipient: Outside analytics vendor
Requested file: Monthly absenteeism report
Fields requested: employee name, home address, phone number, badge ID, medical leave code, department
Purpose stated by requester: Trend analysis for staffing patterns
Internal note: The vendor only needs department-level trends for the project.
Risk register excerpt for the public payment API
Current estimated annual loss expectancy without additional controls: $260,000
Option A: Tighten change approvals and require admin MFA
  Control cost: $40,000
  Residual annual loss expectancy: $160,000
Option B: Implement active-active failover between regions
  Control cost: $120,000
  Residual annual loss expectancy: $40,000
Option C: Purchase cyber insurance for the service
  Control cost: $25,000
  Residual annual loss expectancy: $220,000
Option D: Add manual fallback processing and user training
  Control cost: $10,000
  Residual annual loss expectancy: $210,000
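The payment-API excerpt above is a cost-benefit comparison: each option is judged by how much annual loss expectancy (ALE) it removes against what it costs. The script below is an added worked example, not part of the question bank, that computes net benefit (ALE reduction minus control cost) and return on security investment (net benefit per dollar spent) for the four options and ranks them both ways. The figures are copied from the excerpt; treating the control cost as an annual figure comparable to ALE is an assumption made for the calculation.

```python
"""Rank risk-treatment options by ALE reduction versus cost.

Added example for the payment-API risk register excerpt; the numbers
are taken from that excerpt. Assumption: control cost is an annual
figure, so it can be netted directly against annual loss expectancy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    name: str
    cost: float          # control cost per year (assumption, see docstring)
    residual_ale: float  # annual loss expectancy once the control is in place


# Constructed from the excerpt above.
CURRENT_ALE = 260_000
OPTIONS = [
    Option("A: tighten change approvals + admin MFA", 40_000, 160_000),
    Option("B: active-active regional failover", 120_000, 40_000),
    Option("C: cyber insurance", 25_000, 220_000),
    Option("D: manual fallback + user training", 10_000, 210_000),
]


def net_benefit(opt, current_ale=CURRENT_ALE):
    """ALE reduction minus control cost.

    A negative result means the control costs more than the loss it prevents,
    which is the usual signal that a different treatment (accept, transfer) is
    the better choice.
    """
    return (current_ale - opt.residual_ale) - opt.cost


def rosi(opt, current_ale=CURRENT_ALE):
    """Return on security investment: net benefit per dollar of control cost."""
    return net_benefit(opt, current_ale) / opt.cost


def rank(options=OPTIONS, current_ale=CURRENT_ALE, key="net"):
    """Option names best-first, by net benefit (default) or by ROSI.

    Options that do not lower ALE below the current value are dropped: they
    reduce no risk, so neither metric is meaningful for them.
    """
    metric = net_benefit if key == "net" else rosi
    viable = [o for o in options if o.residual_ale < current_ale]
    ordered = sorted(viable, key=lambda o: metric(o, current_ale), reverse=True)
    return [o.name for o in ordered]


if __name__ == "__main__":
    for o in OPTIONS:
        print(f"{o.name:42s} net={net_benefit(o):>9,.0f}  rosi={rosi(o):.2f}")
    print("By net benefit:", rank())
    print("By ROSI:       ", rank(key="rosi"))
```

Every option here has a positive net benefit, so all four pass the basic "reduction exceeds cost" test. Option B removes the most risk in absolute terms and leaves the lowest residual ALE, while Option D returns the most per dollar; which one is "correct" depends on whether the budget or the residual exposure is the binding constraint, and that is the distinction the scenario is testing.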
Emergency change request CHG-8841
Service: Customer portal login API
Reason: critical authentication bug causing lockouts
Pipeline status:
- Code review: pending
- Automated unit tests: skipped to save time
- Integration tests: failed once and were not rerun
- Rollback plan: not documented
- Approval: verbal yes from operations supervisor
- Deployment window: 21:30-22:00 tonight
Records schedule excerpt:
- Incident investigation emails: retain 2 years, then delete
- HR complaint records: retain 5 years, then delete
Legal notice received today: "Preserve all messages, chat transcripts, attachments, and ticket notes related to case HR-2024-118 until further notice. Do not delete, alter, or auto-archive any related records."
System status:
- Auto-deletion job for the affected mailbox will run tonight at 23:00
Document ID: BAS-014
Title: Windows 11 Laptop Minimum Configuration
Scope: All corporate laptops
Requirements: Full-disk encryption enabled; screen lock after 10 minutes; approved EDR installed; USB mass storage blocked; local administrator rights removed
Approval: Security manager and endpoint engineering lead
Review cycle: annually or after major OS changes
Vendor onboarding packet:
- SOC 2 Type I report: issued 14 months ago
- Penetration test summary: performed by the vendor's internal security team
- Shared responsibility matrix: included
- Contract: no breach notification SLA, no right-to-audit clause
Business requirement: "We need independent evidence that the vendor's controls were operating effectively during the last six months before procurement approval."
Data request:
File: customer_export.csv
Contents: full name, street address, SSN last 4, account balance, support notes
Requestor: external troubleshooting contractor
Policy excerpt:
- Internal: company staff only
- Confidential: encrypt in transit, approved recipients only
- Restricted: minimize, mask where possible, owner approval required, time-limited access, logged sharing
- Public: may be shared externally without restriction
Phishing simulation results by department
Finance: 31% clicked invoice lure, 9% reported it
HR: 28% clicked policy-update lure, 8% reported it
Executive Assistants: 39% clicked calendar-invite lure, 4% reported it
Help Desk: 12% clicked, 29% reported
Observation: Most missed messages closely match each team's daily workflow and terminology.
Phishing simulation results from the last 30 days:
- Executives: 24% clicked, 0% reported
- Customer Support: 19% clicked, 1% reported
- Finance: 11% clicked, 3% reported
- IT: 6% clicked, 8% reported
Program note:
- The organization wants to reduce user clicks and improve reporting of suspicious messages.
Procurement review notes:
- Vendor provides a desktop application for invoice reconciliation
- Installer is signed, but the vendor cannot provide a software bill of materials this quarter
- The application will run on 12 finance workstations only
- Access will be limited to read-only invoice data from a nonproduction export
- Proposed controls: application allowlisting, standard user accounts, and network segmentation
- Security concern: The business wants to approve the pilot immediately
Policy excerpt:
- All privileged remote access must use MFA.
Standard excerpt:
- Approved MFA methods are authenticator app or FIDO2 security key.
Procedure excerpt:
- Service desk validates identity, enrolls the device, and closes the ticket.
Exception request:
- The legacy partner portal supports only password authentication for 60 days until migration completes.
- The business owner asked for a quick email approval so the team can proceed today.
Risk register excerpt:
- Third-party service: CampaignInsight SaaS
- Data stored: Campaign names, business contact emails, and campaign performance metrics
- Known gaps: No customer-managed encryption keys, SOC report is current but lists two low-severity findings, and the vendor cannot support custom log export this quarter
- Compensating controls: SSO, SCIM deprovisioning, monthly access review, and export restrictions
- Business impact if delayed: Launch slips by 45 days and a contract penalty may apply
- Residual risk rating after controls: Medium
Vendor onboarding summary:
- Service: Cloud-based document translation platform
- Data handled: Internal policy drafts and limited employee contact details
- Existing contract terms: Standard uptime clause only
- Security concerns: Vendor does not currently promise breach notification timing, security contact escalation, or the right to review independent assurance reports
- Business note: The vendor is needed for a pilot with non-sensitive documents only
Corporate privacy notice excerpt:
- Employee home addresses, personal phone numbers, and emergency contacts are collected for payroll, benefits, tax reporting, and emergency notification only.
- Access is limited to HR and Payroll unless a privacy review approves another purpose.
Ticket:
- Facilities manager requests an export of all employee home addresses and personal phone numbers to mail holiday gifts and parking passes.
Current governance set:
- Policy: Security changes must be approved and recorded.
- Standard: All change requests must use the enterprise ITSM platform.
- Procedure: Step-by-step instructions show screenshots from the old ITSM tool.
- Guideline: Teams may add helpful notes, but the content is optional.
Change note:
- The company replaced the ITSM platform last week.
- Approval workflow, evidence requirements, and retention rules did not change.
Risk Register Excerpt
Asset: Customer portal API
Threat: Web application vulnerability in search endpoint
Inherent likelihood: High (4/5)
Inherent impact: High (5/5)
Current control: WAF rule added after recent scan
Business note: Patch is available and estimated at 3 developer days
Policy note: Internet-facing systems with a known critical vulnerability may not be accepted if a fix is available before release
Target go-live: 14 days
Residual risk owner: Application manager
Third-Party Security Review Summary
Vendor: BluePeak HR Cloud
Data type: Employee PII and payroll identifiers
Assessment results:
- SOC 2 Type II report: Not available
- Last independent penetration test: 18 months ago
- Breach notification clause: "As soon as practical"
- Data deletion after termination: 180 days
- Subprocessor list: Not maintained
- Admin MFA: Enabled
- Backup encryption: Not documented
Procurement note: Business unit wants to sign this week to meet HR onboarding deadlines.