© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
SY0-701 Security Program Management and Oversight • Complete Question Bank

SY0-701 Security Program Management and Oversight — All Questions With Answers

Complete SY0-701 Security Program Management and Oversight question bank — all 0 questions with answers and detailed explanations.

211 questions · Free · No signup
Question 1 (medium, multiple choice)

A company is evaluating a new cloud-based customer relationship management (CRM) provider. The provider’s documentation includes a SOC 2 Type II report, but the company’s compliance team specifically requires evidence that data in transit is encrypted using TLS 1.2 or higher, and data at rest is encrypted with AES-256. Which of the following actions best demonstrates that the company has performed proper due diligence in vendor risk management?

Question 2 (medium, multiple choice)

A security manager is evaluating the effectiveness of a new security awareness training program that all employees completed last quarter. The company has been conducting monthly phishing simulation campaigns for the past year. Which of the following metrics would provide the strongest evidence that the training is achieving its intended goal of changing employee behavior?

Question 3 (medium, multiple choice)

After completing a vulnerability scan, a security analyst discovers that a legacy customer-facing application running on an unsupported operating system contains a critical remote code execution vulnerability. The application is essential to daily operations and cannot be patched or upgraded in the near term. Management has approved the purchase of a hardware-based network firewall that will be placed in front of the application to restrict inbound traffic to only authorized source IP addresses and port numbers. Which risk management strategy does this action primarily represent?

Question 4 (medium, multiple choice)

A security manager is preparing a quarterly report for the board of directors on the effectiveness of the organization's security program. The manager has access to detailed technical data, including firewall log statistics, patch compliance percentages, and number of phishing simulation clicks. Which of the following would be the most appropriate way to present this information to the board?

Question 5 (medium, multiple choice)

A security manager is leading a risk assessment for the organization. The team identifies a legacy application that contains a known critical vulnerability. The vendor has discontinued support and no patch is available. The manager calculates that the annualized loss expectancy (ALE) for exploiting this vulnerability is $50,000. Implementing a third-party web application firewall (WAF) as a compensating control would cost $80,000 per year. The organization's leadership decides that accepting the risk is the most cost-effective approach. Which of the following documents should the security manager update to formally record this risk acceptance decision and obtain the necessary sign-off?

Question 6 (medium, multiple choice)

A security manager at a financial services company is proposing a new policy that would require annual background checks for all employees with access to sensitive customer payment data. The proposed policy, if implemented, would increase the organization's operational costs by approximately $200,000 per year. The manager needs to obtain formal approval to implement this policy. Which of the following groups is MOST likely to have the authority to approve this policy and allocate the necessary budget?

Question 7 (medium, multiple choice)

A security manager at a healthcare organization is reviewing the results of a third-party vendor risk assessment for a cloud-based email service that will store protected health information (PHI). The assessment reveals that the vendor encrypts data at rest using AES-256 but does not support customer-managed encryption keys. The vendor's data center is located in a country that is not subject to HIPAA jurisdiction. The vendor's previous penetration test report is over 18 months old. Which of the following is the most appropriate risk management action for the security manager to take?

Question 8 (medium, multiple choice)

A security manager at a hospital is reviewing the annual vendor risk assessment for a cloud-based electronic health record (EHR) provider. The provider's SOC 2 Type II report, issued six months ago, identifies a significant deficiency in logical access controls: the provider failed to revoke access for former employees in a timely manner. The provider's management has asserted that this deficiency has been fully remediated, but the next SOC 2 audit is not scheduled for another eight months. The hospital's data protection policy requires that any vendor handling protected health information (PHI) must have a current SOC 2 Type II report with no unresolved significant deficiencies. Which of the following is the most appropriate next step for the security manager?

Question 9 (medium, multiple choice)

A security manager at a financial services company is evaluating the effectiveness of a newly deployed security awareness training program. The program included modules on recognizing phishing emails, password security, and tailgating. One month after the training, the manager wants to assess whether employees are applying the learned behaviors to reduce the risk of phishing attacks. Which of the following metrics would provide the most valid indication of the training's behavioral impact?

Question 10 (medium, multiple choice)

A security manager at a healthcare organization is responsible for maintaining the information security policy. A project manager requests a policy exception to use a cloud-based analytics platform that stores patient data. The platform currently encrypts data at rest with AES-128 instead of the required AES-256. The security manager assesses the risk and determines that the likelihood of data exposure is low due to other compensating controls already in place, but the impact would be high. The residual risk is within the organization's risk appetite. Which of the following is the most appropriate action for the security manager to take?

Question 11 (medium, multiple choice)

An IT manager wants a document that defines the mandatory minimum requirements for all company laptops, including full-disk encryption, password length, and screen-lock timing. The help desk also needs a separate document that shows exactly how to enroll a laptop in management software. Which document type should contain the mandatory laptop requirements?

Question 12 (medium, multiple choice)

During onboarding, a manager wants a document that explains how to request access to a shared drive, who approves it, and what the help desk must do after approval. Which document type is MOST appropriate?

Question 13 (easy, multi-select)

A manager asks how the security team decides which issue should be fixed first. Which two factors are MOST important to evaluate for each risk?

Question 14 (medium, matching)

Match each awareness-program metric to the interpretation the security team should use.
1. 8% of users clicked the simulated phishing link.
2. 34% of users reported the simulation using the report-phish button.
3. The median time from message delivery to first user report was 12 minutes.
4. 96% of staff completed the annual awareness module.

Concepts:
- Click rate
- Report rate
- Time to report
- Training completion rate

Question 15 (hard, multiple choice)

Based on the exhibit, which risk should be prioritized first under the company's likelihood-impact scoring model?

Exhibit

Risk register:
- Scoring model: Likelihood and impact are each rated from 1 to 5; higher total score means higher priority
- R-101: Medium likelihood (3), High impact (4), current control: manual review
- R-102: High likelihood (5), Medium impact (3), current control: none
- R-103: Low likelihood (1), Critical impact (5), current control: compensating detective control
- R-104: High likelihood (4), High impact (4), current control: backup power only
- Business note: Only one risk can be funded this quarter.

Question 16 (hard, multiple choice)

Based on the exhibit, which document type should the organization update if it wants the listed endpoint settings to be mandatory baseline requirements?

Exhibit

Security document hierarchy:
- Corporate policy: "Endpoints must be protected against unauthorized access."
- Standard excerpt: "All managed laptops shall use full-disk encryption, auto-lock after 10 minutes of inactivity, and a 14-character password minimum."
- Procedure excerpt: "Step 1: Open Settings. Step 2: Enable BitLocker. Step 3: Confirm policy sync."
- Guideline excerpt: "Users should avoid storing sensitive files locally when possible."

Question 17 (easy, multiple choice)

A security manager wants evidence that annual security awareness training was completed by employees. Which artifact is the best proof?

Question 18 (medium, matching)

Match each audit request to the best evidence artifact.
1. Auditors want proof that managers reviewed privileged access last quarter.
2. Auditors want evidence that an emergency firewall change was approved before implementation.
3. Auditors want to verify that annual security training was completed by staff.
4. Auditors want to confirm that records were deleted after the retention period expired.

Concepts:
- Access review attestation report
- Approved change ticket
- LMS completion export
- Retention deletion log

Question 19 (medium, multiple choice)

A marketing analyst asks for a spreadsheet containing customer names, email addresses, purchase history, and government ID numbers so the team can build a campaign list. What is the BEST security response?

Question 20 (easy, multiple choice)

A department identifies a low-likelihood software risk that would be expensive to fix right now. Leadership decides the business can live with the exposure for now, but wants it documented and reviewed later. What risk treatment is this?

Question 21 (easy, multiple choice)

A supplier tells your company it wants to use a new subcontractor to process customer data. What is the BEST contract control to reduce this risk?

Question 22 (medium, multiple choice)

After three months of phishing awareness training, the security team wants a metric that best shows whether employees are becoming harder to trick. Which metric is MOST useful?

Question 23 (medium, multiple choice)

An external auditor asks for proof that firewall rule changes were reviewed and approved before being implemented during the last quarter. Which evidence is MOST appropriate to provide?

Question 24 (medium, multiple choice)

A company is evaluating a new payroll SaaS provider that will store employee tax and bank details. Before signing the contract, which action BEST supports vendor due diligence?

Question 25 (medium, matching)

Match each vendor-risk concern to the contractual control that best addresses it.
1. The company wants the right to review the vendor's controls and supporting records after the contract is signed.
2. The company wants to know when the vendor will use subcontractors that may touch its data.
3. The company wants written notice within 24 hours if the vendor suffers an incident affecting company data.
4. The company wants assurance that the vendor's controls are independently assessed each year.

Concepts:
- Right-to-audit clause
- Subprocessor disclosure requirement
- Breach-notification clause
- SOC 2 Type II report

Question 26 (medium, matching)

Match each procurement need to the vendor due diligence artifact or control that best fits.
1. Procurement wants independent evidence that a SaaS provider's controls operated effectively during the last year.
2. The team wants to know what files, libraries, and modules were included in a supplier's software build.
3. The business needs a signed agreement that defines how customer data is handled and what the vendor must do if an incident occurs.
4. The procurement team wants answers about MFA, logging, and incident response before onboarding a cloud supplier.

Concepts:
- SOC 2 Type II report
- Software bill of materials (SBOM)
- Data processing agreement (DPA)
- Security questionnaire

Question 27 (medium, multiple choice)

A data analyst needs a copy of a customer file for product testing. The file includes names, email addresses, purchase history, and government ID numbers, but the test team only needs the names and purchase history. What is the BEST handling action?

Question 28 (medium, multiple choice)

Based on the exhibit, which document type should define the exact encryption algorithm and minimum key length for all company laptops?

Exhibit

Endpoint governance draft
--------------------------------------------------
Policy: Company-owned laptops must use approved full-disk encryption.
Document B: [blank]
Procedure: Steps for enabling encryption in the MDM console.
Guideline: Recommended screen-lock timeout ranges by job role.

Question 29 (medium, multiple choice)

A project team identifies a new risk with a high likelihood of minor data exposure during a pilot rollout. The impact is low, but the issue would become harder to address after production launch. The business owner wants the project to proceed. What should the risk owner do NEXT?

Question 30 (medium, matching)

Match each governance need to the document type that best fits.
1. All employees must follow rules for acceptable use of company systems.
2. Every company laptop must use full-disk encryption and a 14-character screen-lock PIN.
3. The service desk follows these exact steps to verify a caller before resetting MFA.
4. Admins are encouraged to place non-production test data in approved folders when practical.

Concepts:
- Policy
- Standard
- Procedure
- Guideline

Question 31 (medium, multi-select)

A business unit wants to keep using a customer portal even though a low-likelihood, high-impact dependency risk was identified. Leadership does not want to stop the service, but it does want to lower exposure and formally document the remaining risk. Which two actions best fit that approach? Select two.

Question 32 (medium, multiple choice)

After implementing MFA and stronger monitoring, a department still has a small chance of account misuse that could affect a low-value internal tool. The business owner reviews the remaining exposure and agrees it is within tolerance. What should happen next?

Question 33 (easy, multiple choice)

A desktop engineering team needs the document that sets the mandatory minimum password length and screen-lock timeout for all company laptops. Which document type should they use?

Question 34 (medium, multi-select)

After several password-reset incidents, the security team wants one document that sets mandatory minimum controls for privileged accounts and another that tells the help desk the exact steps to verify identity and reset access. Which two document types should they use? Select two.

Question 35 (medium, multiple choice)

A software supplier used by your company is adding a new library to its product and says the change is "internal only." Your security team wants better visibility into future component risks before the next renewal. What requirement would BEST support supply chain due diligence?

Question 36 (medium, multi-select)

HR needs to share a copy of employee records with a benefits contractor for testing. The contractor only needs names and coverage selections, not Social Security numbers or bank details. Which two actions best satisfy data handling requirements? Select two.

Question 37 (easy, multiple choice)

HR needs to send a benefits contractor a file for testing, but the contractor only needs employee names and plan selections. What is the best action before sharing the file?

Question 38 (easy, multiple choice)

A company is considering a new SaaS vendor that will process customer records. What is the best first action before signing the contract?

Question 39 (medium, multi-select)

The legal team wants to confirm that customer records are being deleted on schedule after the retention period expires. Which two artifacts best demonstrate compliance? Select two.

Question 40 (medium, multiple choice)

A finance application has a known vulnerability in a third-party reporting component. The vendor says a patch will not be available for six months, but the business cannot stop using the application. What is the BEST risk treatment for the organization to pursue next?

Question 41 (easy, multiple choice)

The service desk needs a document that tells analysts exactly how to verify a caller and reset a password for a locked account. Which document type should they use?

Question 42 (medium, multiple choice)

Based on the exhibit, what is the best next step before onboarding the vendor?

Exhibit

Vendor due diligence summary
--------------------------------------------------
Vendor: CloudInvoice
SOC 2 Type II report: 22 months old
Penetration test: completed, no high findings
Subprocessors: 4 listed, 2 operate in another country
Business continuity evidence: not provided
Contract draft: no breach-notification window, no audit-rights clause

Question 43 (hard, matching)

Match each requirement or instruction to the correct governance document type. Use each document type once.

Concepts:
- Policy
- Standard
- Procedure
- Guideline

Question 44 (easy, multiple choice)

The help desk needs a document that tells analysts exactly how to verify a caller, reset a password, and record the ticket when a user is locked out. What type of document is this?

Question 45 (hard, matching)

Match each procurement or oversight need to the best vendor due diligence artifact or clause. Use each item once.

Concepts:
- SOC 2 Type II report
- Data processing agreement (DPA)
- Software bill of materials (SBOM)
- Right-to-audit clause
- Disaster recovery test report

Question 46 (hard, multiple choice)

Based on the exhibit, which artifact is the strongest evidence that the firewall change was reviewed and approved before implementation?

Exhibit

Change control evidence:
- CHG-8842: "Allow vendor IP range for maintenance window"
- Requested: 2026-04-18 09:10
- Reviewed by CAB: Approved 2026-04-18 11:40
- Implemented: 2026-04-18 22:05
- Post-change validation: Firewall logs show only the approved destination was opened
- Separate email: "Looks fine to me" from engineer after implementation

Question 47 (hard, matching)

Match each risk-register description to the correct risk term. Use each term once.

Concepts:
- Likelihood
- Impact
- Inherent risk
- Residual risk
- Risk appetite

Question 48 (medium, matching)

Match each business scenario to the most appropriate risk treatment.
1. A legacy reporting server is expensive to replace, and leadership is willing to monitor the low expected loss for now.
2. A public web portal is being hit by credential stuffing, so the team adds MFA and rate limiting.
3. The organization wants protection from a costly third-party outage by purchasing cyber insurance.
4. A proposed project would collect regulated data that the business has decided not to process at all.

Concepts:
- Accept
- Mitigate
- Transfer
- Avoid

Question 49 (medium, matching)

Match each data example to the most appropriate classification label.
1. A public marketing flyer approved for external posting.
2. An internal org chart and office directory meant only for employees.
3. A customer case file with contact details and order history.
4. A vault export containing API keys and encryption secrets.

Concepts:
- Public
- Internal
- Confidential
- Restricted

Question 50 (hard, multiple choice)

Based on the exhibit, what should the security team add before approving the vendor's requested change?

Exhibit

Supplier diligence summary:
- Vendor: Northstar Payroll Services
- SOC 2 Type II report received; one low-severity exception noted for delayed log review
- Subprocessor change notice: Vendor plans to move backup processing to SkyCove Hosting next month
- Contract terms: No clause requiring prior approval for new subprocessors
- Security team concern: Customer bank details will be included in the backup set

Question 51 (hard, multiple choice)

Based on the exhibit, which risk treatment should the security manager recommend first?

Exhibit

Risk register excerpt:
- Risk ID: R-22
- Asset: Internet-facing file transfer appliance
- Finding: Unsupported firmware; vendor end-of-support was announced 9 months ago
- Likelihood: High
- Impact: High
- Current control: Basic password policy only
- Estimated cost to replace: $9,500 one-time
- Estimated cost to add WAF rules: $2,000
- Business note: The system processes customer tax documents and cannot be left exposed for a full quarter.

Question 52 (hard, multiple choice)

Based on the exhibit, what is the best data-handling action before sharing the file with the third party?

Exhibit

Data extract request:
- Fields in spreadsheet: employee name, home address, email, bank routing number, bank account number, government ID number, benefits selections
- Requester: Third-party benefits administrator
- Business purpose: Test import mapping; only name, email, and benefits selections are required
- Policy note: Government IDs and bank data must not leave HR systems unless explicitly approved

Question 53 (medium, multiple choice)

Based on the exhibit, which missing control best improves oversight of the supplier?

Exhibit

Supplier security scorecard
--------------------------------------------------
Supplier: DeltaPrint Services
New subcontractor added last week: Yes
Data processing agreement: Signed
Breach-notification window: 30 days
Right-to-audit clause: Not included
Annual attestation: Self-certified by supplier only

Question 54 (hard, multiple choice)

Based on the exhibit, which metric best shows that employees are recognizing and escalating phishing attempts more quickly?

Exhibit

Phishing simulation results:
- Quarter 1: 1,000 employees tested; 84 clicked; 219 reported within 15 minutes; median report time 8 minutes
- Quarter 2: 1,000 employees tested; 71 clicked; 401 reported within 15 minutes; median report time 3 minutes
- Repeat clickers: 11 in Quarter 1; 3 in Quarter 2

Question 55 (medium, multiple choice)

Based on the exhibit, which metric best indicates improved phishing resistance?

Exhibit

Awareness dashboard
--------------------------------------------------
Quarter 1 -> Quarter 2
Phish click rate: 14% -> 9%
Phish report rate: 21% -> 34%
Median time to report: 16 min -> 7 min
Training completion: 98% -> 99%

Question 56 (medium, multiple choice)

A payroll SaaS provider has passed initial review, but before contract signing it announces that customer data will be processed by a new subcontractor in another country. The business wants to keep the onboarding timeline short, but security still needs assurance that the change does not increase exposure. What is the BEST next step?

Question 57 (medium, multiple choice)

An external auditor asks for proof that quarterly privileged access reviews were completed and that any exceptions were tracked to closure during the last year. Which evidence is MOST appropriate to provide?

Question 58 (medium, multiple choice)

Based on the exhibit, what is the best risk treatment recommendation for the security manager?

Exhibit

Risk register excerpt
--------------------------------------------------
Risk ID: R-19
Asset: Partner self-service portal on legacy VM
Likelihood: 4/5
Impact: 5/5
Current controls: firewall ACL, nightly backups
Business note: Portal must remain online for 90 more days until migration completes
Available budget: Compensating controls approved for this quarter

Question 59 (easy, multiple choice)

A company wants to state that customer data must not be emailed externally unless a manager approves the exception. Which document type should contain this rule?

Question 60 (hard, multiple choice)

Based on the exhibit, which document type should the service desk use for the locked-account workflow?

Exhibit

Service desk draft:
- Verify caller using employee ID and manager callback
- Reset password in the IAM portal
- Record ticket number and recovery method
- Ask user to confirm no sensitive applications are open
Management request: "Turn this draft into the document analysts must follow exactly when a user is locked out."

Question 61 (medium, multiple choice)

A business-critical internal reporting portal is exposed to all employees. A scan finds a high-severity vulnerability, but the vendor says a fix will not be available for 30 days. The application is only used by finance once a month, and the business can tolerate a brief outage if needed. Which risk treatment is the BEST immediate action?

Question 62 (easy, multiple choice)

After a phishing-awareness campaign, which metric best shows that employees are becoming more resistant to phishing attempts?

Question 63 (easy, multiple choice)

A business wants to keep operating even if a supplier-related loss occurs, so it purchases cyber insurance to offset possible costs. Which risk treatment is being used?

Question 64 (medium, multiple choice)

A software supplier used by your organization begins subcontracting a critical part of its service to an unknown hosting company. Which contractual control would BEST help manage this supply chain risk?

Question 65 (hard, matching)

Match each awareness-program metric or pattern to the best interpretation. Use each interpretation once.

Concepts

Improved phishing resistance

Better escalation culture

Faster detection and triage

Targeted refresher coaching needed

Question 66 (hard, matching)

Match each business situation to the best risk treatment. Use each treatment once.

Concepts

Accept risk

Mitigate risk

Transfer risk

Avoid risk

Question 67 (medium, multi select)

An external auditor asks for proof that emergency firewall changes were reviewed and approved before implementation last quarter. Which two artifacts are the best evidence? Select two.

Question 68 (easy, multiple choice)

A small internal reporting server has a low-severity vulnerability. Fixing it now would require several hours of downtime, while the business impact of exploitation is considered low. What is the BEST risk treatment for this situation?

Question 69 (medium, multi select)

A software supplier is adding a new subcontractor to process your company's customer data. The security team wants to understand the new exposure before allowing the change. Which three items should it request or review first? Select three.

Question 70 (medium, multiple choice)

A desktop engineering team asks for the document that specifies the exact minimum encryption setting, screen-lock timer, and password length for company laptops. Which type of document should they follow?

Question 71 (medium, multiple choice)

Based on the exhibit, which item is the strongest evidence that quarterly privileged access reviews occurred?

Exhibit

External audit request
--------------------------------------------------
Request: Provide proof of quarterly privileged access reviews for FY2025.
Evidence package received:
1. Signed access review spreadsheet with reviewer name, review date, and exceptions
2. SIEM export of administrator logins
3. Help desk ticket for a password reset
4. Screenshot of the access review policy

Question 72 (medium, multiple choice)

After a phishing simulation, many users still almost submitted credentials to a fake Microsoft login page. Security wants to reduce repeat mistakes quickly without interrupting daily work. Which approach is best?

Question 73 (medium, multi select)

An HR analyst must share a spreadsheet with an external auditor. The spreadsheet includes employee names, Social Security numbers, bank account numbers, and salary data, but the auditor only needs employee names and total payroll. Which three actions best protect the data? Select three.

Question 74 (easy, multiple choice)

Paper onboarding forms have reached the end of their retention period, and no legal hold applies. What should happen next?

Question 75 (easy, multi select)

A manager asks how to decide whether a new security issue is worth spending money on. Which two factors should be reviewed first? Select two.

Question 76 (easy, multiple choice)

A small company has two security issues and can fix only one this week. Which should be prioritized first? One issue is an internal lab server with a medium-severity flaw. The other is an internet-facing login portal using default administrator credentials.

Question 77 (easy, multiple choice)

Which document should define mandatory settings such as full-disk encryption, a 10-minute screen-lock timeout, and removal of local administrator rights on company laptops?

Question 78 (medium, multiple choice)

Several employees nearly entered credentials into a fake mailbox login page. The security team wants to reduce repeat mistakes quickly without overwhelming the whole company. What is the best communication approach?

Question 79 (easy, multi select)

After a phishing simulation, many users still nearly entered credentials. Leadership wants to reduce repeat mistakes without causing long training sessions. Which two actions are the best balance of security and usability? Select two.

Question 80 (medium, multiple choice)

An HR analyst needs to send a payroll reconciliation file to an external auditor. The file contains employee names, SSNs, bank account numbers, and salary details, but the auditor only needs employee IDs, payment totals, and a control total. What should the analyst do first?

Question 81 (medium, multiple choice)

An HR analyst must send a compensation spreadsheet to an external auditor. The auditor only needs employee names, departments, and salary totals; Social Security numbers and bank account fields are not required. What should the analyst do before sharing the file?

Question 82 (medium, multiple choice)

A vendor-supported legacy application can run only with a deprecated browser plug-in on two engineering workstations for 30 days while a replacement is tested. Management wants to allow the exception without weakening the security program. What is the best action?

Question 83 (medium, multi select)

After several near-miss phishing attempts, leadership wants to reduce mistakes quickly without disrupting daily work. Which three measures are the best balance of security and usability? Select three.

Question 84 (easy, multi select)

A records clerk finds paper forms containing customer identifiers. The retention period has expired, and no legal hold applies. Which two actions are appropriate next? Select two.

Question 85 (medium, multiple choice)

An engineering team requests a 30-day exception to use an unsupported browser plug-in on two workstations so a customer deliverable can be finished. Security agrees the business need is legitimate, but wants to reduce exposure. What must be included before the exception is approved?

Question 86 (hard, multi select)

The exhibit shows a weekly risk register for a small enterprise. Which three findings should be remediated first based on likelihood of exploitation and business impact? Select three.

Exhibit

Finding 1: Customer portal admin access lacks MFA. Internet-facing, moderate exploitability, high business impact.
Finding 2: Internal training wiki uses default template permissions. Intranet only, low exploitability, low business impact.
Finding 3: Payroll file share inherits broad write permissions. Internal network, easy lateral movement, high business impact.
Finding 4: Conference-room printer uses the default admin password. Internal network, moderate exploitability, medium business impact.
Finding 5: Isolated lab VM runs an outdated package. No production connectivity, contained, low business impact.

Question 87 (easy, multiple choice)

An HR spreadsheet contains employee names, Social Security numbers, and bank account numbers. Which label is most appropriate under a Public, Internal, Confidential, and Restricted scheme?

Question 88 (easy, multi select)

A help desk team is writing a procedure for resetting MFA after a user loses a phone. Which two details belong in the procedure rather than in the policy? Select two.

Question 89 (medium, multiple choice)

A vulnerability scan identifies four issues across a small company. Which item should the operations team remediate first?

Question 90 (medium, multi select)

A business unit asks for a 30-day exception to use an unsupported browser plug-in on two engineering workstations while a replacement is tested. Which three conditions should be required before approval? Select three.

Question 91 (hard, multi select)

An accounts payable specialist receives an email inside an existing vendor thread that asks for a last-minute bank-account change before a payment run. The wording is professional, the signature matches, and the request is urgent. Which three actions should the specialist take? Select three.

Question 92 (hard, multi select)

After a phishing simulation, many employees still almost entered credentials into a fake login page. Leadership wants the fastest improvement without creating training fatigue or disrupting daily work. Which three measures are the best balance of security and usability? Select three.

Question 93 (medium, multiple choice)

A company can patch only one of two internet-facing systems this week. System 1 has a critical vulnerability but is reachable only through the corporate VPN during maintenance windows. System 2 has a medium vulnerability and supports the public payment site, which shows active attack traffic every day. Which system should be prioritized first?

Question 94 (medium, multiple choice)

An engineering tool runs on an unsupported operating system, but the tool is used only occasionally and can be replaced by a supported cloud service with little workflow impact. Which risk treatment is best?

Question 95 (hard, multi select)

A customer portal team must keep an unsupported Linux appliance online for 60 days while a replacement is built. The appliance processes payment tokens and cannot be patched until the vendor certifies the new image. Which two actions best reduce the residual risk during the 60-day window? Select two.

Question 96 (medium, multiple choice)

A records manager discovers 18-month-old paper onboarding forms stored in a cabinet. The retention schedule says the forms must be destroyed after 12 months unless legal hold applies, and no hold has been issued. What is the best next step?

Question 97 (easy, multi select)

A security manager wants one document that states employees must protect company laptops and another that defines exact required settings such as disk encryption and a 10-minute screen lock. Which two document types are the best fit? Select two.

Question 98 (hard, multi select)

A developer requests a 45-day exception to use an unsupported browser plug-in on two engineering workstations so a legacy design tool can finish a customer deliverable. Which three conditions should be required before approving the exception? Select three.

Question 99 (medium, multiple choice)

A project team must share a spreadsheet containing customer names, account numbers, and purchase history with an external auditor. The auditor only needs account numbers and totals. What is the best privacy control?

Question 100 (easy, multi select)

An HR analyst must send a salary file to an external auditor. The auditor only needs names, departments, and salary totals, not Social Security numbers or bank account details. Which two actions should the analyst take first? Select two.

Question 101 (medium, multiple choice)

A project team needs to use an unapproved file-sharing application for two weeks because the approved platform cannot support an external client collaboration feature. What is the best security action?

Question 102 (medium, multiple choice)

A legacy payroll server contains a critical vulnerability. The vendor says a patch is 45 days away, and the system must remain available for payroll processing. Which risk treatment is the best short-term choice?

Question 103 (medium, multiple choice)

A business owner asks whether to proceed with a medium-risk issue on an internal reporting system. The vulnerability is unlikely to be exploited because the system is reachable only from a segmented admin network, and no sensitive data is stored there. The owner wants to postpone remediation until the next planned upgrade window. Which risk treatment is being chosen?

Question 104 (medium, multi select)

A weekly risk review lists several findings. Which two should be addressed first based on likelihood of exploitation and business impact? Select two.

Question 105 (medium, multi select)

A security manager is writing baseline requirements for all corporate laptops. Which three statements belong in the standard rather than in a policy or guideline? Select three.

Question 106 (medium, multiple choice)

A hospital's claims portal has two open risks. Risk A is an internet-facing login page with a low-severity software flaw, but monitoring shows a steady increase in automated login attempts. Risk B is an internal file share with a medium-severity patch gap, but only a small admin group can access it and no exploitation is observed. Leadership can fund only one remediation this month. Which risk should be prioritized first?

Question 107 (easy, multiple choice)

A file contains employee Social Security numbers and bank account details. The company uses the labels Public, Internal, Confidential, and Restricted. Which label is most appropriate?

Question 108 (easy, multi select)

A small company can only remediate two findings this week. Which two should be fixed first based on risk to the business? Select two.

Question 109 (medium, multi select)

A records manager confirms that paper onboarding forms containing government IDs are past retention, no legal hold exists, and the files are no longer needed. Which three actions should happen next? Select three.

Question 110 (medium, multi select)

A manufacturing company must keep a legacy scheduling application running for 60 days while replacement testing finishes. The application supports production orders, and the business cannot tolerate a shutdown. Which three conditions should be required before approving the temporary exception? Select three.

Question 111 (medium, multiple choice)

A development manager wants to copy a production customer database into a test environment so testers can reproduce a bug. The database contains names, addresses, and payment tokens. What is the best security practice before the copy is made?

Question 112 (medium, multiple choice)

A cloud-hosted invoicing app has a critical vulnerability, but the vendor says a patch will not be available for six weeks. The team adds a web application firewall rule, restricts access to the app subnet, and increases monitoring until the patch arrives. What is this best described as?

Question 113 (easy, multiple choice)

An employee receives an email that appears to be from the CEO and asks for gift cards before a meeting. What should the employee do first?

Question 114 (easy, multiple choice)

A company wants every corporate laptop to use the same required screen-lock timeout, disk encryption setting, and local administrator restriction. Which document should define these mandatory settings?

Question 115 (easy, multiple choice)

A vendor-supported application cannot be patched for 30 days, but the business must keep it online. What is the best short-term risk treatment?

Question 116 (easy, multiple choice)

After a phishing simulation, many users still nearly entered credentials on the fake page. Security wants the fastest improvement without scheduling long training sessions. What is the best response?

Question 117 (medium, multiple choice)

A security manager wants every corporate laptop to use the same mandatory settings, including disk encryption, a 10-minute screen lock, and removal of local administrator rights. Which document should define these specific requirements?

Question 118 (easy, multi select)

An employee receives a text message claiming their email password expired and asks them to tap a link and confirm a one-time code. Which two responses are appropriate? Select two.

Question 119 (easy, multiple choice)

A company has two security issues to address this week. One is a public-facing login portal that uses default administrator credentials. The other is an internal lab system used only by one tester. Which issue should be prioritized first?

Question 120 (easy, multiple choice)

A security team wants to reduce repeated user mistakes after a phishing campaign without overwhelming employees with long training sessions. Which approach is best?

Question 121 (easy, multiple choice)

A department finished using paper forms that contain customer information, and the retention period has expired. What is the best next step?

Question 122 (easy, multiple choice)

A vendor says a patch for a critical flaw in a public-facing application will not be available for 30 days, but the service must stay online. What is the best short-term risk treatment?

Question 123 (hard, multi select)

A records manager finds paper onboarding forms and scanned copies that contain government ID numbers. The retention period has expired, no legal hold exists, and the forms are no longer needed. Which three actions should occur before disposal? Select three.

Question 124 (medium, multi select)

A help desk technician receives a call from someone claiming to be a contractor whose MFA device was lost during travel. The caller knows the company org chart and asks for a new device enrollment. Which three responses are appropriate? Select three.

Question 125 (easy, multiple choice)

An employee receives an email that says, 'This is the CEO. Buy gift cards now and reply with the codes before the meeting starts.' What should the employee do?

Question 126 (medium, multiple choice)

HR stores scanned government IDs collected during onboarding. The retention policy says the files may be kept for 90 days after employment verification, then destroyed. What should security require?

Question 127 (hard, matching)

Match each excerpt from a small enterprise security program to the correct governance artifact.

Exhibit

1. All company laptops must use full-disk encryption, automatic screen locking after 10 minutes, and the approved EDR agent.
2. To replace a lost MFA token, the help desk must verify identity, disable the old token, and re-enroll the user before access is restored.
3. Users should avoid storing confidential files on removable media unless there is a documented business need.
4. The engineering team may use one unsupported browser plug-in on two workstations for 30 days while a redesign is completed.
5. Remote access is allowed only through the approved VPN with MFA.

Concepts

Standard

Procedure

Guideline

Exception

Policy

Question 128 (medium, multiple choice)

A manufacturer identifies a rare but very costly ransomware risk. Executives decide not to eliminate the activity, but to purchase cyber insurance and formally acknowledge the remaining exposure. Which risk treatment is being used?

Question 129 (medium, multiple choice)

A Linux operations team is building a new production gold image for database servers. Security requires every build to disable password-based SSH, enable audit logging, use the company NTP servers, and remove the desktop package set. The admins need a document that defines these exact required settings and allows exceptions only through formal approval. Which artifact should be used?

Question 130 (medium, multiple choice)

A business unit is worried about the financial impact of a rare but severe data center outage. After reviewing the risk register, leadership decides to purchase cyber insurance and document the remaining exposure rather than redesign the entire platform. Which risk treatment is this?

Question 131 (medium, multiple choice)

Leadership is deciding between two security controls for a customer portal outage risk. Finance wants to compare the options in dollars, using expected loss, not just a high/medium/low rating. Which approach should the analyst use?

Question 132 (medium, multiple choice)

A support team wants to export customer tickets into a test analytics environment so developers can search real examples while minimizing privacy exposure. The exported data includes names, email addresses, and account IDs that are not needed for the test. What is the best first step?

Question 133 (medium, multiple choice)

A business owner asks the security team to compare the cost of two controls for a legacy application in dollar terms. The team estimates the annual chance of a breach, the potential loss per event, and the expected yearly loss after each control is applied. Which risk analysis approach is being used?

Question 134 (medium, multiple choice)

A help desk manager wants sample customer tickets copied into a test environment so developers can reproduce support issues. The tickets include names, phone numbers, and account details. Which action best reduces privacy exposure while still supporting testing?

Question 135 (easy, multiple choice)

Based on the exhibit, which governance artifact is the security team reviewing?

Exhibit

Document title: Linux Server Baseline v3.2
Approval: Infrastructure Manager
Scope: All production Linux servers
Requirements:
- SSH enabled
- Telnet disabled
- Unused services removed
- Central logging enabled
Purpose: Define the minimum approved configuration for new builds and rebuilds.

Question 136 (medium, multiple choice)

A procurement team is evaluating a payroll SaaS vendor. They want independent evidence that the vendor's controls were designed and operating effectively over the last six months, not just at a single point in time. Which report should they request?

Question 137 (hard, multiple choice)

Based on the exhibit, which system should be restored first after a total site outage?

Exhibit

Business impact analysis excerpt:

System A - Payroll
Maximum tolerable downtime: 8 hours
Recovery time objective: 4 hours
Recovery point objective: 1 hour
Impact note: regulatory penalties begin after one missed payroll cycle

System B - Customer portal
Maximum tolerable downtime: 24 hours
Recovery time objective: 8 hours
Recovery point objective: 15 minutes
Impact note: revenue loss approx. $240,000/day

System C - Email
Maximum tolerable downtime: 72 hours
Recovery time objective: 24 hours
Recovery point objective: 8 hours

System D - Dev test lab
Maximum tolerable downtime: 30 days
Recovery time objective: 7 days
Recovery point objective: 24 hours

Question 138 (medium, multiple choice)

Leadership wants to compare two controls for protecting a customer portal. Option A costs $40,000 and reduces annual loss expectancy from $120,000 to $30,000. Option B costs $15,000 and reduces annual loss expectancy to $70,000. Which analysis method best supports this decision?

Question 139 (easy, multi select)

A developer finds a critical bug in a customer portal on Friday afternoon. The fix must be released quickly, but the team needs a way to reverse the change if testing reveals a problem and wants the release to follow the normal approval process. Which two practices should be used? Select two.

Question 140 (easy, multiple choice)

Based on the exhibit, what should management implement next?

Exhibit

Phishing simulation results for Q1:
Finance: 22% clicked
HR: 19% clicked
Executive assistants: 28% clicked
Users who reported the message using the reporting button: 41%

Management goal: Reduce click rates and increase reporting over the next quarter.

Question 141 (medium, multiple choice)

An HR manager wants to share employee data with a benefits analytics vendor. The dataset includes names, employee IDs, home addresses, and medical leave codes. Security wants to reduce privacy exposure while still allowing the vendor to complete the analysis. What is the best first step?

Question 142 (medium, multiple choice)

A network engineer needs to change an ACL on a production firewall so a new SaaS integration works. The business cannot tolerate an extended outage, and the change must be reversible if testing fails. Which practice best fits?

Question 143 (easy, multi select)

Before approving a new payroll SaaS provider, the security team wants independent evidence that the vendor's controls operated effectively during the last year and wants the contract to clearly define security responsibilities. Which two items should they request or review? Select two.

Question 144 (medium, multiple choice)

A help desk team needs sample customer tickets in a lower environment for testing. The records contain names, phone numbers, and case details. Which approach best reduces privacy risk while still allowing useful testing?

Question 145 (medium, multiple choice)

A developer finds a production bug on Friday afternoon. The fix has already passed staging, but the business wants the release to be reversible if the hotfix causes trouble. Which change-management practice best satisfies both speed and control?

Question 146 (easy, multi select)

During business impact analysis interviews, the team needs two inputs that help determine which business services must recover first after an outage. Which two inputs are the most useful? Select two.

Question 147 (medium, multiple choice)

Procurement is reviewing a new payroll SaaS provider. The business wants independent evidence that the vendor's controls were designed and operating effectively over the last six months. Which document should the security team request?

Question 148 (medium, multiple choice)

A records manager is preparing to delete old HR emails next week under the retention schedule. Legal notifies the team that those messages may be needed for an active investigation. What should the records manager do first?

Question 149 (easy, multi select)

A business unit keeps a low-priority legacy tool but adds extra monitoring and patching. The company also buys cyber insurance to reduce the financial effect of a loss. Which two risk treatment strategies are being used? Select two.

Question 150 (medium, multiple choice)

After several employees clicked on a realistic phishing email, management wants a control that both improves user behavior and gives the security team a way to measure improvement over time. Which approach is best?

Question 151 (medium, multiple choice)

A development team needs to release a security fix to a customer portal, but the change must not introduce a new outage or bypass review controls. Which practice best supports a secure and repeatable release?

Question 152 (medium, multiple choice)

A records manager learns that emails related to a harassment investigation are scheduled for deletion next week under the retention policy. Legal issues a hold because the case may go to court. What should the records manager do?

Question 153 (easy, multiple choice)

Based on the exhibit, what should the security team recommend before sharing the report?

Exhibit

Data sharing request:
Recipient: Outside analytics vendor
Requested file: Monthly absenteeism report
Fields requested: employee name, home address, phone number, badge ID, medical leave code, department
Purpose stated by requester: Trend analysis for staffing patterns

Internal note: The vendor only needs department-level trends for the project.

Question 154 (medium, multiple choice)

After several employees clicked on phishing emails, management wants to reduce future click rates and show measurable improvement across finance, HR, and executive assistants. Which control best meets that goal?

Question 155 (medium, multiple choice)

The SOC is writing step-by-step instructions for responding to a suspected malware infection on a laptop. The document should tell analysts exactly what to do first, second, and third during triage and containment. Which governance artifact should they create?

Question 156 (hard, multiple choice)

Based on the exhibit, which control option provides the greatest net annual financial benefit for the organization?

Exhibit

Risk register excerpt for the public payment API
Current estimated annual loss expectancy without additional controls: $260,000

Option A: Tighten change approvals and require admin MFA
Control cost: $40,000
Residual annual loss expectancy: $160,000

Option B: Implement active-active failover between regions
Control cost: $120,000
Residual annual loss expectancy: $40,000

Option C: Purchase cyber insurance for the service
Control cost: $25,000
Residual annual loss expectancy: $220,000

Option D: Add manual fallback processing and user training
Control cost: $10,000
Residual annual loss expectancy: $210,000

Question 157 (medium, multiple choice)

A development team needs to release an urgent fix for a customer portal on Friday evening. The business wants the change to be reversible if something breaks, and security does not want the team to skip release controls. Which requirement should be part of the change process?

Question 158 (medium, multiple choice)

Several employees reported a text message that looked like it came from the VPN support team and linked to a fake sign-in page. Management wants to reduce future success of these attacks and improve how quickly users report suspicious messages. What should the security team implement?

Question 159 (hard, multiple choice)

Based on the exhibit, what is the best next step before the hotfix is released?

Exhibit

Emergency change request CHG-8841
Service: Customer portal login API
Reason: critical authentication bug causing lockouts

Pipeline status:
- Code review: pending
- Automated unit tests: skipped to save time
- Integration tests: failed once and were not rerun
- Rollback plan: not documented
- Approval: verbal yes from operations supervisor
- Deployment window: 21:30-22:00 tonight

Question 160 (easy, multi select)

After a phishing campaign, several employees entered credentials on a fake login page. Management wants a control that both improves user behavior and gives the security team a way to measure whether click rates are going down. Which two actions best meet that goal? Select two.

Question 161 (medium, multiple choice)

The CIO wants to compare two mitigation options for a payment system outage and justify the budget request in dollars. The team already knows the likely downtime window, annual incident frequency, and estimated revenue loss per hour. Which approach would best support the decision?

Question 162 (hard, multiple choice)

Based on the exhibit, what should the records manager do next?

Exhibit

Records schedule excerpt:
- Incident investigation emails: retain 2 years, then delete
- HR complaint records: retain 5 years, then delete

Legal notice received today:
"Preserve all messages, chat transcripts, attachments, and ticket notes related to case HR-2024-118 until further notice. Do not delete, alter, or auto-archive any related records."

System status:
- Auto-deletion job for the affected mailbox will run tonight at 23:00

Question 163 (medium, multiple choice)

A security manager issues a mandatory document that requires all corporate laptops to use full-disk encryption, automatic screen lock after 10 minutes, and approved endpoint protection software. The document will be checked during compliance reviews. Which governance artifact is this?

Question 164 (hard, multiple choice)

Based on the exhibit, which governance artifact is being described?

Exhibit

Document ID: BAS-014
Title: Windows 11 Laptop Minimum Configuration
Scope: All corporate laptops
Requirements: Full-disk encryption enabled; screen lock after 10 minutes; approved EDR installed; USB mass storage blocked; local administrator rights removed
Approval: Security manager and endpoint engineering lead
Review cycle: annually or after major OS changes

Question 165 (easy, multi select)

A security manager is creating a document that requires every corporate laptop to use full-disk encryption, automatic screen locking after 10 minutes, and approved antivirus software. Which two governance artifacts best fit those requirements? Select two.

Question 166 (medium, multiple choice)

A company is signing a contract with a SaaS expense platform. Security wants the vendor to notify the company within 24 hours of a confirmed incident, maintain customer data segregation, and allow the company to verify security commitments if required. Which control should be added to the agreement?

Question 167 (medium, multiple choice)

After a phishing campaign, 18 employees entered credentials on a fake login page. Management wants a program that both reduces future click rates and provides measurable improvement over time. What should security implement?

Question 168 (medium, multiple choice)

A records manager finds a folder of payroll reports on a shared drive. The business says the reports are no longer active, but legal retention rules require keeping them for another two years. What is the best action?

Question 169 (medium, multiple choice)

A security manager is creating a company-wide requirement that all Windows laptops must have full-disk encryption, screen lock after 10 minutes, and approved antivirus enabled. Administrators can choose the exact implementation details, but the minimum settings must be mandatory across the fleet. Which governance artifact should the manager update?

Question 170 (hard, multiple choice)

Based on the exhibit, what is the best next request before approving the vendor?

Exhibit

Vendor onboarding packet:
- SOC 2 Type I report: issued 14 months ago
- Penetration test summary: performed by the vendor's internal security team
- Shared responsibility matrix: included
- Contract: no breach notification SLA, no right-to-audit clause

Business requirement:
"We need independent evidence that the vendor's controls were operating effectively during the last six months before procurement approval."

Question 171 (medium, multiple choice)

A project lead needs to send a spreadsheet labeled confidential to an external auditor. The file contains employee names, salaries, and performance notes. Which handling step best protects the data while still supporting the business need?

Question 172 (hard, multiple choice)

Based on the exhibit, what is the best handling decision for the requested file?

Exhibit

Data request:
File: customer_export.csv
Contents: full name, street address, SSN last 4, account balance, support notes
Requestor: external troubleshooting contractor

Policy excerpt:
- Internal: company staff only
- Confidential: encrypt in transit, approved recipients only
- Restricted: minimize, mask where possible, owner approval required, time-limited access, logged sharing
- Public: may be shared externally without restriction

Question 173 (hard, multiple choice)

Based on the exhibit, which action should the security team prioritize next?

Exhibit

Phishing simulation results by department

Finance: 31% clicked invoice lure, 9% reported it
HR: 28% clicked policy-update lure, 8% reported it
Executive Assistants: 39% clicked calendar-invite lure, 4% reported it
Help Desk: 12% clicked, 29% reported

Observation:
Most missed messages closely match each team's daily workflow and terminology.

Question 174 (medium, multiple choice)

A security team is defining the minimum approved configuration for all new Linux web servers. The document must require specific logging settings, approved packages, and disabled services, and administrators must check servers against it during audits. Which governance artifact best fits this need?

Question 175 (medium, multiple choice)

An organization is evaluating a payroll SaaS provider after the procurement team asks for evidence that the vendor's security controls were designed and operating effectively during the past year. Which document should the security team review first?

Question 176 (easy, multi select)

A manager needs to send a spreadsheet containing employee names, salaries, and performance notes to an external auditor. Which two actions best support proper data handling? Select two.

Question 177 (medium, multiple choice)

A security manager publishes a document that tells help desk staff exactly how to verify identity, reset an admin password, record the ticket number, and close out the request during a maintenance window. What type of governance artifact is this?

Question 178 (easy, multi select)

A records manager is told that some HR emails may be needed for an active investigation, while unrelated messages are still due for deletion under the retention schedule. Which two actions should the manager take? Select two.

Question 179 (easy, multiple choice)

A project team needs to use a temporary file-sharing service for two weeks because the approved platform is under maintenance. The security manager wants the exception to be reviewed, time-limited, and documented with the business reason. Which governance document should be created?

Question 180 (medium, multiple choice)

Based on the exhibit, which awareness action should the security manager prioritize next?

Exhibit

Phishing simulation results from the last 30 days:
- Executives: 24% clicked, 0% reported
- Customer Support: 19% clicked, 1% reported
- Finance: 11% clicked, 3% reported
- IT: 6% clicked, 8% reported

Program note:
- The organization wants to reduce user clicks and improve reporting of suspicious messages.

Question 181 (medium, multiple choice)

Based on the exhibit, what should the security team recommend for the finance workstation pilot?

Exhibit

Procurement review notes:
- Vendor provides a desktop application for invoice reconciliation
- Installer is signed, but the vendor cannot provide a software bill of materials this quarter
- The application will run on 12 finance workstations only
- Access will be limited to read-only invoice data from a nonproduction export
- Proposed controls: application allowlisting, standard user accounts, and network segmentation
- Security concern: The business wants to approve the pilot immediately

Question 182 (easy, multiple choice)

An employee notices that a contractor left a printed report containing customer data on a conference room table. What should the employee do first?

Question 183 (medium, multiple choice)

Based on the exhibit, what is the best governance action before the sales team uses the legacy portal without MFA?

Exhibit

Policy excerpt:
- All privileged remote access must use MFA.

Standard excerpt:
- Approved MFA methods are authenticator app or FIDO2 security key.

Procedure excerpt:
- Service desk validates identity, enrolls the device, and closes the ticket.

Exception request:
- The legacy partner portal supports only password authentication for 60 days until migration completes.
- The business owner asked for a quick email approval so the team can proceed today.

Question 184 (medium, multiple choice)

Based on the exhibit, what is the best next step before the marketing SaaS platform goes live?

Exhibit

Risk register excerpt:
- Third-party service: CampaignInsight SaaS
- Data stored: Campaign names, business contact emails, and campaign performance metrics
- Known gaps: No customer-managed encryption keys, SOC report is current but lists two low-severity findings, and the vendor cannot support custom log export this quarter
- Compensating controls: SSO, SCIM deprovisioning, monthly access review, and export restrictions
- Business impact if delayed: Launch slips by 45 days and a contract penalty may apply
- Residual risk rating after controls: Medium

Question 185 (medium, multiple choice)

Based on the exhibit, which contract change would most directly reduce the organization's third-party response risk?

Exhibit

Vendor onboarding summary:
- Service: Cloud-based document translation platform
- Data handled: Internal policy drafts and limited employee contact details
- Existing contract terms: Standard uptime clause only
- Security concerns: Vendor does not currently promise breach notification timing, security contact escalation, or the right to review independent assurance reports
- Business note: The vendor is needed for a pilot with non-sensitive documents only

Question 186 (easy, multiple choice)

A policy states that sensitive data must be encrypted, but it does not say which encryption strength to use. The security architect wants a document that lists the exact approved encryption settings for systems to follow. What document is needed?

Question 187 (medium, multiple choice)

Based on the exhibit, what is the best response to the facilities manager's request?

Exhibit

Corporate privacy notice excerpt:
- Employee home addresses, personal phone numbers, and emergency contacts are collected for payroll, benefits, tax reporting, and emergency notification only.
- Access is limited to HR and Payroll unless a privacy review approves another purpose.

Ticket:
- Facilities manager requests an export of all employee home addresses and personal phone numbers to mail holiday gifts and parking passes.

Question 188 (easy, multiple choice)

A coworker asks for a spreadsheet containing employee home addresses and personal phone numbers so they can build a team contact list. What is the best response?

Question 189 (medium, multiple choice)

Based on the exhibit, which document should be updated first to reflect the new ticketing platform while keeping approval requirements unchanged?

Exhibit

Current governance set:
- Policy: Security changes must be approved and recorded.
- Standard: All change requests must use the enterprise ITSM platform.
- Procedure: Step-by-step instructions show screenshots from the old ITSM tool.
- Guideline: Teams may add helpful notes, but the content is optional.

Change note:
- The company replaced the ITSM platform last week.
- Approval workflow, evidence requirements, and retention rules did not change.

Question 190 (easy, multiple choice)

A security team wants every company laptop to have the same screen-lock timeout, disk encryption setting, and local firewall configuration. Which type of document should define these mandatory settings?

Question 191 (easy, multiple choice)

After reviewing a risk memo, the operations director signs off on continuing to use an older application because the cost of replacement is too high right now. Which risk management action did the director take?

Question 192 (easy, multiple choice)

A department wants to keep using a cloud printing service even though the vendor has not yet completed the company's security questionnaire. The business owner agrees to add extra log monitoring until the review is finished. What is the best term for the added monitoring?

Question 193 (easy, multiple choice)

A help desk technician receives a ticket asking for a password reset on a manager's account. The requester says the manager is traveling and cannot be reached. What is the best action before making any change?

Question 194 (easy, multiple choice)

The executive team wants to know which payment services are most critical and how long each can be offline before the business is seriously harmed. Which activity should security support?

Question 195 (easy, multiple choice)

An operations manager states that the customer portal may be unavailable for no more than 15 minutes in a month before the issue must be escalated to executives. Which risk management concept does this statement describe?

Question 196 (easy, multiple choice)

An auditor asks for evidence that the new workstation hardening baseline is actually applied across all finance laptops. Which evidence is the best to provide?

Question 197 (easy, multiple choice)

A legacy production scanner cannot support MFA, but it must remain available for six months until replacement hardware arrives. What is the best security response?

Question 198 (easy, multiple choice)

After several rounds of phishing simulations, management wants a metric that best shows employees are improving at recognizing suspicious messages. Which metric should security track?

Question 199 (medium, multiple choice)

Based on the exhibit, what is the best risk response for the security team to recommend before the customer portal goes live?

Exhibit

Risk Register Excerpt

Asset: Customer portal API
Threat: Web application vulnerability in search endpoint
Inherent likelihood: High (4/5)
Inherent impact: High (5/5)
Current control: WAF rule added after recent scan
Business note: Patch is available and estimated at 3 developer days
Policy note: Internet-facing systems with a known critical vulnerability may not be accepted if a fix is available before release
Target go-live: 14 days
Residual risk owner: Application manager

Question 200 (easy, multiple choice)

During a tabletop exercise, the team realizes no one has a list of who to notify if the online ordering system goes down. Which continuity planning element is missing?

Question 201 (easy, multiple choice)

A development team wants to skip testing and deploy a major application change directly to production to meet a release date. What should the security team require?

Question 202 (medium, multiple choice)

Based on the exhibit, what should the organization do before approving this SaaS vendor to process employee HR records?

Exhibit

Third-Party Security Review Summary

Vendor: BluePeak HR Cloud
Data type: Employee PII and payroll identifiers

Assessment results:
- SOC 2 Type II report: Not available
- Last independent penetration test: 18 months ago
- Breach notification clause: "As soon as practical"
- Data deletion after termination: 180 days
- Subprocessor list: Not maintained
- Admin MFA: Enabled
- Backup encryption: Not documented

Procurement note: Business unit wants to sign this week to meet HR onboarding deadlines.

Question 203 (easy, multiple choice)

Before contracting with a cloud-based payroll provider, the security team requests a security questionnaire, proof of controls, and an independent audit report. What activity is this?

Question 204 (medium, multi select)

A security manager is designing a security program to align with business goals. Which three of the following are essential components of a security program that directly support governance and oversight? (Choose three.)

Question 205 (medium, multi select)

An organization is implementing a third-party vendor risk management program. Which three of the following should be included as key activities to maintain oversight of vendor security? (Choose three.)

Question 206 (medium, multi select)

A security analyst is reviewing the organization’s security awareness program. Which three of the following are key metrics that demonstrate the effectiveness of the program? (Choose three.)

Question 207 (medium, multi select)

An organization is developing a business continuity and disaster recovery (BC/DR) plan. Which three of the following are essential elements that should be included to ensure proper management and oversight? (Choose three.)

Question 208 (medium, multi select)

Which four of the following are key components of a successful security awareness and training program within an organization? (Choose four.)

Question 209 (medium, multi select)

Which four of the following are essential elements of an effective business continuity plan (BCP) that a security manager should oversee? (Choose four.)

Question 210 (medium, drag order)

Drag and drop the steps to perform a factory reset on a managed switch into the correct order.

Question 211 (medium, drag order)

Drag and drop the steps to perform a password reset for a user in Active Directory into the correct order.

