Quick Answer
The answer is to automate the de-provisioning of user accounts upon employee termination. This directly addresses the root cause of the breach—a former employee’s VPN account remained active for six months, providing an entry point for the attacker. Automating identity lifecycle management offboarding ensures that access rights are revoked immediately when an employee leaves, eliminating the attack vector and enforcing the principle of least privilege. On the Cisco CyberOps Associate 200-201 exam, this scenario tests your understanding of access control policies and the critical role of automated deprovisioning in preventing insider and external threats. A common trap is focusing on monitoring or alerting improvements, but those only detect an active threat rather than prevent it; the core lesson is that disabling accounts at termination is a preventive control. Remember the mnemonic: “Offboard to onboard security—disable before they disable you.”
200-201 Security Policies and Procedures Practice Question
This 200-201 practice question tests your understanding of security policies and procedures. Read the scenario carefully: the correct answer depends on what the scenario actually states, not on general recall alone. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
You are a security analyst at a mid-sized company that uses a mix of on-premises servers and cloud services. The company's security policy requires all sensitive data to be encrypted at rest and in transit, and all access to be logged and monitored. Recently, the company experienced a data breach where an attacker exfiltrated a database containing customer PII. The investigation revealed that the attacker gained access using a compromised VPN account that had been inactive for 6 months. The account belonged to a former employee who left the company but the account was never disabled. The VPN logs show that the account was used from an unusual IP address, but no alert was triggered because the account was not on any watchlist. The breach occurred over a weekend when the security team was not monitoring. Which of the following would have most effectively prevented this breach?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "never"
Why it matters: Absolute qualifier. True only if the statement has zero exceptions — be cautious of options that seem obvious but break down in edge cases.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Automate the de-provisioning of user accounts upon employee termination.
The root cause of the breach was that the former employee's VPN account remained active after termination, allowing the attacker to use it. Automating the de-provisioning of user accounts upon employee termination (Option D) directly addresses this by ensuring that accounts are disabled or removed as part of the offboarding process, eliminating the attack vector entirely. This aligns with the principle of least privilege and identity lifecycle management, which are foundational to access control policies.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Deploy a SIEM with anomaly detection for unusual VPN login locations.
Why it's wrong here
This would detect but not prevent; the attacker would still gain access before an alert is generated.
- ✗
Implement multi-factor authentication on all VPN accounts.
Why it's wrong here
MFA is a strong control and might have blocked the attacker if the second factor was not also compromised, but the scenario does not say how the credentials were obtained, so MFA cannot be assumed to have stopped the login. The question asks what would have 'most effectively prevented' the breach given its root cause: the account stayed active for six months after the employee left. Disabling the account at termination removes the attack vector regardless of which authentication factors were in place, so de-provisioning is the more direct prevention.
- ✗
Increase the frequency of log reviews to daily.
Why it's wrong here
Even if logs were reviewed daily, the breach occurred over a weekend, and the account would still be active.
- ✓
Automate the de-provisioning of user accounts upon employee termination.
Why this is correct
This directly addresses the root cause: the account should have been disabled when the employee left.
Clue confirmation
The clue word "never" in the question points toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the distinction between preventive and detective controls, and the trap here is that candidates choose a detective solution (like SIEM or log review) because it sounds more technical, overlooking the fundamental preventive control of account lifecycle management that would have stopped the breach at its source.
Trap categories for this question
Scenario analysis trap
The MFA option is the most tempting distractor: it is a strong control, but the scenario does not say how the credentials were obtained, and the root cause is an account that stayed active after termination. Candidates who pick MFA are answering a general best-practice question rather than this scenario. Disabling the account at offboarding removes the attack vector regardless of the authentication method.
Detailed technical explanation
How to think about this question
Account de-provisioning is a critical part of the identity lifecycle management (ILM) process, often automated via integration with HR systems using SCIM (System for Cross-domain Identity Management) or LDAP directory synchronization. In real-world scenarios, a common failure is the 'orphaned account'—an account that remains active in Active Directory or a cloud IAM after an employee leaves, which can be exploited by attackers using credential stuffing or brute force. The 200-201 exam emphasizes that preventive controls (like disabling accounts) are more effective than detective controls (like log review) for such identity-based attacks.
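The reconciliation that an automated offboarding job performs can be illustrated in a few dozen lines. The following is an added example, not code from the page or from Cisco or Courseiva: it compares a directory export against an HR roster to find orphaned accounts (enabled accounts whose owner is terminated or has no HR record), separately flags dormant accounts (no logon within a threshold), and produces a disable plan. The account data, the 90-day threshold and the fixed "now" timestamp are constructed; in a real deployment the roster would come from the HR system over SCIM or an HR API and the disable step would call the directory.

```python
"""Offboarding reconciliation: flag accounts that should be disabled.

Constructed example. HR_ROSTER and ACCOUNTS are invented sample data; a real
job would pull them from the HR system and the directory.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str        # link to the HR record; a service account may lack one
    enabled: bool
    last_logon: Optional[datetime]  # None means the account has never logged on
    vpn_access: bool


# Fixed reference time so the example is deterministic (constructed).
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)

# HR roster: employee_id -> status (constructed).
HR_ROSTER: Dict[str, str] = {
    "E100": "active",
    "E200": "terminated",   # left six months ago; account was never disabled
    "E300": "active",
    "E400": "terminated",   # left, and the account was correctly disabled
}

# Directory export (constructed).
ACCOUNTS: List[Account] = [
    Account("jsmith", "E100", True, datetime(2024, 6, 28, tzinfo=timezone.utc), True),
    Account("former.emp", "E200", True, datetime(2023, 12, 20, tzinfo=timezone.utc), True),
    Account("svc-backup", "E999", True, datetime(2024, 6, 30, tzinfo=timezone.utc), False),
    Account("alee", "E300", True, None, True),
    Account("bwong", "E400", False, datetime(2024, 1, 5, tzinfo=timezone.utc), True),
]


def find_orphaned(accounts: List[Account], roster: Dict[str, str]) -> List[str]:
    """Enabled accounts whose owner is not an active employee in HR.

    A missing HR record is treated the same as a terminated one: an account
    nobody owns is exactly the kind that outlives its purpose.
    """
    return sorted(
        a.username for a in accounts
        if a.enabled and roster.get(a.employee_id) != "active"
    )


def find_dormant(accounts: List[Account], now: datetime, max_idle_days: int = 90) -> List[str]:
    """Enabled accounts with no logon inside the idle window (or never)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(
        a.username for a in accounts
        if a.enabled and (a.last_logon is None or a.last_logon < cutoff)
    )


def plan_deprovisioning(accounts: List[Account], roster: Dict[str, str],
                        now: datetime, max_idle_days: int = 90) -> Dict[str, str]:
    """Map username -> reason for every account that should be disabled.

    Orphaned takes precedence over dormant, since the HR fact is the stronger
    signal; an account can appear in both lists.
    """
    plan: Dict[str, str] = {}
    for user in find_orphaned(accounts, roster):
        plan[user] = "orphaned: owner terminated or not in HR"
    for user in find_dormant(accounts, now, max_idle_days):
        plan.setdefault(user, f"dormant: no logon in {max_idle_days} days")
    return plan


def apply_plan(accounts: List[Account], plan: Dict[str, str]) -> List[Account]:
    """Dry-run disable: return a new account list with planned accounts disabled."""
    return [replace(a, enabled=False) if a.username in plan else a for a in accounts]


def vpn_login_allowed(accounts: List[Account], username: str) -> bool:
    """Model the VPN gateway's first check: enabled account with VPN entitlement."""
    return any(a.username == username and a.enabled and a.vpn_access for a in accounts)


if __name__ == "__main__":
    plan = plan_deprovisioning(ACCOUNTS, HR_ROSTER, NOW)
    for user, reason in plan.items():
        print(f"disable {user}: {reason}")
    after = apply_plan(ACCOUNTS, plan)
    print("former.emp VPN login allowed after offboarding run:",
          vpn_login_allowed(after, "former.emp"))
```

Running the script lists `former.emp` and `svc-backup` as orphaned and `alee` as dormant, and the former employee's VPN login is refused once the plan is applied; `bwong` is never touched because that account was already disabled at termination, which is the outcome automation is meant to guarantee. The dormant check is a safety net for the case the HR feed misses, not a replacement for it.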
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
FAQ
Questions learners often ask
What does this 200-201 question test?
Security Policies and Procedures. The key idea is to read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Automate the de-provisioning of user accounts upon employee termination. — The root cause of the breach was that the former employee's VPN account remained active after termination, allowing the attacker to use it. Automating the de-provisioning of user accounts upon employee termination (Option D) directly addresses this by ensuring that accounts are disabled or removed as part of the offboarding process, eliminating the attack vector entirely. This aligns with the principle of least privilege and identity lifecycle management, which are foundational to access control policies.
What should I do if I get this 200-201 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "never". Absolute qualifier. True only if the statement has zero exceptions — be cautious of options that seem obvious but break down in edge cases.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 11, 2026
This 200-201 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-201 exam.