
Security Policies and Procedures practice questions

Practise Cisco CyberOps Associate 200-201 Security Policies and Procedures practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Policies and Procedures

What the exam tests

What to know about Security Policies and Procedures

Security Policies and Procedures questions test whether you can apply the concept in context, not just recognise a definition. The questions in this set cover:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Policies and Procedures exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Policies and Procedures questions

20 questions · select your answer, then reveal the explanation

During which phase of the NIST SP 800-61 Rev 2 incident response process should an organization develop and exercise the incident response plan?

A security analyst receives an alert from the SIEM indicating a large number of failed login attempts from an external IP address targeting a user account. According to the incident response process, what should be the analyst's first action?

An organization's incident response team has identified a malware infection on a critical server. They need to collect evidence for potential legal action. Which of the following is the most important step to ensure the admissibility of the evidence?

Which role in the incident response process is primarily responsible for determining the business impact of an incident and making strategic decisions?

An employee is suspected of using company resources to access inappropriate websites. Which security policy most directly addresses this behavior?

During a risk assessment, a company identifies that the annualized loss expectancy (ALE) for a specific threat is $50,000. The cost to implement a mitigation control is $30,000 with an annual maintenance cost of $5,000. According to risk management principles, what is the most appropriate risk treatment option?

A SOC analyst at Tier 1 receives an alert for a known malware signature. After initial investigation, the analyst finds that the alert is a false positive caused by an outdated signature. What should the analyst do next?

Which threat intelligence sharing standard defines a language and format for representing structured threat information, such as indicators and campaigns?

During the containment phase of an incident, the IR team decides to power off a compromised server to prevent further damage. However, they later realize that this action may have destroyed volatile evidence. According to best practices, what should the team have done instead?

A company's security policy requires that all data classified as 'Confidential' must be encrypted at rest and in transit. This requirement is part of which policy?

Which SOC tier is responsible for threat hunting and advanced forensic analysis?

An incident handler needs to preserve a hard drive from a compromised system. Which two actions are essential to maintain the integrity of the evidence?

Which of the following are responsibilities of the legal counsel role during incident response? (Choose two.)

An organization is implementing a threat intelligence sharing program. They want to exchange both structured indicators and full reports with other members of their ISAC. Which combination of standards/protocols should they choose? (Choose two.)

After resolving a security incident, the IR team conducts a lessons learned meeting. Which of the following are typical outputs of this post-incident activity? (Choose three.)

During the Detection and Analysis phase of incident response, a SOC Tier 1 analyst identifies a potential malware infection on a critical server. What is the FIRST action the analyst should take according to NIST SP 800-61 Rev 2?

An organization is implementing an AUP that prohibits personal use of corporate resources. However, an employee uses a company laptop to access personal email, which leads to a malware infection. Which policy violation is most directly implicated?

In the NIST SP 800-61 Rev 2 incident response process, which phase involves documenting lessons learned and updating the incident response plan?

A SOC analyst is investigating a suspected data exfiltration. The analyst needs to preserve evidence from a compromised workstation. Which of the following is the CORRECT procedure to ensure evidence integrity?

During a security incident, the CISO decides to contain a compromised server by isolating it from the network. Which role is primarily responsible for making this containment decision based on business impact?


Focused Security Policies and Procedures sessions

Start a Security Policies and Procedures only practice session

Every question in these sessions is drawn from the Security Policies and Procedures domain — nothing else.


Frequently asked questions

What does the 200-201 exam test about Security Policies and Procedures?

Security Policies and Procedures questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?

Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Security Policies and Procedures questions in a focused session?

Yes — the session launcher on this page draws every question from the Security Policies and Procedures domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other 200-201 topics?

Use the topic links above to move to related areas, or go back to the 200-201 question bank to see all topics.

Are these real exam questions or dumps?

These are original practice questions written to test the same concepts the 200-201 exam covers. They are not copied from any real exam or dump site.