CCNA Security Policies Procedures Questions

75 of 145 questions · Page 1/2 · Security Policies Procedures topic

1
MCQ · hard

During a security audit, an analyst finds that a third-party vendor has access to sensitive customer data beyond what is necessary for their services. Which principle of least privilege should the policy enforce?

A. Implement an incident response plan for data leaks
B. Update the end-user license agreement
C. Enforce a data classification and access control policy
D. Invoke a service-level agreement
Answer: C

This policy limits vendor access to only necessary data.

Why this answer

The principle of least privilege means granting only the minimum rights needed. The policy should enforce a data classification and access control policy that restricts vendor access to only required data sets. Option C is correct.

Option A (incident response) is after the fact. Option B (end-user license agreement) is between vendor and customer. Option D (service-level agreement) defines service levels.

2
MCQ · medium

A company's security policy requires that all servers have host-based intrusion detection (HIDS) installed and configured to send alerts to the SIEM. During a routine check, you find that a critical database server has HIDS installed but is not sending alerts because the agent service is stopped. The server administrator says he stopped the service because it was using too much CPU. The policy requires that any deviation from baseline must be approved by the security team. What should you do?

A. Restart the service on the server and submit a change request for CPU optimization.
B. Accept the server administrator's justification and document it.
C. Recommend setting the HIDS process priority to low to reduce CPU impact.
D. Report the non-compliance to the security manager and disable the server until compliance is restored.
Answer: A

This restores compliance and initiates the proper process for a permanent fix.

Why this answer

Option A is correct because restarting the service and submitting a change request for CPU optimization addresses the immediate non-compliance while working on a solution. Option B is too lenient; Option C may not solve the CPU issue and bypasses approval; Option D is too harsh.

3
MCQ · hard

A security auditor reviews the SNMP configuration. Which security concern should be reported?

A. The location and contact information is exposed
B. SNMP is disabled on the router
C. The community strings are set to default values
D. The private community string is read-only
Answer: C

Default community strings are easily guessed.

Why this answer

Option C is correct because default SNMP community strings (e.g., 'public' for read-only, 'private' for read-write) are well-known and widely documented. An attacker who discovers these defaults can query or modify the device's MIB, leading to information disclosure or unauthorized configuration changes. This is a critical security concern that must be reported.

Exam trap

Cisco often tests the distinction between the existence of a default community string (a critical vulnerability) versus the access level (read-only vs. read-write) or the exposure of non-sensitive MIB objects like sysLocation.

How to eliminate wrong answers

Option A is wrong because exposing location and contact information is a low-severity information disclosure issue, not the primary security concern when default community strings are in use. Option B is wrong because disabling SNMP is actually a security best practice, not a security concern. Option D is wrong because a read-only private community string is actually more secure than a read-write one; the problem is that the string itself is set to a default value, not its access level.

4
MCQ · hard

An investigator seizes a laptop as evidence from a crime scene. At the scene, the laptop is turned on and a log file is open. What should the investigator do to preserve evidence according to chain of custody procedures?

A. Close the log file and copy it to a USB drive
B. Shut down the laptop and remove the hard drive
C. Execute the log file to ensure it is legitimate
D. Photograph the screen and create a forensic image
Answer: D

This captures the current state and preserves the evidence.

Why this answer

Option D is correct because photographing the screen captures the current state, and creating a forensic image preserves the data. Option A is wrong because closing the file may alter metadata or memory. Option B is wrong because shutting down may lose volatile data. Option C is wrong because executing the file could modify evidence.

5
MCQ · hard

A company's security policy states that all network traffic must be inspected by an IPS. However, encrypted traffic (SSL/TLS) is bypassing inspection. The network team wants to implement SSL decryption. What is the primary policy consideration before implementing?

A. Configure the firewall to block SSL traffic that cannot be decrypted.
B. Notify all users that their traffic will be inspected.
C. Create a certificate authority to issue certificates to all internal servers.
D. Ensure that the SSL decryption device has enough CPU capacity.
E. Obtain legal approval for decryption of user traffic.
Answer: E

Decryption raises privacy and legal issues.

Why this answer

Option E is correct because legal and policy approval for traffic decryption is paramount. Options A, C, and D are technical steps that follow approval. Option B is important but secondary to legal approval.

6
Multi-Select · medium

Which TWO incident types must be reported within 1 hour under the company's incident response policy?

Select 2 answers
A. Unauthorized access
B. Malware outbreak
C. Phishing simulation failure
D. Spam campaign
E. Policy violation
Answers: A, B

Unauthorized access is a security breach requiring immediate action.

Why this answer

Option A (unauthorized access) and Option B (malware outbreak) are critical incidents requiring immediate reporting. Options C, D, and E are less severe and may have longer reporting windows.

7
Multi-Select · medium

An organization is implementing a security policy that requires all remote access to the corporate network to be authenticated using multi-factor authentication (MFA). Which TWO of the following are valid MFA factors?

Select 2 answers
A. IP address whitelist
B. Smart card
C. Password
D. Fingerprint scan
E. Security question
Answers: B, D

Smart card is a possession factor.

Why this answer

Smart card (Option B) is a valid MFA factor because it falls under the 'something you have' category. Multi-factor authentication requires at least two different categories from 'something you know' (e.g., password), 'something you have' (e.g., smart card, token), and 'something you are' (e.g., biometric). A smart card stores a digital certificate and private key, used for cryptographic authentication, typically requiring a PIN (knowledge factor) to unlock it, thus providing two-factor authentication when combined.

Exam trap

Cisco often tests the distinction between authentication factors and access control lists; the trap here is that candidates mistake an IP address whitelist (a security policy control) for an authentication factor, or think a security question counts as a separate factor when it is merely another form of 'something you know'.

8
MCQ · medium

A security policy requires that all mobile devices connecting to corporate email must have a screen lock and be able to be remotely wiped. An employee's personal phone is lost. The employee reports the loss immediately. The phone is enrolled in MDM with remote wipe capability. However, the employee has not set a screen lock, violating policy. The phone contains synced email and contacts. What should the security team do?

A. Remotely wipe the phone immediately.
B. Ask the employee to set a screen lock remotely.
C. Accept the risk since the phone is lost and wipe is possible.
D. Report the violation and suspend the employee's email access until compliance.
Answer: A

This prevents unauthorized access to corporate data.

Why this answer

Option A is correct because remote wipe is the most critical action to protect corporate data. Option B is impossible because the phone is lost; Option C delays protection; Option D is wrong because the wipe should be done first.

9
MCQ · medium

Refer to the exhibit. A security analyst observes a SIEM alert and a firewall log. The firewall allowed the traffic. According to the company's security policy, which action should the analyst take first?

A. Check if the firewall blocked the traffic.
B. Investigate the user's recent activity.
C. Ignore the alert as it is a false positive.
D. Create a firewall rule to block the source IP.
Answer: D

Immediate containment by blocking the IP is appropriate.

Why this answer

The correct answer is D because the firewall log shows the traffic was allowed, and the SIEM alert indicates a security event. According to the security policy, the immediate action is to block the source IP to prevent further potential malicious activity. Creating a firewall rule to block the source IP is a direct and effective response to mitigate the threat.

Exam trap

Cisco often tests the candidate's ability to prioritize containment over investigation; the trap here is choosing 'investigate the user's recent activity' instead of immediately blocking the malicious source IP.

How to eliminate wrong answers

Option A is wrong because the firewall log explicitly shows the traffic was allowed, so checking if it was blocked is redundant and wastes time. Option B is wrong because while investigating user activity may be necessary later, the first priority under the security policy is to contain the threat by blocking the source IP. Option C is wrong because the SIEM alert and firewall log together indicate a real security event, not a false positive, so ignoring it would violate security policy.

10
Multi-Select · easy

An organization's security policy defines acceptable use of corporate email. Which THREE of the following actions are typically prohibited?

Select 3 answers
A. Using email to subscribe to personal newsletters.
B. Emailing the IT support for assistance.
C. Sending personal emails using the corporate account.
D. Forwarding corporate emails to personal external accounts.
E. Using email to send sensitive customer data without encryption.
Answers: C, D, E

Often restricted to incidental use only.

Why this answer

Options C, D, and E are typically prohibited. Option C: personal emails are often restricted. Option D: forwarding to personal accounts raises data loss risk. Option E: sending sensitive data unencrypted violates policy.

Option B: emailing IT support is allowed. Option A: subscribing to newsletters is often discouraged but not always prohibited; here it is not selected.

11
Multi-Select · easy

A security analyst is creating a procedure for responding to a phishing email reported by a user. Which TWO steps should be included?

Select 2 answers
A. Delete the email from the user's inbox remotely.
B. Ask the user to forward the original email to the security team.
C. Immediately block the sender's email address at the gateway.
D. Require the user to change their password.
E. Investigate if any other users received similar emails.
Answers: C, E

Blocking prevents further phishing attempts from that sender.

Why this answer

Blocking the sender (C) and investigating whether others received similar emails (E) are standard initial steps. Forwarding the original email (B) may alter headers; deleting it remotely (A) is not always possible or needed; a password change (D) is premature without evidence of compromise.

12
Multi-Select · hard

A company's security policy requires that all changes to firewall rules must be approved by the change advisory board (CAB). Which THREE of the following are valid reasons to bypass this process?

Select 3 answers
A. Removing a rule for a decommissioned application during maintenance.
B. Adding a new server to the DMZ for a planned project.
C. Troubleshooting a network connectivity issue causing downtime.
D. Implementing a temporary rule for a scheduled penetration test.
E. Critical security vulnerability zero-day exploit requiring immediate block.
Answers: C, D, E

Restoring service during an outage is often allowed as an emergency change.

Why this answer

Emergency fixes for critical vulnerabilities (E), connectivity issues causing downtime (C), and pre-approved penetration tests (D) are common exceptions. Planned additions (B) and removals (A) should follow standard change management.

13
MCQ · medium

During a security incident, a security analyst isolates an affected host and collects a memory dump. According to incident response procedures, what is the next step the analyst should take?

A. Reboot the host to clear any malware from memory
B. Notify the public relations team immediately
C. Restore the host from a known good backup
D. Analyze the memory dump to identify indicators of compromise
Answer: D

Analysis is the logical next step after data collection to determine the cause and extent.

Why this answer

Option D is correct because after containment (isolation) and data collection (memory dump), the next step is analysis to understand the scope and impact. Option B is premature before analysis. Option A is not a standard incident response step. Option C happens after analysis and eradication.

14
MCQ · medium

An incident response plan specifies that containment must be completed before eradication. A security analyst identifies a malware infection on a critical server. What should be done first?

A. Disconnect the server from the network
B. Run antivirus scans
C. Notify law enforcement
D. Reinstall the operating system
Answer: A

Disconnecting is a containment action that prevents further spread.

Why this answer

According to the incident response plan, containment must be completed before eradication. Disconnecting the server from the network (Option A) is the immediate containment action that prevents the malware from spreading laterally to other hosts, preserving the integrity of the network and allowing for forensic analysis. This step aligns with the NIST SP 800-61 incident response lifecycle, where containment is prioritized to limit damage before any eradication or recovery steps are taken.

Exam trap

Cisco often tests the strict ordering of the incident response phases (Preparation, Detection & Analysis, Containment, Eradication, Recovery, Post-Incident Activity), and the trap here is that candidates confuse eradication actions (like running antivirus or reinstalling the OS) with the required first containment step, leading them to choose a technically plausible but procedurally incorrect answer.

How to eliminate wrong answers

Option B is wrong because running antivirus scans is an eradication or detection step, not a containment action; performing scans before containment could alert the malware or cause it to spread further. Option C is wrong because notifying law enforcement is a post-containment notification step that occurs after the scope of the incident is understood and evidence is preserved, not the first action. Option D is wrong because reinstalling the operating system is a recovery/eradication step that should only occur after containment is complete and forensic evidence has been collected; doing so first would destroy volatile data and potentially violate chain of custody.

15
MCQ · hard

Refer to the exhibit. A network administrator notices that remote SSH logins to the router succeed, but the router is not sending accounting records. Based on the configuration, what is the most likely cause?

A. The AAA authorization method is set to local, not TACACS+.
B. The TACACS+ server key is not configured correctly.
C. The AAA authentication method uses local database instead of TACACS+.
D. The accounting command references a TACACS+ group that is not defined.
Answer: D

The group 'tacacs+' is not defined; only a server is configured.

Why this answer

The correct answer is D because the `accounting exec default` command references a TACACS+ server group named 'tacacs_server_group' that is not defined in the configuration. Without a defined server group, the router cannot send accounting records to any TACACS+ server, even though SSH authentication succeeds via the local database.

Exam trap

Cisco often tests the distinction between authentication, authorization, and accounting (AAA) components, and the trap here is that candidates assume a working authentication implies accounting is also functional, overlooking that accounting requires a correctly defined and referenced server group.

How to eliminate wrong answers

Option A is wrong because the AAA authorization method is not the issue; authorization controls what commands or services a user can execute, not whether accounting records are sent. Option B is wrong because the TACACS+ server key is configured correctly with the `key cisco123` command under the TACACS+ server definition, so key mismatch is not the cause. Option C is wrong because the AAA authentication method uses the local database for login, which allows SSH access to succeed, but accounting is independent of authentication; the problem is that the accounting method references an undefined server group, not that authentication uses local.

16
MCQ · easy

A security analyst reviews the firewall log. What is the most likely reason for the denied connection?

A. The destination port is blocked by default
B. The source IP address is an external threat
C. The destination IP is a known malicious host
D. The access control list does not permit the traffic
Answer: D

Denied by access-group indicates ACL blocking.

Why this answer

The firewall log shows a denied connection, and the most likely reason is that the access control list (ACL) does not permit the traffic. Firewalls enforce security policies by evaluating traffic against ACL rules; if no rule explicitly allows the packet (based on source/destination IP, port, and protocol), the implicit deny at the end of the ACL drops the connection. This is the default behavior for stateful firewalls and is the most common cause of denied connections in logs.

Exam trap

Cisco often tests the concept that the implicit deny at the end of an ACL is the most common reason for denied traffic, tempting candidates to overthink with threat-based answers like external IPs or malicious hosts.

How to eliminate wrong answers

Option A is wrong because destination ports are not 'blocked by default' in a generic sense; firewalls block traffic based on ACL rules, not a default port blocklist, and many ports (e.g., 80, 443) are often permitted unless explicitly denied. Option B is wrong because the source IP being an external threat is a specific threat intelligence match, not the most likely reason for a denied connection; firewalls deny traffic primarily due to ACL mismatches, not because of external threat lists unless a rule explicitly references them. Option C is wrong because the destination IP being a known malicious host would require the firewall to have a threat intelligence feed or a specific block rule; without such a rule, the firewall would not deny traffic based solely on reputation, and the log entry would typically indicate a threat block, not a generic ACL deny.

17
MCQ · medium

During a change management process, a security administrator approves a firewall rule change. After implementation, a critical application becomes unreachable. Which step in the change process was likely missed?

A. Post-implementation documentation
B. Backout plan development
C. Testing in a staging environment
D. Peer review of the change
Answer: B

Without a backout plan, reverting changes is delayed.

Why this answer

A thorough backout plan should be prepared before change implementation so that if issues occur, the change can be reversed. Option B is correct. Option D (peer review) helps but is not the direct cause.

Option C (testing) might have been done but is not the immediate issue. Option A (documentation) is important but not the direct cause of unreachability.

18
MCQ · easy

Refer to the exhibit. A network administrator applies this ACL to the WAN interface. What is the effect on BitTorrent traffic (which typically uses ports 6881-6889)?

A. All TCP traffic is blocked
B. Only outgoing BitTorrent traffic is blocked
C. Incoming BitTorrent traffic using ports 6881-6889 is blocked
D. All BitTorrent traffic is permitted
Answer: C

The ACL denies those ports inbound, blocking incoming BitTorrent connections.

Why this answer

Option C is correct. The ACL denies TCP and UDP on ports 6881-6889 and permits everything else. BitTorrent uses these ports, so it is blocked in the inbound direction.

Option A is wrong because the ACL only denies those ports; the permit any any allows all other traffic. Option B is wrong because the ACL is applied inbound, so it is incoming, not outgoing, BitTorrent traffic that is blocked. Option D is wrong because those specific ports are blocked.

19
MCQ · medium

A security policy requires that all privileged access be logged and monitored. A junior admin uses a shared service account to perform maintenance. The logs show the account logged in from multiple IPs at the same time. What does this indicate?

A. There is a network issue causing duplicate logs.
B. The account is compromised.
C. The account is being used by multiple administrators simultaneously.
D. The account is being used by an automated script.
E. The logging system is malfunctioning.
Answer: C

Shared accounts lead to loss of accountability.

Why this answer

Option C is correct because a shared account used by multiple admins explains simultaneous logins. Option B is possible but less likely than a policy violation. Options A, D, and E are less plausible.

20
MCQ · medium

Refer to the exhibit. An administrator configured AAA on a Cisco router. What is the expected outcome when a user tries to access privileged EXEC mode (enable) with the username 'admin' and password 'cisco123'?

A. The user is granted access to user EXEC mode only
B. The user is denied all access because no enable secret is set
C. The user is granted full privileged EXEC access
D. The user enters user EXEC mode but is denied enable access due to missing enable secret
Answer: D

Correct: local-case works for login, but enable authentication fails.

Why this answer

The configuration uses the 'enable' authentication method for privileged EXEC mode, which checks the enable secret or enable password rather than the local user database. Since no enable secret is configured, enable authentication fails. However, the user must first log in to user EXEC mode.

For user EXEC, login uses local-case authentication, so 'admin' with password 'cisco123' works there. For enable, the 'enable' method requires the enable password; since none is set, the user is denied enable access.

Option D is correct. Option A is wrong because user EXEC works. Option B is wrong because enable access fails.

Option C is wrong because the user cannot even enter enable mode.

21
MCQ · medium

A company's remote access policy requires VPN connections to use two-factor authentication (2FA). An employee reports they cannot connect because their token is not syncing. What is the best course of action?

A. Disable 2FA for the employee
B. Replace the token and allow access anyway
C. Temporarily allow connections without 2FA
D. Provide a new token and synchronize it correctly
Answer: D

This resolves the issue while maintaining policy compliance.

Why this answer

Option D is correct because the core issue is a synchronization problem between the employee's token and the authentication server. Two-factor authentication (2FA) relies on time-based one-time passwords (TOTP) or event-based (HOTP) algorithms; if the token's clock drifts or the counter becomes out of sync, authentication fails. Providing a new token and correctly synchronizing it (e.g., via NTP time alignment or reseeding the HMAC-based OTP counter) restores secure access without bypassing the security policy.

Exam trap

Cisco often tests the misconception that any token failure should be resolved by temporarily disabling security controls (like 2FA) rather than fixing the underlying technical issue, tempting candidates to choose options that weaken security instead of following proper troubleshooting procedures.

How to eliminate wrong answers

Option A is wrong because disabling 2FA for the employee violates the remote access policy and eliminates the second authentication factor, leaving the VPN connection protected only by a password, which is a security downgrade. Option B is wrong because replacing the token without ensuring proper synchronization will likely result in the same sync failure; simply allowing access anyway bypasses authentication controls and undermines the 2FA requirement. Option C is wrong because temporarily allowing connections without 2FA creates a window of vulnerability where an attacker could exploit the lack of a second factor, and it violates the explicit policy requiring 2FA for all VPN connections.

22
Multi-Select · easy

A company is creating an incident response policy. Which TWO elements should be included to ensure proper handling of security incidents?

Select 2 answers
A. Contact information for law enforcement
B. A list of employee performance metrics
C. A step-by-step procedure for containment, eradication, and recovery
D. A schedule for quarterly vulnerability scans
E. List of approved vendors for forensic tools
Answers: A, C

Having contact information for law enforcement is a key part of an incident response communication plan.

Why this answer

Option A is correct because an incident response policy must include contact information for law enforcement to ensure timely reporting of crimes such as data breaches or ransomware attacks, as required by regulations like GDPR or state breach notification laws. This enables proper legal handling and chain-of-custody preservation. Option C is correct because a step-by-step procedure for containment, eradication, and recovery is the core operational framework of the NIST SP 800-61 incident response lifecycle, ensuring consistent and effective response actions.

Exam trap

Cisco often tests the distinction between proactive security controls (like vulnerability scans or vendor lists) and reactive incident response procedures, causing candidates to mistakenly include operational or procurement details as policy elements.

23
Matching · medium

Match each network protocol to its well-known port number.

Port numbers to match: 22, 443, 53, 25, 3389

Why these pairings

These are standard well-known port assignments.

24
MCQ · hard

A multinational company has a security policy that all data at rest in cloud storage must be encrypted using company-managed keys. The cloud administrator, due to performance concerns, configured server-side encryption with AWS managed keys instead. The security team discovers this during an audit. The policy does not differentiate between encryption types. The data stored includes financial records. What should the security team do?

A. Perform a risk assessment and present options to management, including the risk of not using company-managed keys.
B. Require the administrator to migrate the data to use company-managed keys immediately.
C. Accept the current configuration and update the policy to allow AWS managed keys for performance.
D. Disable the cloud storage until compliance is achieved.
Answer: A

This informs decision-makers with proper analysis.

Why this answer

Option A is correct because a risk assessment and management decision balances security and business needs. Option C is premature; Option B might be too disruptive; Option D is extreme.

25
MCQ · hard

An organization's security policy requires data classification labels to be applied to all documents. A manager sends a spreadsheet containing employee PII (personally identifiable information) to the entire company without labeling. Which policy has been violated?

A. Acceptable Use Policy
B. Data Classification Policy
C. Remote Access Policy
D. Incident Response Policy
Answer: B

Data classification mandates labeling based on sensitivity.

Why this answer

The data classification policy requires proper labeling. Sending unlabeled PII violates that policy. Option B is correct.

Option A (acceptable use) might be relevant, but labeling is the core issue. Option D (incident response) applies after detection. Option C (remote access) is not relevant.

26
Multi-Select · hard

Which TWO of the following are valid reasons to create an exception to a security policy? (Choose two.)

Select 2 answers
A. The employee finds the policy inconvenient.
B. The policy is too new and employees are not yet trained.
C. The employee is a senior executive.
D. A business-critical application cannot function with the policy control.
E. Temporary exception to avoid disrupting operations during a migration.
Answers: D, E

If the control breaks a critical app, a temporary exception with compensatory controls may be needed.

Why this answer

Option D is correct because a business-critical application that cannot function with a security policy control represents a legitimate operational need that may require a temporary exception. Security policies should support business objectives, and if a control (e.g., a firewall rule, an antivirus exclusion, or an application whitelisting policy) prevents a critical application from running, an exception can be granted after a risk assessment and compensating controls are implemented. This aligns with the principle of balancing security with business continuity.

Exam trap

Cisco often tests the misconception that seniority or personal inconvenience can justify policy exceptions, but the correct reasoning must always tie back to business continuity or technical necessity, not status or preference.

27
MCQ · hard

During a security awareness training session, an employee reports they clicked a link in a phishing email but did not enter credentials. Which policy violation is most likely involved?

A. Data classification policy
B. Acceptable use policy
C. Incident reporting policy
D. Password policy
Answer: C

Employees should report suspicious activity; failing to do so is a policy violation.

Why this answer

Option C is correct because clicking a suspected phishing link without reporting it violates the incident reporting policy. Option D is wrong because the employee did not enter credentials, so the password policy is intact. Option B is wrong because the link itself is not necessarily prohibited by the AUP unless it involves inappropriate content. Option A is wrong because the data classification policy is about handling data, not email links.

28
Multi-Select · medium

Which TWO of the following are key components of a security policy framework according to Cisco? (Choose two.)

Select 2 answers
A. Guidelines
B. Standards
C. Incident Response Plan
D. Audit Logs
E. Firewalls
Answers: A, B

Guidelines offer best practices for policies.

Why this answer

In Cisco's security policy framework, guidelines and standards are foundational components. Guidelines offer recommended practices and flexible advice for implementing security controls, while standards define mandatory, specific technical requirements (e.g., encryption algorithms, password complexity) that must be followed. Together, they provide the structure for consistent security enforcement across an organization.

Exam trap

Cisco often tests the distinction between policy framework components (guidelines, standards) and operational or technical elements (incident response plans, audit logs, firewalls), leading candidates to confuse procedural or tool-based answers with the written policy structure.

29
MCQ · easy

A security policy mandates that all administrative access to network devices must be encrypted. Which of the following protocols should be used to comply with this policy?

A. Telnet
B. SSH
C. TFTP
D. SNMPv2c
Answer: B

SSH provides strong encryption for remote administrative sessions, ensuring compliance.

Why this answer

SSH provides an encrypted, authenticated remote session and is the only listed protocol that meets the requirement. Telnet sends usernames and passwords in clear text. TFTP transfers files (images, configurations) with no authentication or encryption, and SNMPv2c carries its community string in clear text; neither provides an interactive administrative session, so neither can satisfy the policy.

30
MCQeasy

A company's security policy requires that all laptops accessing the corporate network must have full-disk encryption enabled. During a routine audit, an analyst discovers that a manager's laptop does not have encryption enabled. What is the most appropriate first step according to standard security incident response procedures?

A.Disconnect the laptop from the network immediately.
B.Document the finding and escalate to the incident response team.
C.Install encryption software on the laptop without notifying the user.
D.Wipe the laptop and reinstall the operating system.
AnswerB

Proper procedure is to document and escalate; the IR team will handle remediation.

Why this answer

Option B is correct because the first step in standard incident response procedures (as defined by NIST SP 800-61 and Cisco's IR framework) is to document the finding and escalate to the incident response team. This ensures that the potential policy violation is formally recorded and that trained responders can assess the risk, determine if sensitive data was exposed, and coordinate remediation without prematurely destroying evidence or causing operational disruption.

Exam trap

Cisco often tests the distinction between 'immediate containment' and 'proper escalation' in incident response, trapping candidates who confuse a policy violation with an active security breach requiring urgent network disconnection.

How to eliminate wrong answers

Option A is wrong because immediately disconnecting the laptop from the network is a reactive containment step that should only be taken after the incident response team has assessed the situation; doing so prematurely could destroy volatile evidence (e.g., active network connections, running processes) and disrupt legitimate business operations. Option C is wrong because installing encryption software without notifying the user violates change management policies and could overwrite existing data or trigger unintended system behavior, bypassing proper authorization and documentation. Option D is wrong because wiping the laptop and reinstalling the OS is a destructive remediation step that destroys all forensic evidence and should only be performed after a full investigation and data preservation have been completed.

31
MCQhard

A company's security policy includes a clause that all software installed on company devices must be approved by the IT department. An employee installs an unapproved application that later causes a malware infection. Which policy was violated?

A.Incident Response Policy
B.Acceptable Use Policy
C.Data Retention Policy
D.Remote Access Policy
AnswerB

Software installation rules are part of acceptable use.

Why this answer

The Acceptable Use Policy (AUP) defines what activities and software are permitted on company devices. By installing an unapproved application without IT authorization, the employee violated the AUP, which directly led to the malware infection. This policy is the primary control for preventing unauthorized software installations that bypass security baselines.

Exam trap

Cisco often tests the distinction between a proactive policy (AUP) that prevents unauthorized actions and a reactive policy (Incident Response) that handles the aftermath, causing candidates to confuse the policy that was violated with the policy that describes the response to the violation.

How to eliminate wrong answers

Option A is wrong because the Incident Response Policy governs the procedures for detecting, containing, and remediating security incidents after they occur, not the prohibition of unauthorized software installations. Option C is wrong because the Data Retention Policy specifies how long data must be kept and when it should be deleted, and has no relation to software installation approvals. Option D is wrong because the Remote Access Policy controls how external users connect to the internal network (e.g., VPN authentication, split tunneling rules), not the installation of local applications.

32
MCQhard

During an incident, a first responder pulls the network cable of a compromised server. Later, the incident response team is unable to collect volatile data such as running processes. Which policy or procedure was violated?

A.Chain of Custody Procedure
B.Incident Response Procedure for evidence preservation
C.Forensic Analysis Procedure
D.Escalation Procedure
AnswerB

Immediate disconnection prevented capture of volatile data.

Why this answer

Option B is correct: incident response procedures for evidence preservation require that volatile data (running processes, network connections, memory contents, logged-in users) be captured before the host is isolated or powered down, because isolating it first can discard that state or trigger malware behaviour. Option A (chain of custody) governs how collected evidence is documented and handed over; nothing had been collected yet.

Option C (forensic analysis) is a later step that depends on evidence having been preserved first. Option D (escalation) is not the core issue; the responder could have escalated and still preserved the volatile data.

33
MCQhard

Refer to the exhibit. A security analyst reviews the access list. Senior management has authorized SSH access (port 22) to external servers only from the 10.1.1.0/24 and 10.1.2.0/24 subnets. What is the most significant security flaw in this ACL?

A.The destination 'any' allows SSH to any external server, which is too permissive
B.The ACL permits SSH from unauthorized IP addresses
C.The ACL sequence is illogical; line 30 should be before lines 10 and 20
D.The permit ip any any at the end allows all unexamined traffic, potentially bypassing other security controls
AnswerD

A trailing permit ip any any overrides the implicit deny at the end of every IOS ACL, so anything not explicitly matched above it is allowed. Better practice is to permit only what policy authorizes and let the implicit deny (or an explicit, logged deny) catch everything else.

Why this answer

Option D is correct. After permitting SSH from the two authorized subnets (lines 10 and 20) and denying SSH from everyone else (line 30), line 40 permits all remaining traffic. The intent was to restrict SSH to specific sources, but the closing permit ip any any allows every other protocol from every source, which can include traffic other controls were meant to block.

Option A is wrong because policy authorizes SSH to external servers in general, so a destination of any matches the stated intent; the SSH lines are not the problem. Option B is wrong because lines 10 and 20 match only the two authorized subnets and line 30 denies SSH from every other source. Option C is wrong because ACLs are processed top-down with the first match winning: moving the deny on line 30 ahead of lines 10 and 20 would block SSH from the authorized subnets as well.

34
Multi-Selecteasy

A security policy requires that employees use strong passwords. Which TWO of the following are characteristics of a strong password? (Select two.)

Select 2 answers
A.Uses a mix of uppercase, lowercase, numbers, and special characters
B.Is changed every 90 days
C.Is a common dictionary word
D.Contains the user's username
E.At least 8 characters
AnswersA, E

Complexity increases entropy and resistance to cracking.

Why this answer

Options A and E are correct because length and character variety together enlarge the keyspace an attacker must search. Option D is wrong because a password containing the username is among the first guesses any cracking tool tries. Option C is wrong because dictionary words fall to wordlist attacks in seconds regardless of length.

Option B describes password age, not strength. As a practitioner caveat, NIST SP 800-63B recommends against forced periodic rotation unless compromise is suspected and favours length plus screening against known-breached passwords over mandatory composition rules; the keyed answer follows the classic CCNA treatment.
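The checker below is an added example, not part of the page's question bank: it applies the two keyed characteristics (length and character mix) and the two rejection rules from the wrong options (username, dictionary word), and adds a rough entropy estimate so you can see why a "complex" password built on a dictionary word is still weak. COMMON_WORDS is a constructed, tiny stand-in for a real wordlist; the function names are this example's own.

```python
import math
import string

# Constructed stand-in for a real wordlist (e.g. a breached-password list); not from the page.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty"}

REQUIRED_CLASSES = {"lower", "upper", "digit", "special"}
POOL_SIZE = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def _char_classes(pw: str) -> set:
    """Return which of the four character classes the password uses."""
    present = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            present.add("lower")
        elif ch in string.ascii_uppercase:
            present.add("upper")
        elif ch in string.digits:
            present.add("digit")
        else:
            present.add("special")
    return present


def estimate_entropy_bits(pw: str) -> float:
    """Naive keyspace estimate: len * log2(pool of the classes used).

    This assumes every character was chosen at random, so it overstates the
    strength of dictionary-based passwords; the dictionary check below is what
    catches those.
    """
    pool = sum(POOL_SIZE[c] for c in _char_classes(pw))
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0


def password_weaknesses(pw: str, username: str, dictionary=COMMON_WORDS, min_length: int = 8) -> list:
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:                                   # option E: minimum length
        problems.append(f"shorter than {min_length} characters")
    missing = REQUIRED_CLASSES - _char_classes(pw)             # option A: character mix
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if username and username.lower() in pw.lower():            # option D: contains username
        problems.append("contains the username")
    # Strip digits and symbols so "Summer2024!" is recognised as the word "summer".
    core = "".join(ch for ch in pw.lower() if ch.isalpha())
    if core in dictionary:                                     # option C: dictionary word
        problems.append(f"based on the dictionary word '{core}'")
    return problems


def is_strong(pw: str, username: str, **kwargs) -> bool:
    return not password_weaknesses(pw, username, **kwargs)


if __name__ == "__main__":
    for candidate in ["password", "jdoe123", "Summer2024!", "c0rrect-H0rse-Battery!"]:
        print(f"{candidate!r}: {estimate_entropy_bits(candidate)} bits, "
              f"problems={password_weaknesses(candidate, 'jdoe')}")
```

Note that "Summer2024!" satisfies the four-class rule and the length rule yet is rejected, because once the digits and the symbol are stripped it is a wordlist entry with a predictable suffix; that is the case a composition-only check misses.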

35
Drag & Dropmedium

Drag and drop the steps for initial configuration of a Cisco IOS device after booting into the correct order.


Why this order

After booting, you must enter privileged mode, then global config, set hostname, set enable secret, and save.

36
MCQmedium

Refer to the exhibit. A security analyst observes these syslog messages from an ASA firewall. Based on the messages, which type of activity is most likely occurring?

A.An inside host attempting to access a web server on the outside
B.A denial of service attack flooding the firewall
C.An external host scanning internal hosts for open port 80
D.Successful web traffic from an external client
AnswerC

Repeated connection attempts from one external source toward port 80, each from the next source port and none completing, indicate a scan.

Why this answer

Option C is correct. The messages show repeated connection attempts from a single external source toward destination port 80, each using the next source port in sequence and none of them completing a handshake. That is a scanner probing internal hosts for an open web port, not a client using a web service.

Option A is wrong because the source is outside, not an inside host initiating connections. Option D is wrong because successful web traffic would show built connections, not a string of attempts. Option B is wrong because a denial-of-service flood would involve far higher volume, and typically many sources or a bandwidth-saturating pattern, rather than a methodical sequence of single probes.
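Question 36's exhibit is not reproduced on the page, so the log lines below are constructed, in the standard ASA 106023 "Deny" message format, to match the pattern the explanation describes: one external source, incrementing source ports, port 80 on a run of internal hosts. The detector is an added example, not page code; the access-group name, addresses and thresholds are assumptions. It groups denied TCP attempts per source and flags a horizontal sweep (many hosts, one port) or a vertical scan (one host, many ports), and it ignores a built-connection (302013) line to show the parser only keys on denies.

```python
import re
from collections import defaultdict

# Constructed sample syslog (not the page's exhibit). Six probes from 203.0.113.7 to
# port 80 on successive inside hosts, one unrelated deny, and one built-connection line.
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51001 dst inside:10.1.1.20/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51002 dst inside:10.1.1.21/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51003 dst inside:10.1.1.22/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51004 dst inside:10.1.1.23/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51005 dst inside:10.1.1.24/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51006 dst inside:10.1.1.25/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.9/40210 dst inside:10.1.1.20/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 7731 for outside:198.51.100.5/443 (198.51.100.5/443) to inside:10.1.1.50/52000 (10.1.1.50/52000)
"""

# Fields of the ASA 106023 message: protocol, source interface/address/port, destination interface/address/port.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def parse_deny(line: str):
    """Return the fields of a 106023 Deny line, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scans(lines, min_targets: int = 5) -> list:
    """Group denied TCP attempts by source and report sweep/scan patterns.

    min_targets is a tuning assumption: a single blocked probe is noise, a run of
    five or more distinct targets from one source within the reviewed window is not.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_deny(line)
        if ev and ev["proto"] == "tcp":
            by_src[ev["sip"]].append(ev)

    findings = []
    for sip, events in by_src.items():
        hosts_per_port = defaultdict(set)   # port -> distinct destination hosts
        ports_per_host = defaultdict(set)   # host -> distinct destination ports
        for ev in events:
            hosts_per_port[ev["dport"]].add(ev["dip"])
            ports_per_host[ev["dip"]].add(ev["dport"])
        for port, hosts in hosts_per_port.items():
            if len(hosts) >= min_targets:
                sports = [ev["sport"] for ev in events if ev["dport"] == port]
                findings.append({
                    "source": sip, "kind": "horizontal sweep", "port": port,
                    "targets": len(hosts),
                    # The incrementing-source-port cue from the question's explanation.
                    "ascending_source_ports": sports == sorted(sports),
                })
        for host, ports in ports_per_host.items():
            if len(ports) >= min_targets:
                findings.append({"source": sip, "kind": "vertical scan", "host": host, "targets": len(ports)})
    return findings


if __name__ == "__main__":
    for finding in detect_scans(SAMPLE_SYSLOG.splitlines()):
        print(finding)
```

In a SIEM the same grouping would be bounded by a time window; without one, a source that touched five hosts over a month would also trip the threshold, so treat the count as a starting point for tuning rather than a rule.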

37
MCQeasy

A company wants to ensure that employees report security incidents immediately. Which policy element is most important to include?

A.Specify encryption standards for data at rest
B.List acceptable uses of company resources
C.Define mandatory reporting procedures and contact information
D.Require complex passwords for all accounts
AnswerC

Clear procedures encourage timely reporting.

Why this answer

Option C is correct because the core purpose of an incident response policy is to ensure timely reporting. Without mandatory reporting procedures and clear contact information, employees may delay or fail to report security incidents, increasing dwell time and potential damage. This directly supports the incident response lifecycle (NIST SP 800-61) by establishing a clear chain of communication for initial detection and reporting.

Exam trap

Cisco often tests the distinction between preventive/technical controls (encryption, passwords, acceptable use) and procedural/response controls (reporting procedures), leading candidates to confuse a security best practice with the specific policy element needed for incident reporting.

How to eliminate wrong answers

Option A is wrong because encryption standards for data at rest are a data protection control, not a reporting mechanism; they do not address the immediate notification of security incidents. Option B is wrong because acceptable use policies govern proper resource usage, not the process for reporting incidents when they occur. Option D is wrong because requiring complex passwords is an authentication strength measure, unrelated to the procedural requirement of reporting security events.

38
MCQeasy

A security policy states that user activity logs must be retained for at least one year. What is the primary purpose of this requirement?

A.To support forensic investigations of security incidents
B.To improve system performance through log analysis
C.To comply with regulatory requirements only
D.To enable real-time monitoring of user behavior
AnswerA

Logs provide evidence for post-incident analysis.

Why this answer

The primary purpose of retaining user activity logs for at least one year is to support forensic investigations of security incidents. When a breach or policy violation occurs, security analysts need historical log data to reconstruct the timeline of events, identify the initial compromise vector, and determine the scope of damage. Without long-term retention, critical evidence may be overwritten or purged before an incident is discovered, making root cause analysis impossible.

Exam trap

Cisco often tests the distinction between the operational benefit (performance tuning) and the security purpose (forensic investigation), leading candidates to choose the compliance option because they confuse a regulatory driver with the underlying security objective.

How to eliminate wrong answers

Option B is wrong because log analysis for performance tuning is a secondary operational benefit, not the primary security-driven reason for a one-year retention mandate; performance analysis typically uses shorter-term metrics. Option C is wrong because while regulatory compliance (e.g., PCI DSS, HIPAA) often mandates retention periods, the question asks for the primary purpose, which is forensic investigation — compliance is a driver, not the purpose itself. Option D is wrong because real-time monitoring relies on current log streams, not historical data retained for a year; long-term retention is for post-incident analysis, not immediate alerting.

39
MCQmedium

An organization's security policy states that all external connections must be authenticated using multi-factor authentication. Which type of policy is this?

A.Password Policy
B.Data Classification Policy
C.Remote Access Policy
D.Acceptable Use Policy
AnswerC

Remote access policy defines secure remote connection requirements.

Why this answer

Option C is correct because a Remote Access Policy specifically governs how external users or devices connect to an internal network, and requiring multi-factor authentication (MFA) for all external connections is a standard control within this policy. This policy defines authentication methods, encryption standards (e.g., IPsec, TLS), and access controls for remote access, directly addressing the security policy's mandate for MFA on external connections.

Exam trap

Cisco often tests the distinction between a Remote Access Policy (which mandates technical controls like MFA for external connections) and an Acceptable Use Policy (which governs user behavior), causing candidates to confuse the two when the question mentions 'authentication'.

How to eliminate wrong answers

Option A is wrong because a Password Policy focuses on password complexity, length, expiration, and reuse rules, not on requiring multiple authentication factors (e.g., something you know plus something you have) for external connections. Option B is wrong because a Data Classification Policy defines how data is categorized (e.g., public, confidential, restricted) and handled based on sensitivity, not the authentication mechanisms for external network access. Option D is wrong because an Acceptable Use Policy outlines what users are allowed to do with organizational resources (e.g., browsing restrictions, software installation), not the technical authentication requirements for external connections.

40
MCQeasy

A company's security policy states that employees must not use corporate laptops for personal web browsing. An employee is found to have streamed video during work hours, consuming significant bandwidth. What is the best course of action?

A.Give a verbal warning and take no further action
B.Update the policy to allow streaming under certain conditions
C.Immediately terminate the employee
D.Report the violation to HR for disciplinary action per the existing policy
AnswerD

Following the established policy ensures consistent enforcement and deterrence.

Why this answer

Option D is correct because the policy is clear and violations must be handled consistently, which means documenting the finding and passing it to HR for the disciplinary process the policy already defines. Option C is disproportionate for a first offense and skips due process. Option B rewrites the policy to excuse the behaviour instead of enforcing it.

Option A ignores the violation in practice: an undocumented verbal warning creates no record and undermines consistent enforcement.

41
Multi-Selectmedium

Which TWO of the following are best practices for implementing a security policy?

Select 2 answers
A.Use technical jargon to ensure precision
B.Avoid enforcement to promote user compliance
C.Write the policy once and never change it
D.Review and update the policy annually
E.Obtain management approval and support
AnswersD, E

Periodic review keeps policy current.

Why this answer

Option D is correct because security policies must be living documents that adapt to evolving threats, regulatory changes (e.g., GDPR, PCI DSS), and organizational shifts. Annual reviews ensure the policy remains aligned with current risk posture and compliance requirements, as recommended by frameworks like NIST SP 800-53. Option E is correct because without visible management approval the policy has no authority: enforcement actions, budget for controls and disciplinary consequences all depend on it.

Exam trap

Cisco often tests the misconception that security policies are static, one-time documents, when in fact they require periodic review and management buy-in to remain effective and enforceable.

42
MCQeasy

A small retail company has a security policy that requires all point-of-sale (POS) systems to be isolated on a separate network segment with strict firewall rules. During a network audit, you discover that the POS system is connected to the same network as the office workstations, violating policy. The store manager says it was done for convenience because the network cable was too short. What is the best course of action?

A.Accept the risk because it's a small store.
B.Implement a software firewall on the POS system to compensate.
C.Purchase a longer cable and reconnect the POS to the correct segment.
D.Move the POS system to the correct network segment immediately and report the violation.
AnswerD

This restores compliance and ensures proper documentation.

Why this answer

Option D is correct because the isolated POS segment exists to keep card-handling systems away from general workstations (the segmentation PCI DSS expects around the cardholder data environment); the flat connection is a live exposure, so the device is moved back immediately and the violation is reported and documented. Option A is unacceptable because store size does not change the risk to card data. Option B is not a substitute for network segmentation. Option C fixes the cabling but skips the reporting the policy requires, so the deviation is never recorded or reviewed.

43
Multi-Selectmedium

A company's security policy mandates data encryption at rest. Which TWO of the following are acceptable methods to meet this requirement? (Choose two.)

Select 2 answers
A.Database encryption
B.Full disk encryption
C.File-level encryption
D.Hashing
E.Encryption of network traffic (TLS)
AnswersA, B

Database encryption and full disk encryption both protect data where it is stored.

Why this answer

Options A and B are the keyed answers: database encryption (transparent data encryption or column-level encryption) and full disk encryption both protect stored data. Option C, file-level encryption, also protects data at rest, so any two of A, B and C would satisfy the requirement; the question accepts only two. Option D is wrong because hashing is one-way and cannot be reversed to recover the data, so it serves integrity checks and password storage, not confidentiality. Option E is wrong because TLS protects data in transit. A practitioner caveat: full disk encryption only protects a powered-off or locked device; once the disk is unlocked, its contents are available to any process on the host, so it does not replace access control.

44
Multi-Selecteasy

Which TWO of the following are key components of a security policy? (Choose two.)

Select 2 answers
A.Incident response procedures
B.Policy statement
C.Enforcement and compliance guidelines
D.Password complexity requirements
E.Network topology diagrams
AnswersB, C

The policy statement defines the purpose and scope of the policy.

Why this answer

A security policy is a high-level document that defines an organization's overall security posture, objectives, and guiding principles. The policy statement (B) is the core component that articulates management's commitment and the policy's scope, while enforcement and compliance guidelines (C) specify how the policy will be implemented and what consequences exist for violations. These two elements are fundamental to any security policy framework.

Exam trap

Cisco often tests the distinction between a security policy (high-level, principle-based) and operational procedures or technical standards, causing candidates to mistake detailed implementation steps like incident response or password rules as policy components.

45
MCQeasy

An organization's security policy mandates that all external media (USB drives, external hard drives) must be scanned for malware before use. An employee inserts a USB drive to transfer a presentation for a meeting. The employee runs the antivirus scan, but it fails to complete because the USB drive has a hardware write-protect switch. The employee is in a hurry. What should the employee do?

A.Manually check each file for suspicious extensions.
B.Remove the USB drive and use a different approved method of file transfer.
C.Disable write protection and rescan.
D.Proceed with the file transfer since the scan failed due to hardware issue.
AnswerB

This complies with policy by avoiding an unscanned medium.

Why this answer

Option B is correct: if the required scan cannot be completed, the medium is unscanned and must not be used; moving the file through another approved channel keeps the employee within policy. Option A is wrong because eyeballing file extensions is not a malware scan. Option C is wrong because disabling write protection is a workaround that modifies untrusted media to force the control through rather than following policy; a failed scan is a reason to stop, not to tinker. Option D is wrong because a failed scan is not a passed scan, and being in a hurry is exactly the situation the policy exists for.

46
MCQhard

You are a security analyst at a multinational corporation. The company has implemented a security policy that requires all employees to use company-issued laptops with full disk encryption. During a routine audit, you discover that a senior executive's laptop is not encrypted. The executive claims that IT support had disabled encryption because the laptop was running slowly. The current policy does not allow exceptions without management approval. The executive's laptop contains sensitive client data. What should you do?

A.Report the violation to the security manager and advise that the laptop remain in use but monitored closely until encryption can be applied during next maintenance window.
B.Accept the executive's explanation and document it as an informal exception.
C.Escalate to the incident response team to treat this as a data breach because data may have been exposed.
D.Immediately re-enable encryption on the laptop and submit an exception request after the fact.
AnswerA

This ensures compliance while minimizing business disruption and follows proper escalation.

Why this answer

Option A is correct because it reports the violation through the proper channel, documents an interim compensating control (close monitoring) and schedules encryption without making an unapproved change; the security manager, not the analyst, decides whether a short-term exception is granted. Option D violates the very policy it is trying to restore by making a change without approval and asking afterwards. Option C overreacts: an unencrypted disk is a policy violation, not evidence that data has left the organization. Option B ignores the policy entirely, since the policy allows no informal exceptions.

47
MCQeasy

Refer to the exhibit. A security policy states that all remote desktop (RDP) and Telnet access from external networks must be blocked. Does the above access-list comply with the policy?

A.Yes, because it denies RDP and Telnet.
B.Yes, because it denies TCP ports 3389 and 23.
C.No, because it permits all other traffic.
D.No, because it should deny HTTP traffic as well.
AnswerA

The ACL denies both services required by policy.

Why this answer

The ACL explicitly denies RDP (TCP 3389) and Telnet (TCP 23) and permits everything else, which is all the stated policy requires; it does not require blocking HTTP or any other service. Option B states the same fact in port numbers, but A is keyed because it answers in the policy's own terms. For the denies to take effect the ACL must be applied inbound on the external (Internet-facing) interface; the same ACL applied elsewhere would not block these sessions from outside.

48
MCQmedium

A security analyst discovers that an employee has been sharing login credentials with coworkers. Which policy violation is this?

A.Remote Access Policy violation
B.Incident Response Policy violation
C.Data Classification Policy violation
D.Acceptable Use Policy violation
AnswerD

Sharing credentials is a misuse of company resources, violating the Acceptable Use Policy.

Why this answer

Sharing login credentials violates the Acceptable Use Policy (AUP), which defines how employees may use company systems and data. The AUP typically prohibits password sharing because it undermines non-repudiation and access control, as each user should have unique credentials for accountability. This is a direct breach of acceptable behavior, not a failure of remote access, incident response, or data classification procedures.

Exam trap

Cisco often tests the distinction between policies by making candidates confuse a data classification violation (handling sensitive data incorrectly) with an acceptable use violation (improper use of credentials or systems).

How to eliminate wrong answers

Option A is wrong because a Remote Access Policy governs how external connections (e.g., VPN, RDP) are established and secured, not the internal sharing of credentials among coworkers. Option B is wrong because an Incident Response Policy outlines the steps to detect, contain, and remediate security incidents, not the prohibition of password sharing. Option C is wrong because a Data Classification Policy defines how data is categorized (e.g., public, confidential) and handled based on sensitivity, but does not address user authentication practices like credential sharing.

49
MCQhard

Refer to the exhibit. A network administrator applied this ACL inbound on the external interface of a firewall. An attacker sends a TCP SYN packet with source IP 192.0.2.1 to destination 10.1.1.100 port 80. Which statement accurately describes the packet's treatment?

A.The packet is permitted because the ACL only denies non-TCP traffic
B.The packet is denied by the implicit deny at the end
C.The packet is denied because there is no permit for source 192.0.2.1
D.The packet is permitted by the first ACE
AnswerD

The first line matches TCP any to host 10.1.1.100 on port 80.

Why this answer

The first ACE permits TCP from any source to host 10.1.1.100 on port 80, and the SYN matches it, so the packet is permitted by the first ACE and nothing after that line is consulted. On a stateful firewall the permitted SYN also creates a connection entry, so the return traffic is allowed by state rather than by another ACE.

Option D is correct. Option B is wrong because the packet never reaches the implicit deny: it matched an earlier permit, and this ACL also carries an explicit deny ahead of the implicit one. Option C is wrong because the first ACE uses a source of any, so no source-specific permit is needed for 192.0.2.1.

Option A is wrong because the ACL's deny is not limited to non-TCP traffic; it denies any TCP that did not match the first line, such as a SYN to port 443.
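Questions 33, 47 and 49 all turn on the same mechanics: entries are tried in sequence, the first match wins, and whatever falls through hits the implicit deny unless a trailing permit ip any any has replaced it. None of the three exhibits is reproduced on the page, so the evaluator below (an added example, not page or Cisco code) reconstructs each ACL from its description; the sequence numbers, addresses and the explicit deny in the question-49 list are assumptions. It models stateless ACL matching only, not the firewall's connection state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry in the order IOS prints it: seq, action, protocol, source, destination, port."""
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp" or "udp"
    src: str                     # CIDR prefix (/32 for "host") or "any"
    dst: str
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _in_net(ace.src, pkt.src) and _in_net(ace.dst, pkt.dst)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """IOS semantics: try entries in sequence order, first match wins.

    A packet that matches nothing hits the implicit deny, reported as ("deny", None).
    """
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


def ends_with_permit_any(acl: List[Ace]) -> bool:
    """The question-33 flaw: a trailing 'permit ip any any' turns the implicit deny into allow-all."""
    last = max(acl, key=lambda a: a.seq)
    return (last.action == "permit" and last.proto == "ip"
            and last.src == "any" and last.dst == "any" and last.dport is None)


# Constructed reconstruction of the question-33 ACL: SSH from two subnets, other SSH denied, then permit all.
ACL_Q33 = [
    Ace(10, "permit", "tcp", "10.1.1.0/24", "any", 22),
    Ace(20, "permit", "tcp", "10.1.2.0/24", "any", 22),
    Ace(30, "deny",   "tcp", "any",         "any", 22),
    Ace(40, "permit", "ip",  "any",         "any"),
]

# Constructed reconstruction of the question-47 ACL: block RDP and Telnet, allow the rest.
ACL_Q47 = [
    Ace(10, "deny",   "tcp", "any", "any", 3389),
    Ace(20, "deny",   "tcp", "any", "any", 23),
    Ace(30, "permit", "ip",  "any", "any"),
]

# Constructed reconstruction of the question-49 ACL: one permit to the web server, then an explicit deny.
ACL_Q49 = [
    Ace(10, "permit", "tcp", "any", "10.1.1.100/32", 80),
    Ace(20, "deny",   "ip",  "any", "any"),
]

if __name__ == "__main__":
    cases = [
        ("Q33 authorized SSH",     ACL_Q33, Packet("tcp", "10.1.1.5",     "203.0.113.10", 22)),
        ("Q33 unauthorized SSH",   ACL_Q33, Packet("tcp", "192.168.50.5", "203.0.113.10", 22)),
        ("Q33 RDP slips through",  ACL_Q33, Packet("tcp", "192.168.50.5", "203.0.113.10", 3389)),
        ("Q47 RDP from outside",   ACL_Q47, Packet("tcp", "198.51.100.7", "10.1.1.20",    3389)),
        ("Q49 SYN to web server",  ACL_Q49, Packet("tcp", "192.0.2.1",    "10.1.1.100",   80)),
        ("Q49 SYN to port 443",    ACL_Q49, Packet("tcp", "192.0.2.1",    "10.1.1.100",   443)),
    ]
    for name, acl, pkt in cases:
        print(f"{name:24} -> {evaluate(acl, pkt)}")
    print("Q33 ends with permit ip any any:", ends_with_permit_any(ACL_Q33))
```

The third case is the question-33 finding in executable form: RDP from an unauthorized host is allowed at line 40, even though the SSH restriction above it is correct. The same check also flags the question-47 ACL, which is consistent with that question's keyed answer (the policy there only requires RDP and Telnet to be blocked) while reminding you what else that list lets through.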

50
MCQmedium

A company's security policy requires that all firewall rule changes be approved through a change management process. An engineer notices an unauthorized rule that allows RDP from any external IP. What is the first step the engineer should take?

A.Wait for approval from the change management board
B.Remove the rule immediately and document the change after
C.Investigate who added the rule
D.Block all RDP access to the network
AnswerB

Emergency removal is appropriate to stop immediate risk, with documentation per policy.

Why this answer

Option B is correct because an RDP rule open to any external IP is an active exposure, so removing it at once is an emergency change; change management processes normally provide exactly this path, with the ticket and approval completed after the fact. Option A is wrong because waiting for the board leaves the exposure open. Option C is wrong because attribution can follow removal; the firewall's logs and change history are not lost by deleting the rule.

Option D is wrong because blocking all RDP is broader than the violation and may break approved administrative access.

51
MCQmedium

Refer to the exhibit. This syslog message is generated from a Cisco firewall. According to the security policy, all traffic from the 10.10.10.0/24 network to the internal 192.168.1.0/24 network must be denied except for HTTP traffic from specific IPs. Which of the following should be investigated?

A.The packet was permitted but logged.
B.The packet was denied because it was HTTP traffic from 10.10.10.5.
C.The destination IP 192.168.1.10 is compromised.
D.The source IP 10.10.10.5 should be allowed to pass HTTP traffic.
AnswerD

Whether 10.10.10.5 is on the approved list of HTTP sources is what decides if this permit is correct, so that is the item to verify.

Why this answer

The syslog message shows that a packet from 10.10.10.5 to 192.168.1.10 on port 80 (HTTP) was permitted. Policy denies the 10.10.10.0/24 network except for HTTP from specific approved sources, so a permit is legitimate only if 10.10.10.5 is one of them. Option D is correct because confirming that source against the approved list is the one check the log calls for; nothing in the message itself points to a compromise or an ACL error.

Exam trap

Cisco often tests the misinterpretation of syslog actions: candidates assume a 'permit' for HTTP from an otherwise denied subnet is a violation, when the policy exception may allow it, and the only thing to check is whether the source is on the approved list.

How to eliminate wrong answers

Option A is wrong because the syslog message shows the packet was permitted (action 'permit'), not denied, and the log entry itself indicates it was logged; the question asks what should be investigated, and a permitted HTTP packet from a source that should be allowed does not warrant investigation. Option B is wrong because the packet was permitted, not denied, and HTTP traffic from 10.10.10.5 is exactly the type of traffic that the policy exception allows. Option C is wrong because the syslog message provides no indication that 192.168.1.10 is compromised; the destination IP is simply the target of a permitted HTTP request, and compromise would require additional evidence such as abnormal traffic patterns or alerts.

52
MCQmedium

A company's security policy prohibits the use of shared accounts. However, a legacy application requires a shared administrative account to run. What is the best approach?

A.Use a privileged access management solution to control and monitor the shared account
B.Create a policy exception
C.Disable the application
D.Ignore the policy because it's a legacy system
AnswerA

PAM enforces accountability and auditability, aligning with policy intent.

Why this answer

A privileged access management (PAM) solution vaults the shared account's credential, checks it out to a named individual for each session, records the session and rotates the password afterwards, so every use is attributable to a person even though the application itself sees one account. That preserves the accountability the no-shared-accounts rule is meant to provide while the legacy application keeps working.

53
MCQeasy

An organization's security policy requires that all security incidents be reported within one hour of discovery. A junior analyst notices an unauthorized login attempt but is unsure if it qualifies as an incident. What should the analyst do first?

A.Delete the logs to avoid false alarms
B.Wait until the incident is confirmed
C.Investigate on their own without reporting
D.Report the suspicious activity immediately
AnswerD

Proactive reporting ensures policy compliance and allows further investigation.

Why this answer

Reporting suspicious activity immediately aligns with the policy, even if not confirmed. Waiting or deleting logs could violate reporting requirements.

54
MCQhard

GreenTech Inc. is a mid-sized company with 500 employees. The company uses Microsoft Exchange Online for email and has implemented a security policy that requires all employees to report suspicious emails to the security team. The security team uses a phishing simulation tool to train employees. In the past month, several employees have reported receiving emails that appear to be from the CEO requesting urgent wire transfers. The security team has blocked the sender domains and updated the email filters. However, one employee fell for the latest scam and transferred $50,000 to an account before reporting it. The security incident response plan states that any monetary loss must be reported to the board within 24 hours. The security analyst receives the report on Monday morning. What should the analyst do first based on the policy and best practices?

A.Disable email access for all employees to prevent further attacks
B.Launch a full forensic investigation to identify the source
C.Notify the board within the 24-hour window as per policy
D.Immediately contact the bank to attempt to reverse the wire transfer
AnswerD

Swift action can help recover the funds before they are withdrawn.

Why this answer

Option D is correct because time is the deciding factor: a wire transfer can sometimes be recalled or frozen if the banks are contacted within hours, so the first call is to the bank. Option B is wrong because a full forensic investigation takes longer than the recall window and can run afterwards. Option C is wrong as the first step: the board notification is mandatory, but the 24-hour clock leaves time to attempt recovery first.

Option A is wrong because cutting off email for 500 employees is disproportionate and does nothing to recover the money.

55
MCQhard

An analyst sees these logs. What should be the immediate course of action?

A.Investigate whether these are legitimate SSH attempts from authorized remote administrators.
B.Change the SSH port to a non-standard port.
C.Block all traffic from the 10.0.0.0/24 subnet.
D.Add an ACL permit rule for SSH from these sources.
E.Disable SSH access to the router.
AnswerA

Verify before acting.

Why this answer

Option A is correct because the logged attempts may be authorized administrators or may be an attack, and confirming which before changing anything is the right first step. Option B is wrong because moving SSH to another port is obscurity, not a control, and changes nothing if the attempts are legitimate. Option C is wrong because blocking a whole internal subnet on unverified evidence could cut off the administrators themselves.

Option D is wrong because adding a permit would authorize the activity before it is understood. Option E is wrong because disabling SSH removes the secure management path and is disproportionate to an unconfirmed event.

56
MCQmedium

A security administrator is implementing a privileged access management (PAM) solution. Which practice best enforces the principle of least privilege for administrators?

A.Create shared admin accounts for the team
B.Use Just-in-Time administration to grant temporary privileges
C.Grant permanent admin rights to all senior administrators
D.Monitor admin activity without restricting access
AnswerB

JIT grants access only for the duration of a task.

Why this answer

Option B is correct because Just-in-Time administration grants elevated rights only for an approved task window and removes them afterwards, eliminating standing privilege. Option A is wrong because shared accounts destroy individual accountability. Option C is wrong because permanent admin rights are standing privilege, the opposite of least privilege.

Option D is wrong because monitoring detects abuse after the fact but does not restrict what the account can do.

57
MCQmedium

A security analyst at a medium-sized enterprise notices that an employee's workstation has been sending outbound traffic to a known malicious IP address at irregular intervals. The analyst runs a scan and finds no malware signatures. What should the analyst do next?

A.Block the malicious IP at the firewall and continue monitoring.
B.Escalate to the incident response team for further investigation.
C.Review the employee's recent web browsing history and email attachments.
D.Immediately disconnect the workstation from the network and reimage it.
AnswerB

Escalation ensures proper handling of a potential advanced threat that may require specialized skills.

Why this answer

Option B is correct because outbound beaconing to a known malicious address with no signature match points to something the endpoint scanner cannot see (fileless tooling, a living-off-the-land binary or a custom implant), which needs the incident response team's tooling and authority. Option D is wrong because reimaging first destroys the memory and disk evidence that would reveal what is beaconing. Option A is wrong because blocking one address stops that channel but not the cause, and the implant may simply fail over to another.

Option C is a legitimate investigation step, but it belongs inside the IR process rather than ahead of escalation.

58
MCQeasy

A company's acceptable use policy (AUP) prohibits personal devices on the corporate network. An employee is found connecting a personal tablet to access internal resources. What should the security team do?

A.Allow the device and update the policy
B.Block the device and investigate
C.Remind the employee of the AUP and request removal
D.Disable the network port
AnswerC

Policy enforcement starts with reminding the user of the existing rules.

Why this answer

Option C is correct because the AUP clearly prohibits personal devices, so the employee should be reminded of the policy. Option A is wrong because allowing it without exception violates policy. Option B is wrong because blocking the device without communication is not in line with user education.

Option D is wrong because disabling the port is excessive without first enforcing the policy.

59
MCQeasy

A healthcare organization has a security policy that mandates immediate reporting of any potential data breach to the privacy officer. An analyst notices that an employee accidentally emailed a patient list to the wrong recipient. The recipient is known to be a trusted partner, but the email contained PHI. The analyst contacts the recipient who acknowledges receipt and agrees to delete the email. What should the analyst do next?

A.Update the access control list to prevent similar mistakes.
B.Do nothing further since the data was deleted.
C.Send a warning email to the employee without reporting.
D.Report the incident as a data breach to the privacy officer as per policy.
AnswerD

This ensures compliance and proper documentation.

Why this answer

Option D is correct because policy requires immediate reporting regardless of outcome. Option B ignores the policy; Option C circumvents the reporting requirement; Option A is not an immediate required action.

60
Multi-Selecthard

A security policy mandates that all network devices must be hardened. Which THREE of the following are common hardening best practices for routers and switches? (Select three.)

Select 3 answers
A.Implement access control lists (ACLs)
B.Disable unused services
C.Enable Telnet for remote management
D.Use default credentials for initial setup
E.Enable SNMPv3 with strong authentication
AnswersA, B, E

ACLs restrict traffic to only necessary communications.

Why this answer

Options A, B, and E are correct hardening practices. Option D is wrong because default credentials are weak. Option C is wrong because Telnet is insecure.

61
MCQmedium

A security analyst notices repeated failed login attempts from an external IP. The company has a policy for account lockout after 5 failed attempts. However, the lockout is not triggering. What is the most likely cause?

A.The failed attempts are occurring on a legacy application that does not integrate with Active Directory.
B.The lockout threshold is set to 10 attempts.
C.The lockout policy is applied to user accounts but not to administrative accounts.
D.The intrusion prevention system is blocking the lockout mechanism.
E.The firewall is allowing the traffic but not logging.
AnswerA

Legacy apps often bypass domain policy.

Why this answer

Option A is correct because legacy applications may not integrate with Active Directory domain lockout policies. Option B is plausible but not specific to an external IP. Option C is unlikely.

Option D is possible but not given. Option E is irrelevant.

62
Multi-Selecteasy

Which TWO of the following are key elements that should be included in an incident response plan?

Select 2 answers
A.Requirements for antivirus software on endpoints
B.List of approved forensic tools
C.Roles and responsibilities of the incident response team
D.Step-by-step technical remediation instructions for specific attack types
E.Communication and escalation procedures
AnswersC, E

Essential for coordination during an incident.

Why this answer

Options C and E are correct. An incident response plan should include roles and responsibilities (C) and communication and escalation procedures (E). Options B and D are operational procedures, not plan elements.

Option A is a general security control.

63
MCQmedium

An analyst is reviewing this configuration. What is the most significant security concern?

A.The access-list permits all traffic to 192.168.1.100 on ports 80 and 443.
B.The access-list is missing a rule to deny all other traffic.
C.The access-list only permits traffic to a single host.
D.The access-list does not specify source IPs, allowing any source.
E.The access-list should permit traffic to the entire subnet.
AnswerD

Best practice is to restrict source addresses.

Why this answer

Option D is correct because allowing any source IP is a security risk; source restriction is missing. Option A describes the ACL's intended purpose. Option B is not a concern because the deny-any rule is present.

Option C is a design choice. Option E is not recommended.

64
MCQmedium

A security policy requires that all remote access be authenticated using a one-time password (OTP) token. Which technology should be implemented?

A.SSH key pairs
B.RADIUS with token server
C.LDAP with username and password
D.VPN with pre-shared key
AnswerB

RADIUS can authenticate users against an OTP token server, meeting the requirement.

Why this answer

Option B is correct because RADIUS can integrate with an OTP token server. Option C is wrong because LDAP with a password does not provide OTP. Option A is wrong because SSH keys are not OTP.

Option D is wrong because pre-shared keys are not OTP.

65
MCQmedium

A critical security patch for a widely exploited vulnerability is released. The patch requires a system reboot during business hours. According to change management policy, what is the best procedure?

A.Deploy the patch only at the end of the business day
B.Wait for the next scheduled change window
C.Submit an emergency change request for immediate approval
D.Install the patch without approval
AnswerC

Emergency change processes are designed for critical security updates.

Why this answer

Option C is correct because when a critical security patch addresses a widely exploited vulnerability, the immediate risk to the organization outweighs standard change windows. Change management policy typically includes an emergency change process that bypasses normal scheduling to allow rapid deployment with expedited approval, even if a reboot during business hours is required. This aligns with the principle of prioritizing security over availability in high-severity scenarios.

Exam trap

Cisco often tests the misconception that change management always requires waiting for a scheduled window, but the trap here is that emergency change processes exist specifically to handle critical security patches that cannot wait.

How to eliminate wrong answers

Option A is wrong because delaying deployment until the end of the business day leaves the system exposed to active exploitation for several hours, which is unacceptable for a widely exploited vulnerability. Option B is wrong because waiting for the next scheduled change window could mean days or weeks of exposure, violating the urgency required for critical patches. Option D is wrong because installing the patch without any approval bypasses change management controls entirely, risking unauthorized changes that could lead to compliance violations or operational disruptions.

66
MCQhard

A large enterprise has a security policy that mandates data classification and strict access controls. An IT administrator, John, has been granted temporary administrative privileges to resolve a server issue. During the maintenance window, John accesses a file server and downloads a spreadsheet containing customer PII (Personally Identifiable Information) classified as 'Confidential'. John then emails the spreadsheet to his personal email account to work from home. The security team receives an alert from the DLP system indicating the email transmission. According to the company's incident response policy, which of the following is the FIRST action the security team should take?

A.Block the email transmission and restore the file from backup
B.Revoke John's network access immediately and escalate to HR for disciplinary action
C.Interview John to determine his intent and whether it was accidental
D.Preserve evidence, isolate the affected systems, and initiate the incident response process
AnswerD

This aligns with standard incident response procedures: first preserve evidence, then initiate the formal process.

Why this answer

The correct first action is to preserve evidence, isolate affected systems, and initiate the incident response process. This aligns with NIST SP 800-61 and ISO 27035, which mandate that containment and evidence preservation precede any investigative or disciplinary steps. Jumping to revocation or interviews risks spoliation of logs, email metadata, and forensic artifacts critical to determining the scope of the data exfiltration.

Exam trap

Cisco often tests the distinction between reactive containment (e.g., blocking/revoking) and the mandated first step of evidence preservation and incident initiation, causing candidates to confuse operational urgency with proper forensic procedure.

How to eliminate wrong answers

Option A is wrong because blocking the email and restoring from backup is a containment step that should occur only after evidence is preserved and the incident response plan is formally activated; premature blocking may destroy forensic data (e.g., email headers, DLP logs). Option B is wrong because revoking network access and escalating to HR before evidence preservation violates the incident response chain of custody and could alert the insider, leading to data destruction or tampering. Option C is wrong because interviewing John before preserving evidence risks contaminating the investigation and is not the first action per standard incident response frameworks; intent is determined after forensic analysis.

67
MCQmedium

A company's incident response policy defines four phases: Preparation, Detection & Analysis, Containment Eradication & Recovery, and Post-Incident Activity. During an active ransomware outbreak, the IR team is unable to contain the spread because the containment plan did not account for the malware's use of PowerShell for lateral movement. Which phase had a deficiency?

A.Containment Eradication & Recovery
B.None of the above
C.Preparation
D.Post-Incident Activity
E.Detection & Analysis
AnswerC

Preparation must anticipate attack vectors.

Why this answer

Option C is correct because Preparation should include threat modeling and playbooks for common TTPs. Options A, D, and E are later phases that rely on preparation; Option B is wrong because a phase clearly was deficient.

68
MCQhard

A security analyst is reviewing the company's incident response plan. The plan states that 'all incidents must be contained within 30 minutes.' During a recent ransomware incident, the analyst identified the affected systems but could not contain them because the containment procedures required manual steps that took over an hour. What is the most likely gap in the plan?

A.The ransomware was too sophisticated.
B.The plan does not provide automated containment options.
C.The analyst lacked proper training.
D.The analyst did not have proper authorization.
AnswerB

The manual procedures are too slow to meet the 30-minute goal; automation or simpler steps are needed.

Why this answer

The plan's requirement to contain incidents within 30 minutes is unachievable because the containment procedures rely solely on manual steps that take over an hour. The most likely gap is the absence of automated containment options, such as pre-configured firewall ACLs, host-based IPS policies, or SOAR playbooks that can isolate affected systems in seconds. Without automation, the response time objective (RTO) for containment is fundamentally mismatched with the procedural capability.

Exam trap

Cisco often tests the distinction between a plan's stated objective and the operational capability to achieve it, trapping candidates who blame the analyst's performance or the threat's complexity instead of recognizing the missing automation in the procedures.

How to eliminate wrong answers

Option A is wrong because the sophistication of the ransomware is irrelevant to the plan's procedural gap; the issue is that the plan lacks automated containment mechanisms, not that the malware was too advanced to contain. Option C is wrong because the analyst correctly identified the affected systems, indicating adequate training; the failure was in the plan's reliance on slow manual steps, not in the analyst's skill. Option D is wrong because authorization is not the bottleneck—the analyst had the authority to execute the manual steps, but those steps themselves were too slow to meet the 30-minute containment window.

69
Multi-Selecthard

According to the principles of least privilege, which THREE of the following access controls should be implemented for a typical user account? (Choose three.)

Select 3 answers
A.Administrative rights to the local machine
B.Ability to change their own password
C.Ability to install software
D.Write access to their own home directory
E.Read access to shared company calendar
AnswersB, D, E

Users need to manage their own passwords.

Why this answer

Least privilege means users get only necessary rights. Typical users need write access to home directory, read access to shared calendar, and ability to change own password. They do not need software installation rights or local administrative rights.

70
MCQmedium

An analyst discovers that an employee has been using company-issued laptops to run personal cryptocurrency mining software. Which policy violation has occurred?

A.Incident Response Policy
B.Change Management Policy
C.Acceptable Use Policy
D.Data classification policy
AnswerC

AUP defines permitted use of company assets; mining is unauthorized.

Why this answer

Cryptocurrency mining typically violates the Acceptable Use Policy (AUP) because it consumes company resources for non-work purposes. Option C is correct. Option D (data classification policy) is about labeling data.

Option A (incident response policy) is about handling security events. Option B (change management policy) is about modifying systems.

71
MCQhard

A vendor security policy requires that all third-party remote access be limited to specific IP addresses and use multi-factor authentication. During an audit, it is discovered that a vendor's entire office subnet is allowed instead of individual IPs. The vendor argues that the broader range is necessary for redundancy. What is the best way to handle this from a policy perspective?

A.Amend the policy to allow entire subnets for vendors with multi-factor authentication
B.Accept the subnet as long as multi-factor authentication is used
C.Require the vendor to comply with the existing policy exactly as written
D.Work with the vendor to define a list of specific IPs that cover their redundancy needs while adhering to policy
AnswerD

This balances security requirements with operational needs and ensures policy compliance.

Why this answer

Option D is correct because it acknowledges the vendor's need while insisting on compliance through technical controls (e.g., restricting to specific IPs within the subnet). Option C forces the vendor to comply without flexibility. Option B risks security.

Option A allows non-compliance by weakening the policy.

72
Drag & Dropmedium

Drag and drop the steps for the DHCP DORA process (dynamic host configuration) into the correct order.

Why this order

DORA: Discover, Offer, Request, Acknowledge.

73
Multi-Selecthard

An organization's security policy requires that all security incidents be reported within 1 hour. A system administrator discovers a potential data breach but delays reporting by 3 hours because they were trying to contain it. Which TWO are the most likely consequences of this delay?

Select 2 answers
A.The incident will be automatically closed.
B.The administrator will be terminated.
C.The incident response team loses valuable time for analysis.
D.The breach may escalate due to lack of containment.
E.The organization may face regulatory fines for late reporting.
AnswersC, E

Delayed reporting reduces response effectiveness.

Why this answer

Options C and E are correct. Option C: lost time for analysis. Option E: potential regulatory fines.

Option B: termination is possible but not most likely. Option D: escalation due to lack of containment (the delay may worsen the breach, but this is not a direct consequence of the delay itself). Option A: the incident will not be automatically closed.

74
Multi-Selectmedium

Which THREE of the following are common types of security policies that organizations typically implement?

Select 3 answers
A.ISO 27001 Standard
B.Data Classification Policy
C.Password Policy
D.Patch Management Procedure
E.Acceptable Use Policy (AUP)
AnswersB, C, E

Categorizes data based on sensitivity and handling requirements.

Why this answer

Options B, C, and E are correct. Data classification policy (B), password policy (C), and acceptable use policy (E) are standard. Option D is a procedure, not a policy.

Option A is a specific framework, not a policy type.

75
MCQeasy

An analyst is verifying a VPN configuration. Which of the following is true about this configuration?

A.The VPN uses AES-128 encryption and SHA-1 authentication.
B.The VPN uses AES-256 encryption and SHA-2 authentication.
C.The VPN uses AES-256 encryption and SHA-1 authentication.
D.The VPN uses 3DES encryption and SHA-256 authentication.
E.The VPN uses DES encryption and MD5 authentication.
AnswerC

Correct interpretation of transform set.

Why this answer

Option C is correct because 'esp-aes 256' uses AES-256, and 'esp-sha-hmac' uses SHA-1. Option E uses DES/MD5. Option D uses 3DES/SHA-256.

Option A uses AES-128/SHA-1. Option B uses AES-256/SHA-2, but SHA-2 is not specified in the transform set.
