CCNA Security Policies Procedures Questions

70 of 145 questions · Page 2/2 · Security Policies Procedures topic · Answers revealed

76
MCQmedium

A security auditor finds that the company's backup policy does not include offsite storage. The security policy requires that backups be stored in a geographically separate location. What should the company do?

A.Store backups in a fireproof safe on-site
B.Implement RAID on the backup server
C.Increase backup retention period
D.Use encrypted cloud backup in a different region
AnswerD

Encrypted cloud backup in a different region meets the requirement for geographically separate storage.

Why this answer

Option D is correct because encrypted cloud storage in a different region satisfies the geographic separation requirement, and the encryption addresses the confidentiality of data held by a third party. Option A is wrong because a fireproof safe on-site is not geographically separate; a site-wide disaster takes out the primary data and the backup together. Option B is wrong because RAID protects against disk failure on one server and is not a backup, let alone an offsite one. Option C is wrong because a longer retention period does not change where the backups are stored.

77
MCQmedium

You are the cybersecurity analyst for a small business that has a security policy requiring all network traffic to pass through a proxy server for content filtering. Recently, employees have been complaining that some websites are not loading correctly. You check the proxy logs and see that the proxy is blocking traffic that appears to be from non-standard ports. However, upon investigation, you find that the blocked sites are legitimate business tools that use custom ports. Which action aligns with the security policy?

A.Instruct employees to access the tools via HTTP instead.
B.Configure the proxy to allow all traffic on custom ports for those specific tools.
C.Disable content filtering for the affected employees.
D.Create a security exception based on business need and document it.
AnswerD

This balances security and usability while maintaining an audit trail.

Why this answer

Option D is correct because a documented exception, tied to a business justification, addresses the legitimate need while keeping the change reviewable under the policy. Option A is wrong because forcing plaintext HTTP weakens security and the tools may not support it. Option B is wrong because opening all traffic on those ports is a blanket bypass rather than a scoped, recorded exception. Option C is wrong because disabling content filtering for those employees removes the control the policy requires.

78
MCQhard

A financial services company has a security policy that all remote access must be through VPN with two-factor authentication. An employee on a business trip uses a hotel Wi-Fi to connect to the corporate network but claims the VPN client was not working, so they used RDP directly over the internet to access their desktop. The employee's manager approved this as a temporary measure. The security team discovers this during a log review. The policy has no provision for temporary exceptions. What should be the security team's first action?

A.Investigate whether any data was compromised during the session.
B.Report the violation to the security officer and recommend disciplinary action.
C.Disable RDP access from the internet for all users immediately.
D.Accept the manager's approval as sufficient authorization.
AnswerA

Understanding the risk helps guide subsequent actions appropriately.

Why this answer

Option A is correct because the first step is to establish what happened: which systems were reached over RDP, from where, for how long, and whether anything was taken. Exposing RDP directly to the internet from hotel Wi-Fi, without the VPN or the second factor the policy requires, is a serious exposure, and the subsequent actions depend on what the investigation finds. Option B is premature without evidence of what actually occurred. Option C is a broad change that may well be warranted, but it should follow the investigation rather than precede it. Option D is wrong because a manager cannot authorize an exception the policy does not provide for.

79
MCQhard

A security analyst notices that an employee is accessing the corporate network from an unauthorized device. According to the security policy, which action should the analyst take first?

A.Report the employee to human resources for disciplinary action
B.Ignore the incident because it is a minor violation
C.Disable the device's network access immediately
D.Update the security policy to allow personal devices
AnswerC

Immediate containment is a typical first step.

Why this answer

Option C is correct because the immediate priority when an unauthorized device is detected on the corporate network is to contain the threat by disabling its network access. This follows incident response procedure, where the first step is to stop the unauthorized access to prevent potential data breaches or malware propagation. The security policy typically mandates such immediate action to enforce access control, implemented via 802.1X, MAC address filtering at the switch, or a NAC (Network Access Control) system that can shut the port or move it to a quarantine VLAN.

Exam trap

Cisco often tests the distinction between immediate containment actions (like disabling network access) versus long-term administrative or policy changes, trapping candidates who confuse incident response phases or prioritize HR reporting over security controls.

How to eliminate wrong answers

Option A is wrong because reporting to HR for disciplinary action is a secondary step that should occur after the immediate security threat is neutralized; it does not address the active unauthorized access. Option B is wrong because ignoring the incident violates the security policy and could lead to a significant security breach, as unauthorized devices may introduce malware or bypass security controls. Option D is wrong because updating the policy to allow personal devices is a strategic decision that requires risk assessment and implementation of proper controls (e.g., MDM, VPN), not an immediate response to a violation.

80
MCQmedium

An analyst is handling a data breach involving sensitive customer information (PII) stored in a database. According to data classification policy, what is the most critical step to take first?

A.Classify the data as high impact
B.Review the data classification policy
C.Notify affected customers immediately
D.Contain the breach and preserve evidence
AnswerD

Containment and evidence preservation are the first actions in incident response.

Why this answer

Option D is correct because containing the breach and preserving evidence is the immediate priority; it stops further exposure and keeps the forensic record intact. Option C is wrong because notifying customers before the scope is known may be inaccurate, and breach notification has specific regulatory triggers and timelines that depend on what the investigation establishes. Option A is wrong because PII is already classified by the policy; assigning a label does not stop the breach. Option B is wrong because reviewing the policy is not an incident action; the policy should already tell the analyst how this data class must be handled.

81
MCQmedium

A security analyst is creating a policy for handling sensitive customer data. The policy must ensure data is encrypted at rest and in transit. Which type of policy most directly addresses this requirement?

A.Incident Response Policy
B.Data Protection Policy
C.Access Control Policy
D.Physical Security Policy
AnswerB

Data protection policy mandates encryption at rest and in transit.

Why this answer

A data protection policy specifically covers how sensitive data is classified, stored, transmitted and encrypted, so option B is correct. Option A (incident response) covers how breaches are handled. Option C (access control) covers who may access what. Option D (physical security) covers facilities and equipment.

82
MCQeasy

An organization's security policy requires that all data at rest on laptops be encrypted. An employee reports that their laptop was stolen. Which control would most likely prevent data exposure?

A.Remote wipe
B.Biometric authentication
C.Full disk encryption
D.Screen lock with password
AnswerC

Full disk encryption encrypts all data on the drive, preventing access even if the drive is removed.

Why this answer

Option C is correct because full disk encryption ensures the data cannot be read from the drive without the key; with pre-boot authentication (or a TPM-bound key) the data stays protected while the laptop is powered off or locked. Option A is wrong because remote wipe requires the device to come online, which a thief can prevent. Option B is wrong because biometric authentication controls the login but does not encrypt data on the disk. Option D is wrong because a screen lock only protects a running session; removing the disk bypasses it.

83
MCQhard

A company is implementing a security policy that requires all employees to use multi-factor authentication (MFA) when accessing corporate resources remotely. However, during a recent security audit, it was found that several employees have been using app passwords for legacy applications that do not support MFA. What is the best practice under this policy?

A.Allow app passwords as they provide a second factor.
B.Implement a VPN requirement for legacy application access.
C.Discontinue use of legacy applications until they support MFA.
D.Create a separate policy for legacy applications with compensating controls.
AnswerD

This balances security and business needs by applying compensating controls such as network isolation and monitoring.

Why this answer

Option D is correct because a separate policy with compensating controls (network segmentation, restricted source networks, enhanced monitoring) is the appropriate treatment for a documented exception. App passwords are static single-factor credentials created precisely to bypass MFA, so option A violates the policy. Discontinuing the legacy applications (option C) is too disruptive. A VPN requirement (option B) adds network-level protection but does not make the application login itself multi-factor.

84
Matchingmedium

Match each network attack type to its description.


Concepts
Matches

Social engineering via email to steal credentials

Overwhelming a target with traffic from multiple sources

Intercepting communications between two parties

Injecting malicious SQL queries into input fields

Associating attacker's MAC with victim's IP

Why these pairings

Each description maps to one common attack: social engineering via email to steal credentials is phishing; overwhelming a target with traffic from multiple sources is a distributed denial of service (DDoS); intercepting communications between two parties is a man-in-the-middle attack; injecting malicious SQL queries into input fields is SQL injection; associating the attacker's MAC address with the victim's IP address is ARP spoofing (ARP poisoning), which is itself a way of achieving man-in-the-middle on a LAN.

85
MCQhard

A company's security policy requires that all network devices be managed using SSHv2. An auditor finds that some older switches are still using Telnet. The network team claims they cannot upgrade due to budget constraints. What is the best immediate action to mitigate risk?

A.Implement an ACL to restrict Telnet access to only the management subnet.
B.Use SSHv1 as a compromise.
C.Create a VLAN for management and enforce Telnet only on that VLAN.
D.Implement port security on the switches.
E.Disable Telnet and rely on console access only.
AnswerA

Compensating control reduces attack surface.

Why this answer

Option A is correct because an ACL restricting Telnet to the management subnet limits who can even attempt to reach the cleartext management plane; the Telnet session itself is still unencrypted, so this is a compensating control pending replacement of the switches. Option B is wrong because SSHv1 has known protocol weaknesses and does not satisfy the SSHv2 requirement. Option C still uses Telnet, and a management VLAN alone does not restrict which hosts can connect. Option D is unrelated: port security limits MAC addresses on access ports and does nothing for management-plane access. Option E is impractical for remote management.

86
Multi-Selectmedium

Which TWO of the following are essential components of an effective security policy framework according to Cisco best practices?

Select 2 answers
A.A high-level security policy that defines management's intent.
B.A network diagram showing all security devices.
C.Standards that define mandatory rules for technology use.
D.A password policy that specifies minimum length and complexity.
E.A log analysis procedure for detecting anomalies.
AnswersA, C

This is the top-level document that sets direction.

Why this answer

A high-level security policy is essential because it defines management's intent, establishes the organization's security philosophy, and provides the authoritative foundation for all subordinate policies, standards, and procedures. According to Cisco best practices, this top-tier document must be approved by senior leadership and sets the strategic direction for the entire security program, ensuring alignment with business objectives and regulatory requirements. Standards (option C) are the second tier: they translate that intent into mandatory, specific rules (for example, which protocols or encryption settings must be used) against which compliance can be measured. Password rules, network diagrams and log procedures are individual standards, documents or procedures that live under this framework, not the framework itself.

Exam trap

Cisco often tests the distinction between policy framework components (high-level intent and mandatory standards) versus operational or procedural documents, leading candidates to mistakenly select specific technical controls (like password policies or log procedures) as essential framework elements.

87
MCQmedium

A network administrator is implementing a new security policy that requires all employees to use multi-factor authentication (MFA) when accessing email from external networks. However, several employees report that they cannot receive SMS codes while traveling internationally. Which design change best balances security and usability?

A.Allow the use of authenticator apps that generate time-based one-time passwords (TOTP).
B.Allow email access without MFA from trusted countries.
C.Provide hardware tokens to all traveling employees.
D.Disable MFA for users who travel frequently.
AnswerA

TOTP apps generate codes offline; they need only a roughly synchronized clock, not network connectivity.

Why this answer

Option A is correct because TOTP authenticator apps (e.g., Google Authenticator, Microsoft Authenticator) generate one-time passwords locally on the user's device without requiring cellular network connectivity. This solves the international SMS delivery problem while maintaining strong MFA security, as the TOTP algorithm (RFC 6238) uses a shared secret and the current time to produce codes that are valid for a short window (typically 30 seconds).

Exam trap

Cisco often tests the distinction between 'something you have' (phone/authenticator app) and 'something you receive' (SMS), where candidates mistakenly think SMS is the only 'something you have' factor, missing that TOTP apps provide the same factor without network dependency.

How to eliminate wrong answers

Option B is wrong because allowing email access without MFA from 'trusted countries' violates the core security policy of requiring MFA for all external access and introduces risk from compromised accounts in those regions. Option C is wrong because hardware tokens (e.g., YubiKey) require physical distribution, management, and replacement logistics that are impractical for all traveling employees, and they still rely on USB/NFC compatibility which may not be available on all devices. Option D is wrong because disabling MFA for frequent travelers completely removes the second authentication factor, exposing the organization to credential theft and unauthorized access from any external network.

88
MCQeasy

A company's data classification policy defines "Confidential" data. Which of the following is an example of Confidential data?

A.Public marketing brochures
B.Customer payment card information
C.Company cafeteria menu
D.Employee phone numbers
AnswerB

Such data is sensitive and protected by regulations, thus Confidential.

Why this answer

Customer payment card information is typically classified as Confidential due to regulatory requirements like PCI DSS. The other options are lower sensitivity.

89
Multi-Selectmedium

Which THREE of the following are best practices for creating and maintaining security policies? (Choose three.)

Select 3 answers
A.Develop policies in isolation by the security team.
B.Obtain approval from senior management.
C.Provide training on policies to all employees.
D.Review and update policies annually.
E.Store policies in a secure location accessible only to security staff.
AnswersB, C, D

Management support is critical for enforcement.

Why this answer

Option B is correct because security policies require executive endorsement to ensure organization-wide compliance and resource allocation. Senior management approval establishes authority and accountability, making the policy enforceable across all departments, not just IT. Without this buy-in, policies lack the legal and organizational weight needed for disciplinary actions or budget justification.

Exam trap

Cisco often tests the misconception that security policies should be restricted to security staff only, but the correct approach is that policies must be accessible to all employees to ensure awareness and compliance.

90
MCQeasy

An organization's security policy specifies that all configuration changes must be approved through a change management process. An analyst discovers that a firewall rule was added without approval. What is the appropriate action?

A.Remove the rule immediately.
B.Change the policy to allow emergency changes without approval.
C.Report the unauthorized change to management.
D.Document the change and ignore it.
E.Analyze the rule to see if it's needed, then either approve or remove.
AnswerC

Policy requires reporting violations.

Why this answer

Option C is correct because the policy requires that violations be reported, and management owns the decision on how to proceed. Option A is hasty because removing a rule without impact analysis may break a production dependency. Option B weakens the control rather than enforcing it. Option D violates policy. Option E describes the disposition of the rule, which happens through the change management process after the violation has been reported, not as the analyst's unilateral first action.

91
Multi-Selectmedium

Which TWO of the following are typically included in a security policy's scope statement?

Select 2 answers
A.Threat intelligence sources to be used
B.Encryption algorithms to be used
C.List of systems and networks covered
D.User roles and responsibilities affected
E.Minimum password length requirements
AnswersC, D

Scope identifies which assets are covered.

Why this answer

The scope statement of a security policy defines the boundaries of the policy's applicability. Option C is correct because explicitly listing the systems and networks covered ensures that all stakeholders understand which assets fall under the policy's requirements, preventing gaps or overlaps in security controls. Option D is correct because the scope also names the people the policy binds: which roles must comply and who is responsible for enforcing it.

Exam trap

Cisco often tests the distinction between a policy's scope (what it covers) and the specific technical controls or standards that implement the policy, so candidates mistakenly select granular technical details like encryption algorithms or password lengths as part of the scope statement.

92
Multi-Selecthard

Which THREE actions are mandatory in the evidence handling process according to standard forensic procedures?

Select 3 answers
A.Document the chain of custody
B.Delete any malware found immediately
C.Use a write blocker when imaging
D.Create a forensic image of the device
E.Reboot the device to clear temporary files
AnswersA, C, D

Required to maintain integrity and admissibility.

Why this answer

Options A, C, and D are mandatory: documenting the chain of custody, using a write blocker so the imaging process cannot alter the original, and creating a forensic image so that analysis is performed on a verified copy rather than the original. Option E (rebooting) is avoided because it destroys volatile evidence and overwrites temporary files. Option B (deleting malware) destroys evidence.

93
MCQhard

A security analyst is reviewing a series of failed login attempts on a critical server. The logs show that the source IP addresses are from multiple geographic regions and the usernames tried are all valid employees. The attempts occur every 5 minutes for the past hour. According to the company's security policy, which type of attack is most likely occurring, and what is the best immediate response?

A.Password spraying; enforce multi-factor authentication immediately.
B.Credential stuffing; implement rate limiting.
C.Brute-force attack; add the IPs to a blocklist.
D.Dictionary attack; reset all employee passwords.
AnswerA

Password spraying uses a few passwords against many users; MFA mitigates this effectively.

Why this answer

The attack pattern—valid usernames with low-frequency attempts from diverse IPs—is characteristic of password spraying, where an attacker tries a single common password against many accounts to avoid lockout thresholds. The best immediate response is to enforce multi-factor authentication (MFA), which renders the stolen or guessed password insufficient for access, mitigating the attack without relying on IP-based blocking that is ineffective against distributed sources.

Exam trap

Cisco often tests the distinction between password spraying and credential stuffing by focusing on the source of credentials—password spraying uses guessed common passwords, while credential stuffing uses stolen credential pairs from data breaches.

How to eliminate wrong answers

Option B is wrong because credential stuffing uses previously leaked username/password pairs from other breaches, not a single password tried across many valid usernames; rate limiting would help but is not the best immediate response as MFA directly neutralizes the credential misuse. Option C is wrong because a brute-force attack targets a single account with many password attempts, not multiple valid usernames from diverse IPs every 5 minutes; adding IPs to a blocklist is ineffective when the source IPs are numerous and geographically distributed. Option D is wrong because a dictionary attack tries many common passwords against a single account, not a single password across many accounts; resetting all employee passwords is disruptive and unnecessary when MFA can stop the attack immediately.
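As an added example (not part of the original question set), the following Python distinguishes the two patterns the explanation contrasts, password spraying versus single-account brute force, from authentication failure logs. The log format and the sample lines are constructed for this illustration (source addresses come from the RFC 5737 documentation ranges), and the thresholds are assumptions a SOC would tune to its own environment. The point the code makes concrete: spraying shows many distinct accounts with few failures each from many sources, so both per-account lockout and per-IP blocking miss it, whereas a brute force shows one account with many failures.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed log format for this example (not a real product's format):
#   <ISO8601 timestamp> auth <success|failure> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    result: str
    user: str
    src: str


def parse_log(text: str) -> List[AuthEvent]:
    """Parse log lines, skipping anything that does not match the expected format."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(AuthEvent(**m.groupdict()))
    return events


def failure_profile(events: List[AuthEvent]) -> dict:
    """Summarise failed logins: how many accounts, how hard each was hit, how many sources."""
    failures = [e for e in events if e.result == "failure"]
    per_user = Counter(e.user for e in failures)
    return {
        "failures": len(failures),
        "distinct_users": len(per_user),
        "max_per_user": max(per_user.values(), default=0),
        "distinct_sources": len({e.src for e in failures}),
    }


def classify(events: List[AuthEvent], min_users: int = 5, max_per_user: int = 2,
             min_sources: int = 3, brute_threshold: int = 10) -> str:
    """Heuristic classification. The thresholds are assumed values for this example.

    password_spraying: many accounts, each tried only a handful of times, from
                       many sources (designed to stay under per-account lockout).
    brute_force:       a single account hammered with many attempts.
    """
    p = failure_profile(events)
    if p["failures"] == 0:
        return "none"
    if (p["distinct_users"] >= min_users and p["max_per_user"] <= max_per_user
            and p["distinct_sources"] >= min_sources):
        return "password_spraying"
    if p["distinct_users"] == 1 and p["failures"] >= brute_threshold:
        return "brute_force"
    return "unclassified"


# Constructed sample: one attempt per valid account, every 5 minutes, rotating sources.
SPRAY_SAMPLE = """
2024-05-01T02:00:00Z auth failure user=alice src=203.0.113.5
2024-05-01T02:05:00Z auth failure user=bob src=198.51.100.23
2024-05-01T02:10:00Z auth failure user=carol src=192.0.2.77
2024-05-01T02:15:00Z auth failure user=dave src=203.0.113.88
2024-05-01T02:20:00Z auth failure user=erin src=198.51.100.23
2024-05-01T02:25:00Z auth failure user=frank src=192.0.2.140
2024-05-01T02:30:00Z auth success user=grace src=10.20.30.40
"""

# Constructed sample: a single account hit repeatedly from one address.
BRUTE_SAMPLE = "\n".join(
    f"2024-05-01T03:00:{s:02d}Z auth failure user=bob src=203.0.113.9" for s in range(0, 60, 5)
)

if __name__ == "__main__":
    for name, sample in (("spray", SPRAY_SAMPLE), ("brute", BRUTE_SAMPLE)):
        ev = parse_log(sample)
        print(name, failure_profile(ev), classify(ev))
```

The useful detection signal for spraying is the ratio of distinct accounts to attempts per account within a time window, not the raw failure count, which is why the profile is computed per account before any threshold is applied.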

94
MCQmedium

A company has implemented a role-based access control (RBAC) policy for its network devices. A network engineer needs temporary access to configure a router in a different region. According to the RBAC policy, what is the appropriate procedure?

A.Have the root password shared via encrypted email to the engineer
B.Use the shared admin account for the duration of the task
C.Ask another engineer with access to perform the configuration changes
D.Submit a request to the security team for temporary role elevation with a specified time limit
AnswerD

This follows the principle of least privilege with an approval workflow.

Why this answer

Option D is correct because RBAC policies require that any deviation from assigned roles, such as temporary access to a router in a different region, must be handled through a formal privilege elevation process. This typically involves submitting a request to the security team, who can grant temporary role elevation with a specified time limit, ensuring that access is auditable, time-bound, and revoked automatically. This aligns with the principle of least privilege and maintains the integrity of the RBAC model by avoiding permanent or shared credentials.

Exam trap

Cisco often tests the misconception that sharing credentials or using a shared admin account is acceptable for temporary access, when in reality RBAC mandates formal, auditable, and time-limited role elevation to maintain security and accountability.

How to eliminate wrong answers

Option A is wrong because sharing the root password, even via encrypted email, violates RBAC principles by granting permanent, unmonitored superuser access that bypasses role-based controls and audit trails. Option B is wrong because using a shared admin account undermines RBAC by providing non-repudiation issues and lacks the time-bound, role-specific elevation required for temporary tasks. Option C is wrong because asking another engineer to perform the changes does not resolve the need for the requesting engineer to have direct access; it also introduces potential miscommunication and still requires the other engineer to have appropriate role elevation if they lack the required permissions.

95
MCQeasy

Refer to the exhibit. A network administrator is configuring TACACS+ on a switch. Based on the configuration snippet, what is the expected behavior if the TACACS+ server becomes unreachable?

A.Users cannot log in because TACACS+ is required.
B.Users can still log in using local credentials.
C.Users can log in but accounting logs are not generated.
D.The switch falls back to no authentication.
AnswerB

The method list 'aaa authentication login default group tacacs+ local' tries TACACS+ first and falls back to the local user database when no TACACS+ server responds.

Why this answer

The exhibit is not reproduced on this page; the behavior turns on the authentication method list. With 'aaa authentication login default group tacacs+ local', IOS queries the servers in the TACACS+ group in order and moves to the next method, the local username database, only if none of them responds. Option B is correct because 'local' is present as the fallback method. Had the list been 'group tacacs+' alone, an unreachable server would lock administrators out of the vty lines, which is why the local fallback (backed by a local admin account with a strong password) is standard practice.

Exam trap

Cisco often tests the distinction between 'authentication failure' (server reachable but rejects credentials) and 'server unreachable' (no response), where fallback to local only occurs in the latter case when 'local' is explicitly configured as a secondary method.

How to eliminate wrong answers

Option A is wrong because the configuration includes 'local' as a fallback method, so TACACS+ is not required; if the server is unreachable, local authentication is used. Option C is wrong because accounting logs are generated by the 'aaa accounting' command, which is independent of authentication fallback; the question focuses on authentication behavior, not accounting. Option D is wrong because the switch does not fall back to no authentication; it explicitly falls back to local authentication as configured in the 'aaa authentication login default group tacacs+ local' command.

96
Multi-Selecteasy

A security policy requires multifactor authentication for all administrative access. Which TWO of the following are examples of factors used in MFA? (Choose two.)

Select 2 answers
A.MAC address
B.Password
C.Fingerprint
D.Smart card
E.Username
AnswersC, D

A fingerprint is an inherence (biometric) factor.

Why this answer

MFA requires two distinct factor types. The key pairs something you have (smart card, option D) with something you are (fingerprint, option C). A username and a MAC address are identifiers, not authentication factors: they name a user or a device but prove nothing about who is presenting them. Note that a password is itself a valid factor (something you know); it is the combination of different factor types, not the number of credentials, that makes authentication multi-factor.

97
MCQeasy

A security analyst is reviewing the incident response plan for a small business. The plan states that after an incident is contained, the next step is to preserve evidence. The CISO wants to ensure that the plan follows NIST guidelines. Which step should be added between containment and evidence preservation according to NIST?

A.Lessons learned
B.Recovery
C.Evidence collection and analysis
D.Eradication
AnswerD

In the NIST lifecycle, eradication follows containment.

Why this answer

NIST SP 800-61 Rev. 2 defines the lifecycle as Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Within the combined third phase, containment comes first and eradication follows: removing malware and persistence, disabling breached accounts and closing the exploited vulnerability. Eradication (option D) is therefore the step the exam expects between containment and the plan's evidence step. A practitioner caveat: NIST places evidence gathering and handling within containment precisely because eradication destroys the artifacts forensics depends on (malware binaries, persistence mechanisms, volatile memory). Take forensic images and capture volatile data before eradicating, not after.

Exam trap

Cisco often tests the NIST incident response phase order; the trap here is assuming that recovery immediately follows containment, when eradication is the intermediate step.

How to eliminate wrong answers

Option A (Lessons learned) is wrong because it is post-incident activity, after recovery. Option B (Recovery) is wrong because recovery (restoring systems to normal operation) comes after eradication; restoring before the threat is removed risks reinfection. Option C (Evidence collection and analysis) is wrong because NIST does not list it as a separate lifecycle phase; evidence gathering is an activity within containment, and the lifecycle step missing from the plan is eradication.

98
Multi-Selectmedium

An incident response plan includes steps to contain a ransomware outbreak. Which TWO actions are typically performed during the containment phase? (Select two.)

Select 2 answers
A.Notify law enforcement
B.Identify the initial infection vector
C.Restore data from backups
D.Disconnect infected systems from the network
E.Quarantine the malware samples
AnswersD, E

Isolation prevents further spread of ransomware.

Why this answer

Options D and E are correct containment actions: disconnecting infected systems stops the ransomware from spreading and encrypting shared storage, and quarantining the malware samples isolates them while preserving them for analysis. Prefer disconnecting the network over powering off, since a power-off destroys memory that may hold encryption keys or attacker artifacts. Option B (identifying the infection vector) is analysis. Option C (restoring from backups) is recovery. Option A (notifying law enforcement) is a reporting step governed by the organization's policy and does not itself contain the outbreak.

99
MCQeasy

A company's security policy requires that all employees change their passwords every 90 days. Which type of security control does this policy enforce?

A.Compensating
B.Detective
C.Corrective
D.Preventive
AnswerD

Password aging reduces the chance of using stolen credentials long-term.

Why this answer

Password aging is a preventive control because it limits how long a compromised password remains usable, so option D is correct. Option B (detective) is incorrect because password changes do not detect attacks. Option C (corrective) is incorrect because it does not fix a breach after the fact. Option A (compensating) is incorrect because it is not an alternative control standing in for one that cannot be implemented. A practitioner caveat: NIST SP 800-63B now discourages forced periodic rotation absent evidence of compromise, because it pushes users toward predictable variations of the old password; the exam nonetheless classifies the 90-day rule as a preventive control.

100
MCQeasy

A security analyst receives an alert that an employee's workstation is generating outbound traffic to a known malware command-and-control IP address at 3:00 AM. According to the company's incident response policy, what is the FIRST action the analyst should take?

A.Isolate the workstation from the network by disabling the switch port.
B.Reimage the workstation immediately to remove the malware.
C.Apply the latest security patches to the workstation.
D.Call the employee to ask if they are working late.
AnswerA

Containment stops the malicious traffic and prevents lateral spread.

Why this answer

The first action is to isolate the workstation from the network by disabling the switch port. This immediately stops the outbound command-and-control (C2) traffic, preventing data exfiltration and further compromise, while preserving the system state for forensic analysis. According to the incident response policy, containment takes precedence over eradication or recovery to limit damage.

Exam trap

Cisco often tests the containment-first principle in incident response, and the trap here is that candidates rush to eradicate the malware (reimage) or fix the vulnerability (patch) instead of stopping the active threat by isolating the host.

How to eliminate wrong answers

Option B is wrong because reimaging destroys volatile evidence (e.g., memory, logs, malware artifacts) needed for root-cause analysis and violates the containment-first principle. Option C is wrong because applying patches does not stop active C2 communication and assumes the vulnerability is known, which may not be the case; containment must occur first. Option D is wrong because calling the employee at 3:00 AM wastes critical time, may alert the attacker if the user is compromised, and does not address the active threat.

101
MCQmedium

During a security audit, it is discovered that several users have passwords set to never expire. According to the security policy, passwords must be changed every 90 days. What is the best course of action?

A.Disable accounts that violate the policy
B.Notify users to change their passwords voluntarily
C.Immediately reset all user passwords
D.Update the password policy in Active Directory to enforce 90-day expiration
AnswerD

A Group Policy change enforces compliance automatically.

Why this answer

Option D is correct because the most efficient and enforceable way to ensure all users comply with the 90-day password expiration policy is to configure a Group Policy Object (GPO) in Active Directory that sets the 'Maximum password age' to 90 days. This automatically forces password changes once the age is exceeded, ensuring uniform enforcement without manual intervention or disruption. One check to pair with it: an account "set to never expire" usually has the per-account 'Password never expires' flag set, and that flag overrides the domain maximum age, so the GPO change only takes effect on those accounts once the flag is cleared.

Exam trap

Cisco often tests the distinction between reactive manual fixes (like resetting all passwords) and proactive policy-based enforcement, where candidates mistakenly choose a disruptive action instead of the scalable, automated solution that aligns with security policy management.

How to eliminate wrong answers

Option A is wrong because disabling accounts that violate the policy would cause unnecessary downtime and administrative overhead, and it does not address the root cause—the lack of enforced expiration—while potentially locking out legitimate users. Option B is wrong because relying on voluntary compliance is ineffective in a security audit context; users may ignore notifications, leaving the organization non-compliant and vulnerable. Option C is wrong because immediately resetting all user passwords is disruptive, does not prevent users from setting the same password again (unless complexity/history policies are enforced), and fails to implement a sustainable, automated enforcement mechanism.

102
MCQhard

During a merger, two companies have different security policies. Company A uses a discretionary access control (DAC) model, while Company B uses a mandatory access control (MAC) model. The merged entity must adopt a single policy. Which approach is most likely to be adopted and why?

A.DAC because it is more flexible
B.Both can coexist
C.MAC because it is more secure
D.A new hybrid model combining both
AnswerC

MAC offers stronger security enforcement, suitable for merged policies.

Why this answer

MAC provides stricter, system-enforced controls based on classification, which is often adopted in higher-security environments. DAC relies on user discretion and is less secure.

103
MCQeasy

A user reports that they cannot access a file server. The security policy requires that all access be logged and monitored. What is the most likely reason for the access failure?

A.The user's account is locked
B.The file server is down
C.The user's IP address is not in the allowed list
D.The user's password has expired
AnswerC

Policy might restrict access based on IP, causing failure and triggering logs.

Why this answer

Option C is correct because the user's IP address might not be in the allowed list per policy. Options A, B, and D are plausible but less directly related to the policy requirement.

104
MCQhard

During a security incident, the incident response team isolates a compromised workstation from the network. The security policy requires that all actions taken during the incident be documented and approved. However, the team lead isolates the workstation without waiting for formal approval. Which principle of incident response is being prioritized?

A.Rapid containment
B.Chain of custody
C.Speed of containment
D.Preservation of evidence
AnswerC

Immediate containment limits damage and is often prioritized over formal approval in policies.

Why this answer

Option C is correct because speed of containment is prioritized to limit damage, even when that means acting before formal approval is granted. The action still has to be documented immediately and the approval obtained afterwards; acting first does not remove the policy's documentation requirement. Option A is wrong because rapid containment is not a principle distinct from speed of containment; it restates the keyed answer with a different label. Option B is wrong because chain of custody concerns how evidence is handled and documented, not whether containment waits for approval. Option D is wrong because isolating the workstation does help preserve evidence, but the question emphasizes acting without approval, not evidence preservation.

105
Multi-Selecthard

Which THREE of the following are common elements of an incident response policy?

Select 3 answers
A.Data classification levels
B.Procedures for containment and eradication
C.Roles and responsibilities of the incident response team
D.Acceptable use of company resources
E.Definition of what constitutes a security incident
AnswersB, C, E

Core steps in incident response.

Why this answer

Option B is correct because containment and eradication are core phases of the NIST SP 800-61 incident response lifecycle. Containment limits the scope of the incident (e.g., isolating a compromised host via VLAN access control lists), while eradication removes the root cause (e.g., deleting malware, patching vulnerabilities). These procedures are explicitly documented in an incident response policy to ensure consistent, repeatable actions during a security event.

Exam trap

Cisco often tests the distinction between an incident response policy (which includes definitions, roles, and procedures) and other security policies like data classification or acceptable use, leading candidates to mistakenly include elements from adjacent policies.

106
MCQeasy

A company's security policy requires that all system logs be retained for at least one year. A security analyst discovers that log files are being overwritten after 30 days. What is the most likely cause?

A.Logs are being manually deleted by an administrator
B.Malware infection
C.The log rotation policy is set to 30 days
D.Insufficient disk space
AnswerC

Log rotation settings control how logs are overwritten; a 30-day policy directly explains the behavior.

Why this answer

Option C is correct because a log rotation setting of 30 days causes older logs to be overwritten or purged on a fixed schedule, which directly matches the observed behaviour. Option A is wrong because manual deletion by an administrator would be a deliberate act and would not produce a consistent 30-day pattern. Option B is wrong because malware is an unlikely explanation for a regular, predictable rotation cycle. Option D is wrong because, while insufficient disk space may be the reason the rotation was set so aggressively, the direct cause is the rotation setting; meeting a one-year retention requirement means changing that setting and providing the storage it needs, or shipping the logs to a central log server that enforces the retention period.
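A quick way to find this kind of gap before an auditor does is to compute the effective retention of every logrotate stanza and compare it with the policy. The script below is an added example for this question, not code from the page; the configuration it reads is constructed inline, the one-year policy value is an assumption taken from the question, and retention is approximated as the rotate count multiplied by the rotation interval.

```python
import math
import re

# Constructed logrotate-style configuration used as the sample input for this example.
# The three stanzas are chosen to show a clearly short, a just-short, and a compliant case.
SAMPLE_CONFIG = """
/var/log/auth.log {
    daily
    rotate 30
    compress
    missingok
}

/var/log/syslog {
    weekly
    rotate 52
    compress
}

/var/log/app/audit.log {
    daily
    rotate 365
    compress
}
"""

# Days represented by each logrotate interval keyword (monthly approximated as 30).
INTERVAL_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}
POLICY_MIN_DAYS = 365  # assumed policy value: "at least one year"

# One stanza: a path at the start of a line, then a brace-delimited body.
BLOCK_RE = re.compile(r"^(\S.*?)\s*\{(.*?)\}", re.MULTILINE | re.DOTALL)


def parse_logrotate(text):
    """Return {path: {"interval": keyword or None, "rotate": count}} for each stanza."""
    stanzas = {}
    for m in BLOCK_RE.finditer(text):
        path, body = m.group(1).strip(), m.group(2)
        interval, rotate = None, 0
        for raw in body.splitlines():
            line = raw.strip()
            if line in INTERVAL_DAYS:
                interval = line
            elif line.startswith("rotate "):
                rotate = int(line.split()[1])
        stanzas[path] = {"interval": interval, "rotate": rotate}
    return stanzas


def retention_days(entry):
    """Approximate retention: rotate count times the rotation interval.
    Size-based rotation (no interval keyword) gives no time guarantee, so it counts as 0."""
    if entry["interval"] is None:
        return 0
    return INTERVAL_DAYS[entry["interval"]] * entry["rotate"]


def audit(text, min_days=POLICY_MIN_DAYS):
    """Return [(path, retention_days)] for every stanza that keeps logs for less than min_days."""
    return [(path, retention_days(entry))
            for path, entry in parse_logrotate(text).items()
            if retention_days(entry) < min_days]


def required_rotate(interval, min_days=POLICY_MIN_DAYS):
    """Smallest 'rotate N' value that satisfies min_days for the given interval keyword."""
    return math.ceil(min_days / INTERVAL_DAYS[interval])


if __name__ == "__main__":
    stanzas = parse_logrotate(SAMPLE_CONFIG)
    for path, days in audit(SAMPLE_CONFIG):
        fix = required_rotate(stanzas[path]["interval"])
        print(f"{path}: keeps {days} days, policy needs {POLICY_MIN_DAYS}; "
              f"set 'rotate {fix}' or ship logs to central storage")
```

Note the second stanza: `weekly` with `rotate 52` is 364 days, one day short of the policy, which is the kind of off-by-one a manual review tends to miss.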

107
MCQhard

An organization's security policy requires that all network traffic be inspected by an intrusion prevention system. However, encrypted traffic is bypassing inspection. Which change to the policy would best address this issue?

A.Allow encrypted traffic to bypass the IPS
B.Require all internal traffic to use unencrypted protocols
C.Implement SSL/TLS decryption at the network perimeter
D.Exclude encrypted traffic from the security policy scope
AnswerC

Decryption enables the IPS to inspect encrypted payloads.

Why this answer

Option C is correct because implementing SSL/TLS decryption at the network perimeter allows the IPS to inspect the plaintext content of encrypted traffic. By terminating the encrypted session at a dedicated decryption device (e.g., a next-generation firewall or proxy), the device can re-encrypt the traffic after inspection, ensuring that threats hidden in HTTPS, SMTPS, or other TLS-encrypted flows are detected without violating the policy's requirement that all traffic be inspected.

Exam trap

Cisco often tests the misconception that encrypted traffic is inherently safe or that bypassing inspection is acceptable, when in fact attackers commonly use encryption to hide malware, command-and-control traffic, or data exfiltration, making decryption a necessary security control.

How to eliminate wrong answers

Option A is wrong because allowing encrypted traffic to bypass the IPS directly violates the security policy's requirement that all network traffic be inspected, leaving a blind spot for threats hidden in encrypted tunnels. Option B is wrong because requiring all internal traffic to use unencrypted protocols would severely degrade security by exposing sensitive data to eavesdropping and tampering, contradicting best practices and likely violating compliance standards. Option D is wrong because excluding encrypted traffic from the security policy scope simply ignores the problem, failing to address the inspection gap and leaving the organization vulnerable to attacks that leverage encryption to evade detection.

108
MCQeasy

Refer to the exhibit. An ASA security policy is configured as shown. A user from the internet tries to access 192.168.1.5 via HTTP. What will happen?

A.Traffic will be allowed, but logged
B.Traffic will be denied
C.Traffic will be allowed only if it matches the subnet
D.Traffic will be permitted
AnswerB

The access list does not permit traffic to 192.168.1.5.

Why this answer

The ASA security policy shown uses an access control list (ACL) that implicitly denies all traffic unless explicitly permitted. Since the exhibit does not show any ACL entry permitting HTTP traffic from the internet to 192.168.1.5, the traffic is denied by default. The correct answer is B because the ASA's default behavior for inbound traffic on an interface is to deny it unless a matching permit ACE exists.

Exam trap

Cisco often tests the implicit deny principle in ASA ACLs, where candidates mistakenly assume that traffic is allowed by default or that a missing permit statement still allows traffic if it matches a subnet or is logged.

How to eliminate wrong answers

Option A is wrong because traffic is not allowed; the ACL does not contain a permit statement for HTTP from any source to 192.168.1.5, so logging is irrelevant. Option C is wrong because the ACL does not specify a subnet match for HTTP traffic; even if it did, the implicit deny would still apply to non-matching traffic. Option D is wrong because the ASA does not permit traffic by default; it requires an explicit permit rule in the ACL to allow inbound HTTP traffic.

109
Multi-Selecteasy

Which TWO components are essential in a well-written security policy?

Select 2 answers
A.Scope
B.Cost estimates
C.Enforcement
D.Technology stack
E.Vendor names
AnswersA, C

Defines who and what the policy covers.

Why this answer

A security policy must define its scope to specify which systems, users, and data are covered. Without a clear scope, the policy cannot be consistently applied, leading to gaps in enforcement. The scope ensures that all relevant assets are protected and that the policy's boundaries are understood by all stakeholders. Enforcement is equally essential: the policy must state the consequences of non-compliance and who is responsible for applying them. A policy without an enforcement clause is advisory, and auditors will treat it as such.

Exam trap

Cisco often tests the distinction between a policy (high-level, principle-based) and a procedure or standard (detailed, implementation-specific), leading candidates to mistakenly include technical details like technology stacks or vendor names as essential policy components.

110
MCQhard

A business impact analysis (BIA) for a critical enterprise application reveals a maximum tolerable downtime (MTD) of 4 hours and a recovery time objective (RTO) of 2 hours. The current backup solution can restore the application in 3 hours under optimal conditions. Which of the following is the most appropriate action from a policy perspective?

A.Upgrade the backup solution to achieve a restore time of 2 hours or less
B.Accept the current restore time because it is within the MTD of 4 hours
C.Reduce the RTO to 1 hour to make the backup solution acceptable
D.Increase the MTD to 5 hours to match the backup restore time
AnswerA

This aligns the recovery capability with the defined RTO, meeting policy requirements.

Why this answer

Option A is correct because the backup solution's restore time (3 hours) exceeds the RTO (2 hours), so the recovery plan fails its own objective even though it is within the 4-hour MTD. The RTO exists to leave a buffer before the MTD is reached; a 3-hour restore under optimal conditions leaves only one hour of margin for anything going wrong. Option B is incorrect because being within the MTD does not satisfy the RTO. Option C is incorrect because tightening the RTO to 1 hour makes the gap worse, not acceptable. Option D is incorrect because the MTD comes from the business impact analysis; adjusting it to fit the backup tool ignores the business requirement.

111
MCQeasy

A security policy requires that all remote access be through a VPN using strong authentication. A user calls the help desk saying they cannot connect to the VPN. The analyst checks and sees that the user's token is not synchronized. What should the analyst do?

A.Disable VPN access for the user.
B.Provide a temporary static password.
C.Reset the user's token and have them re-sync.
D.Escalate to the security team.
E.Have the user connect without a token.
AnswerC

Resolves token sync issue.

Why this answer

Option C is correct because resetting and re-synchronising the token is the standard procedure for a drifted token and keeps strong authentication intact. Option A is too severe for a routine token problem. Option B compromises strong authentication by replacing the second factor with a static password. Option D is unnecessary for a routine support issue with no sign of compromise. Option E violates the policy outright by allowing remote access without the token.

112
MCQhard

Refer to the exhibit. A security policy requires that network traffic be classified and prioritized to ensure critical applications get bandwidth. A network engineer implements this QoS policy. However, after deployment, a security scanner reports that SSH traffic is starved. Which of the following is the most likely cause?

A.The priority percent for VOIP is too high.
B.The fair-queue algorithm does not work with this policy.
C.The critical data class includes SSH traffic.
D.SSH traffic is not classified and falls into class-default, which may not get enough bandwidth.
AnswerD

Since SSH is not in a priority class, it competes with other default traffic.

Why this answer

Option D is correct because SSH traffic is not explicitly matched by any class map in the policy, so it falls into the class-default. The class-default in this policy uses fair-queue, which does not guarantee a minimum bandwidth; if higher-priority classes (like VOIP and critical data) consume most of the link, class-default can be starved. This results in SSH sessions timing out or experiencing severe packet loss.

Exam trap

Cisco often tests the misconception that traffic not explicitly classified will still get fair treatment, when in reality class-default can be starved if higher-priority classes consume all bandwidth, especially when priority is used without proper policing or shaping.

How to eliminate wrong answers

Option A is wrong because the priority percent for VOIP is set to 30%, which is a reasonable allocation for voice traffic and would not inherently starve SSH unless the link is fully saturated by VOIP alone—but the policy also allocates bandwidth to critical data, so the starvation is more likely due to SSH not being classified. Option B is wrong because the fair-queue algorithm does work with this policy; it is applied to the class-default, which is a standard behavior for class-default when no explicit bandwidth is configured, and it does not prevent other classes from functioning. Option C is wrong because the critical data class is explicitly defined to match traffic with DSCP AF21, which is typically used for mission-critical data, not SSH (which uses TCP port 22 and is not marked with AF21 by default); thus SSH is not included in that class.

113
MCQeasy

A security policy mandates that all employees complete annual security awareness training. Which of the following metrics best demonstrates the effectiveness of this training?

A.Results of a post-training quiz
B.Percentage of employees who completed the training
C.Number of help desk tickets related to phishing
D.Decrease in security incidents attributed to user error
AnswerD

A decline in user-caused incidents is a direct indicator that training is modifying behavior.

Why this answer

Option D is correct because a reduction in incidents caused by user error directly indicates that the training is changing behaviour. Option A is wrong because quiz results show what users know immediately after training, not whether that knowledge changes what they do on the job. Option B is wrong because completion rate measures participation, not effectiveness. Option C is wrong because the number of phishing-related tickets could rise or fall for other reasons (more phishing in circulation, or more reporting because users are now aware) and is ambiguous on its own.

114
MCQmedium

Refer to the exhibit. A security analyst sees this syslog message from the ASA. Which statement best describes what is occurring?

A.An inside host is initiating a connection to a web server
B.Traffic is being denied by the access list
C.An external host is connecting to an internal host
D.The connection is being torn down
AnswerC

The log shows the connection from outside to inside.

Why this answer

Option C is correct because the message records a connection built from an outside host (203.0.113.1) to an inside host (192.168.1.100); "Built" means the ASA permitted the connection and created a state entry for it. Option A is wrong because the source is on the outside interface, not inside. Option B is wrong because a built connection was permitted; a packet dropped by an access list produces a deny message (for example ASA-4-106023) rather than a connection-built message. Option D is wrong because a teardown is logged as a separate message (ASA-6-302014) when the connection ends, and the exhibit shows the build, not the teardown.
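Reading direction from ASA connection messages is mechanical once the fields are pulled apart: the interface names before each address tell you which side the host is on, and the message ID tells you whether the connection was built, torn down, or denied. The parser below is an added example for this question and is not code from the page; the four syslog lines are constructed in the ASA message format (302013 built, 302014 teardown, 106023 denied by access-group) and are not the exhibit.

```python
import re

# Constructed Cisco ASA syslog lines for this example (not the exhibit from the question).
# The parenthesised addresses in 302013 are the translated (NAT) addresses.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 4071 for outside:203.0.113.1/51234 "
    "(203.0.113.1/51234) to inside:192.168.1.100/80 (192.168.1.100/80)",
    "%ASA-6-302013: Built outbound TCP connection 4072 for inside:192.168.1.50/49152 "
    "(198.51.100.7/49152) to outside:93.184.216.34/443 (93.184.216.34/443)",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.1/51235 dst inside:192.168.1.100/23 "
    'by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "%ASA-6-302014: Teardown TCP connection 4071 for outside:203.0.113.1/51234 "
    "to inside:192.168.1.100/80 duration 0:00:05 bytes 2048 TCP FINs",
]

BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (inbound|outbound) TCP connection (\d+) "
    r"for (\w+):([\d.]+)/(\d+) .*? to (\w+):([\d.]+)/(\d+)")
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (\d+) for (\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+)")
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+) by access-group "([^"]+)"')


def classify(line):
    """Parse one ASA syslog line into a dict, or return None for messages not handled here."""
    m = BUILT_RE.search(line)
    if m:
        direction, cid, sif, sip, sport, dif, dip, dport = m.groups()
        return {"event": "built", "direction": direction, "conn_id": int(cid),
                "src_if": sif, "src_ip": sip, "src_port": int(sport),
                "dst_if": dif, "dst_ip": dip, "dst_port": int(dport)}
    m = TEARDOWN_RE.search(line)
    if m:
        cid, sif, sip, sport, dif, dip, dport = m.groups()
        return {"event": "teardown", "conn_id": int(cid),
                "src_if": sif, "src_ip": sip, "src_port": int(sport),
                "dst_if": dif, "dst_ip": dip, "dst_port": int(dport)}
    m = DENY_RE.search(line)
    if m:
        proto, sif, sip, sport, dif, dip, dport, acl = m.groups()
        return {"event": "deny", "proto": proto, "acl": acl,
                "src_if": sif, "src_ip": sip, "src_port": int(sport),
                "dst_if": dif, "dst_ip": dip, "dst_port": int(dport)}
    return None


def describe(event):
    """Turn a parsed event into the one-line statement an analyst would write."""
    if event is None:
        return "unparsed message"
    flow = f"{event['src_if']}:{event['src_ip']} -> {event['dst_if']}:{event['dst_ip']}:{event['dst_port']}"
    if event["event"] == "built":
        if event["src_if"] == "outside" and event["dst_if"] == "inside":
            who = f"external host {event['src_ip']} connecting to internal host {event['dst_ip']}:{event['dst_port']}"
        elif event["src_if"] == "inside" and event["dst_if"] == "outside":
            who = f"internal host {event['src_ip']} connecting to external host {event['dst_ip']}:{event['dst_port']}"
        else:
            who = flow
        return f"permitted ({event['direction']} connection built): {who}"
    if event["event"] == "deny":
        return f"denied by access-group {event['acl']}: {flow}"
    return f"connection {event['conn_id']} torn down: {flow}"


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(describe(classify(line)))
```

The interface names are what matter, not the address ranges: a connection logged as `outside:...` to `inside:...` is external-to-internal even if the inside address is public, and a built message never means a deny.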

115
MCQhard

MedSecure is a healthcare organization with a security policy that requires all security incidents to be handled following the NIST framework. A system administrator discovers that an unauthorized user has accessed a database containing patient records. The administrator immediately disconnects the server from the network. The security analyst is called to investigate. The analyst finds that the server was not part of the centralized logging system, and the only logs available are the database audit logs. The security policy mandates preservation of evidence and chain of custody. The analyst needs to collect the database audit logs. Which action should the analyst take to ensure proper evidence collection?

A.Make a bit-for-bit copy of the audit log files using a forensic tool, hash the original and copy, and document the process
B.Export the logs to a CSV file and email them to the security team
C.Use a write-blocker to create a forensic image of the entire hard drive
D.Copy the audit logs to a USB drive and store it in a locked drawer
AnswerA

This ensures integrity, authenticity, and proper chain of custody.

Why this answer

Option A is correct because a bit-for-bit copy made with a forensic tool, with hashes of both the original and the copy recorded together with who collected it, when, and how, preserves integrity and establishes chain of custody. Option B is wrong because exporting to CSV alters the format and emailing the file provides neither integrity verification nor a custody record. Option C is wrong because imaging the entire drive is excessive when the audit logs are the evidence in scope; a write-blocker is the right tool for disk evidence, but the question asks about collecting the log files. Option D is wrong because a plain copy to a USB drive has no hash to prove it matches the original, and a locked drawer without documentation is not chain of custody.
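The three parts of the correct answer (copy, hash both sides, document) are easy to script, and scripting them is how you get a custody record that looks the same for every case. The following is an added example for this question, not code from the page: it writes a constructed database audit log to a temporary directory, collects it with SHA-256 verification, and appends a JSON custody record. The case ID, collector name and log contents are invented; a dedicated forensic tool would normally be used in place of `shutil.copyfile`, but the verification and record-keeping steps are the same.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_evidence(source_path, evidence_dir, collector, case_id):
    """Hash the original, copy it byte for byte, hash the copy, verify, append a custody record.

    The original is hashed first: on a live system the audit log may still be written to, and
    the record must state what the file contained at collection time. Quiesce the database or
    rotate the log before collection where possible."""
    os.makedirs(evidence_dir, exist_ok=True)
    dest = os.path.join(evidence_dir, os.path.basename(source_path))
    original_hash = sha256_file(source_path)
    shutil.copyfile(source_path, dest)
    copy_hash = sha256_file(dest)
    if copy_hash != original_hash:
        raise RuntimeError(f"copy of {source_path} does not verify; source may have changed during copy")
    os.chmod(dest, 0o444)  # the working copy is read-only from here on
    record = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "source_path": os.path.abspath(source_path),
        "evidence_path": os.path.abspath(dest),
        "size_bytes": os.path.getsize(dest),
        "sha256_original": original_hash,
        "sha256_copy": copy_hash,
        "method": "shutil.copyfile, SHA-256 of original and copy compared",
        "custody_log": os.path.join(os.path.abspath(evidence_dir), "custody.jsonl"),
    }
    with open(record["custody_log"], "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_evidence(record):
    """Re-hash the stored copy; True if it still matches the hash recorded at collection."""
    return sha256_file(record["evidence_path"]) == record["sha256_original"]


def demo():
    """Constructed database audit log (invented content) written to a temp dir, collected, re-verified."""
    workdir = tempfile.mkdtemp(prefix="ir-demo-")
    src = os.path.join(workdir, "db_audit.log")
    with open(src, "w", encoding="utf-8") as fh:
        fh.write("2024-05-01T02:14:07Z user=svc_report action=SELECT table=patients rows=5120\n")
        fh.write("2024-05-01T02:14:09Z user=svc_report action=SELECT table=billing rows=5120\n")
    record = collect_evidence(src, os.path.join(workdir, "evidence"), "analyst.jdoe", "IR-2024-0001")
    return record, verify_evidence(record)


if __name__ == "__main__":
    rec, ok = demo()
    print(json.dumps(rec, indent=2))
    print("verified:", ok)
```

Every later hand-off (to legal, to an external forensics firm) appends its own line to the custody log, and `verify_evidence` is re-run at each step so any change to the copy is caught at the hand-off where it happened.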

116
MCQhard

A company operating in the EU experiences a data breach involving personal data of EU citizens. Under GDPR, what is the maximum timeframe to notify the supervisory authority?

A.96 hours
B.72 hours
C.24 hours
D.48 hours
AnswerB

GDPR Article 33 requires notification within 72 hours.

Why this answer

Option B is correct because GDPR Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; a notification made after 72 hours must be accompanied by the reasons for the delay. Option A is wrong because 96 hours exceeds the allowed period. Option C is wrong because 24 hours is shorter than the specified timeframe. Option D is wrong because 48 hours is not the specified timeframe.

117
MCQeasy

A company's security policy states that all employees must use multi-factor authentication (MFA) when accessing the corporate network remotely. Which policy is being applied?

A.Incident Response Policy
B.Remote Access Policy
C.Acceptable Use Policy
D.Access Control Policy
AnswerD

Access Control Policy defines authentication requirements like MFA.

Why this answer

MFA is an authentication requirement, which makes this an Access Control Policy statement; Option D is correct. Option B (remote access policy) is plausible because the stem mentions remote access, and many organisations place the MFA requirement there as a subset of access control, but the requirement itself is about how users authenticate. Option C (acceptable use) governs user behaviour, not authentication. Option A (incident response) is about handling incidents.

118
MCQhard

An organization's security policy requires that all traffic between the corporate network and the internet be inspected by an IPS. However, encrypted traffic (HTTPS) cannot be inspected without breaking encryption. Which solution best meets the policy requirement?

A.Allow all HTTPS traffic without inspection
B.Implement SSL/TLS interception using a proxy with a trusted certificate
C.Rely on endpoint security only
D.Disable HTTPS for internal users
AnswerB

SSL inspection decrypts, inspects, and re-encrypts traffic, enabling IPS visibility.

Why this answer

SSL/TLS interception using a trusted proxy allows inspection of encrypted traffic while maintaining security, though it requires careful implementation and user acceptance.

119
MCQeasy

Refer to the exhibit. A security analyst views these log entries from a Cisco router. What conclusion can be drawn about ACL 101?

A.ACL 101 blocks HTTP traffic
B.ACL 101 applies only to inbound traffic
C.ACL 101 denies Telnet and permits HTTP
D.ACL 101 permits all traffic
AnswerC

Denied to port 23, permitted to port 80.

Why this answer

The log shows a packet denied to port 23 (Telnet) and a packet permitted to port 80 (HTTP), so ACL 101 denies Telnet and permits HTTP; Option C is correct. Option A is incorrect because HTTP is permitted. Option B is incorrect because the log entries say nothing about the direction or interface on which the ACL is applied. Option D is incorrect because Telnet is denied. The log only proves what happened to these two packets: the full ACL may permit or deny other ports, and log entries appear only for entries configured with the log keyword.

120
Multi-Selecthard

Which TWO of the following are essential requirements for a security policy to be effective?

Select 2 answers
A.It should be as long and detailed as possible
B.It must be communicated to all relevant parties
C.It must be enforceable
D.It must comply with all applicable laws
E.It should be updated only when an incident occurs
AnswersB, C

Effective policies require awareness and understanding.

Why this answer

Options B and C are correct. A policy that nobody knows about cannot guide behaviour, and a policy that cannot be enforced is a statement of intent rather than a control. Option A is wrong because length is not a measure of effectiveness; overly long policies go unread. Option D is wrong because legal compliance is usually required but is not what makes a policy effective in the sense this question tests. Option E is wrong because policies need regular scheduled review, not only a revision after an incident.

121
MCQeasy

During a security audit, an analyst discovers that several employees have shared their login credentials with colleagues to expedite work. Which policy enforcement mechanism would be most effective in preventing this behavior?

A.Implement a password complexity policy.
B.Implement multi-factor authentication (MFA).
C.Enforce a password change policy every 30 days.
D.Conduct annual security awareness training.
AnswerB

MFA requires a physical token or biometric, making sharing impractical.

Why this answer

Multi-factor authentication (MFA) is the most effective enforcement mechanism because it requires a second factor (e.g., a one-time passcode from an authenticator app, a hardware token, or a biometric) in addition to the password. Even if employees share their passwords, MFA prevents unauthorized access because the second factor is tied to the individual's device or identity and cannot be easily shared. This directly addresses the root cause of credential sharing by making shared credentials useless without the additional factor.

Exam trap

The trap here is that candidates often choose security awareness training (Option D) because it seems like a logical educational fix, but Cisco tests the distinction between administrative controls (training) and technical enforcement mechanisms (MFA) that actually prevent the behavior at the authentication layer.

How to eliminate wrong answers

Option A is wrong because a password complexity policy only enforces the strength of the password (e.g., length, character types) but does nothing to prevent users from voluntarily sharing those strong passwords with colleagues. Option C is wrong because enforcing a password change every 30 days may reduce the window of exposure but does not prevent sharing; users can simply share the new password after each change. Option D is wrong because annual security awareness training educates users about policy but relies on voluntary compliance and does not technically enforce or prevent the behavior; users may still share credentials despite knowing the policy.

122
MCQmedium

Refer to the exhibit. A security analyst reviews the configuration of a router and notices the access list applied to the internal interface. Which traffic from the source network 10.0.0.0/8 will be permitted? (Assume typical web traffic.)

A.HTTP and HTTPS traffic only
B.All TCP traffic
C.All IP traffic from 10.0.0.0/8
D.Only HTTP traffic
AnswerA

The ACL explicitly permits TCP traffic to ports 80 and 443.

Why this answer

Option A is correct because the ACL permits TCP traffic from 10.0.0.0/8 to any destination on ports 80 (HTTP) and 443 (HTTPS). Option B is wrong because only these two ports are permitted. Option C is wrong because it permits only HTTP and HTTPS.

Option D is wrong because both HTTP and HTTPS are allowed.
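Both this question and question 108 come down to first-match evaluation with an implicit deny at the end of the list. The evaluator below is an added example, not code from the page or from Cisco: it parses a small subset of IOS extended-ACL syntax (numeric ports only, IOS wildcard masks for both lists even though a real ASA uses subnet masks), and the two ACLs are constructed from the page's descriptions of the exhibits, so any packet that no entry permits falls through to the implicit deny.

```python
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard-mask pair to CIDR (contiguous wildcards only)."""
    mask_int = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask_int))
    return str(ipaddress.ip_network((addr, netmask), strict=False))


def _take_address(tokens):
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return "0.0.0.0/0"
    if first == "host":
        return tokens.pop(0) + "/32"
    return wildcard_to_network(first, tokens.pop(0))


def parse_ace(line):
    """Parse the subset '<permit|deny> <proto> <src> <dst> [eq <port>]' with numeric ports."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _take_address(rest)
    dst = _take_address(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport, "text": line}


def _matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(ace["src"]):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(ace["dst"]):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(acl, pkt):
    """First-match evaluation. Returns (action, ace_index); index None is the implicit deny."""
    for index, ace in enumerate(acl):
        if _matches(ace, pkt):
            return ace["action"], index
    return "deny", None


def packet(proto, src, dst, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


# Constructed ACLs for this example. ACL_101 follows the page's description of the exhibit in
# question 122 (TCP from 10.0.0.0/8 to any on 80 and 443). OUTSIDE_IN stands in for the ASA
# policy in question 108: it publishes one service (an assumed host on 443) and nothing else.
ACL_101 = [parse_ace("permit tcp 10.0.0.0 0.255.255.255 any eq 80"),
           parse_ace("permit tcp 10.0.0.0 0.255.255.255 any eq 443")]
OUTSIDE_IN = [parse_ace("permit tcp any host 192.168.1.10 eq 443")]


if __name__ == "__main__":
    checks = [
        ("101", ACL_101, packet("tcp", "10.1.2.3", "198.51.100.10", 443)),
        ("101", ACL_101, packet("tcp", "10.1.2.3", "198.51.100.10", 22)),
        ("OUTSIDE_IN", OUTSIDE_IN, packet("tcp", "203.0.113.1", "192.168.1.5", 80)),
    ]
    for name, acl, pkt in checks:
        action, idx = evaluate(acl, pkt)
        where = f"ACE {idx}: {acl[idx]['text']}" if idx is not None else "implicit deny"
        print(f"ACL {name} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}: {action} ({where})")
```

The `None` index is the point of the exercise: when an auditor asks why a flow is blocked, "no entry matched" is a different finding from "entry 3 denies it", and the fix is different too.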

123
MCQmedium

A change management policy requires that all network configuration changes be approved by a change advisory board (CAB) before implementation. An urgent security vulnerability requires an immediate firewall rule change to block an active exploit. What should the network administrator do?

A.Convene an emergency CAB meeting before making the change
B.Apply the change immediately and then submit an emergency change request for post-approval
C.Ignore the vulnerability until the next scheduled CAB meeting
D.Wait for CAB approval to ensure compliance with policy
AnswerB

Emergency changes are permitted with later documentation and approval.

Why this answer

Option B is correct because a change management policy should include an emergency change procedure that allows immediate action against an active exploit, with the change documented and approved retroactively. Option A is unnecessary if an emergency procedure exists, and convening a board delays blocking an exploit that is already in use. Option C leaves the exploit active and defeats the purpose of the policy. Option D is unrealistic for an urgent fix. The emergency change must still be submitted and reviewed; a rule left in place without the follow-up request is exactly the undocumented firewall change the policy exists to prevent.

124
MCQmedium

Refer to the exhibit. A security analyst notices repeated login failures. According to the company's security policy, what action should be taken?

A.Block the source IP at the firewall
B.Ignore because it's only three failures
C.Investigate for brute force attack
D.Disable the user account
AnswerC

The pattern suggests a brute-force attempt; investigation is the first step per incident response procedures.

Why this answer

Repeated login failures are a classic indicator of a brute-force attack, where an attacker attempts to guess credentials by trying many passwords. The security policy should require investigation to confirm the attack pattern (e.g., frequency, source, target accounts) before taking irreversible actions like blocking or disabling. Option C is correct because it follows the principle of verify-then-act, aligning with incident response procedures.

Exam trap

Cisco often tests the candidate's ability to distinguish between reactive actions (block, disable) and proper incident response steps (investigate first), where the trap is to jump to a technical fix without following the security policy's investigation requirement.

How to eliminate wrong answers

Option A is wrong because blocking the source IP at the firewall may be premature without confirming the attack is malicious (e.g., a user with a forgotten password could trigger failures) and could cause denial of service to legitimate users. Option B is wrong because three failures can be part of a larger brute-force attempt; security policies typically define thresholds (e.g., 5 failures in 5 minutes) that trigger investigation, not dismissal. Option D is wrong because disabling the user account without investigation could lock out a legitimate user and does not address the root cause (e.g., the account may not be the target; the attacker could be targeting multiple accounts).
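"Investigate first" means confirming the pattern the policy describes: how many failures, from where, against which accounts, and over what window. The detector below is an added example for this question, not code from the page or the exhibit. The syslog lines are constructed in the style of Cisco IOS login-failure messages with ISO timestamps, the threshold of 5 failures in 5 minutes is an assumed policy value, and the sample deliberately includes a forgotten-password case and an expired window so the reader can see what does not alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy threshold: 5 failures from one source within 5 minutes triggers investigation.
THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def _failed(ts, user, src):
    """Build a constructed IOS-style login failure line for the sample below."""
    return (f"{ts} rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: {user}] "
            f"[Source: {src}] [localport: 22] [Reason: Login Authentication Failed]")


# Constructed sample log (not the exhibit from the question).
SAMPLE_LOGS = [
    _failed("2024-05-06T10:00:01Z", "jsmith", "198.51.100.20"),   # forgotten password: 2 tries in total
    _failed("2024-05-06T10:00:10Z", "admin", "203.0.113.5"),      # single account, rapid retries
    _failed("2024-05-06T10:00:12Z", "admin", "203.0.113.5"),
    _failed("2024-05-06T10:00:14Z", "admin", "203.0.113.5"),
    _failed("2024-05-06T10:00:16Z", "admin", "203.0.113.5"),
    _failed("2024-05-06T10:00:18Z", "admin", "203.0.113.5"),      # 5th failure crosses the threshold
    _failed("2024-05-06T10:00:20Z", "admin", "203.0.113.5"),
    _failed("2024-05-06T10:00:40Z", "jsmith", "198.51.100.20"),
    "2024-05-06T10:01:00Z rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jsmith] "
    "[Source: 198.51.100.20] [localport: 22]",                   # not a failure; ignored
    _failed("2024-05-06T10:02:00Z", "alice", "203.0.113.77"),     # one source, many accounts
    _failed("2024-05-06T10:02:10Z", "bob", "203.0.113.77"),
    _failed("2024-05-06T10:02:20Z", "carol", "203.0.113.77"),
    _failed("2024-05-06T10:02:30Z", "dave", "203.0.113.77"),
    _failed("2024-05-06T10:02:40Z", "erin", "203.0.113.77"),
    _failed("2024-05-06T10:05:00Z", "admin", "192.0.2.9"),        # 4 failures, then a 12-minute gap
    _failed("2024-05-06T10:06:00Z", "admin", "192.0.2.9"),
    _failed("2024-05-06T10:07:00Z", "admin", "192.0.2.9"),
    _failed("2024-05-06T10:08:00Z", "admin", "192.0.2.9"),
    _failed("2024-05-06T10:20:00Z", "admin", "192.0.2.9"),        # window has expired; no alert
]

LINE_RE = re.compile(r"^(\S+) (\S+) %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
                     r"\[user: ([^\]]+)\] \[Source: ([\d.]+)\]")


def parse(line):
    """Return {ts, host, user, src} for a login-failure line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "host": m.group(2), "user": m.group(3), "src": m.group(4)}


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failures per source IP. Returns one alert per source, raised the
    first time it reaches the threshold, listing the accounts targeted inside the window."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)          # src -> deque of (timestamp, user) inside the window
    alerted, alerts = set(), []
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                  # drop failures older than the window
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            users = sorted({user for _, user in q})
            alerts.append({"src": ev["src"], "count": len(q), "users": users,
                           "first": q[0][0], "last": ev["ts"],
                           "pattern": "password spray" if len(users) > 1 else "brute force"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(f"{alert['src']}: {alert['count']} failures {alert['first']:%H:%M:%S}-{alert['last']:%H:%M:%S}, "
              f"{alert['pattern']}, accounts {', '.join(alert['users'])}")
```

The output distinguishes a single account hammered from one source (brute force) from one source touching many accounts (password spray); the latter is the case where disabling "the" user account, Option D, would miss the point entirely. On IOS itself, `login block-for 120 attempts 5 within 60` applies an equivalent threshold at the device, which is a useful enforcement layer but does not replace the review the policy requires.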

125
MCQmedium

A security policy requires that all changes to firewall rules be approved by two administrators. This is an example of which security principle?

A.Need to know
B.Defense in depth
C.Separation of duties
D.Least privilege
AnswerC

Two-person rule prevents unauthorized changes.

Why this answer

The requirement that two administrators must approve firewall rule changes enforces separation of duties, a security principle that prevents any single individual from having exclusive control over a critical operation. This reduces the risk of unauthorized or malicious rule modifications by ensuring collusion or independent review is required. In firewall management, this is often implemented via change management workflows with distinct approval and implementation roles.

Exam trap

Cisco often tests separation of duties by contrasting it with least privilege, where candidates mistakenly think limiting who can change rules is the same as limiting what they can access, but the key difference is that separation of duties focuses on dividing critical tasks among multiple people to prevent fraud or error.

How to eliminate wrong answers

Option A is wrong because 'need to know' restricts access to information based on job requirements, not the approval process for changes. Option B is wrong because 'defense in depth' involves multiple layers of security controls (e.g., firewall, IDS, antivirus), not a procedural check on administrative actions. Option D is wrong because 'least privilege' limits user permissions to the minimum necessary for their role, whereas this policy controls how changes are authorized, not the baseline access level.

126
MCQmedium

A company's security policy states that all remote access must be through a VPN. An employee complains that the VPN is too slow and asks for an exception to access a specific internal server directly over the internet. What should the security analyst recommend?

A.Configure a separate VPN profile with lower encryption.
B.Allow direct access but only from the employee's home IP.
C.Grant the exception temporarily and monitor the connection.
D.Investigate the VPN performance issue and optimize if possible.
AnswerD

Performance issues should be resolved; exceptions should be a last resort with formal risk acceptance.

Why this answer

Option D is correct because the security policy mandates VPN for all remote access, and bypassing it would expose the internal server directly to the internet without the VPN's authentication and encryption. The analyst should first investigate the VPN performance issue (common causes include MTU mismatch, high latency, and encryption overhead) and optimise it, for example by adjusting the MTU, enabling hardware-accelerated ciphers such as AES-GCM, or upgrading the VPN hardware, rather than granting an exception that undermines security. Split tunnelling is sometimes proposed as the fix, but it sends some traffic outside the VPN and should itself be treated as a policy decision, not a quiet tuning change.

Exam trap

Cisco often tests the principle that security policies must be enforced consistently, and the trap here is that candidates think a temporary or IP-based exception is acceptable, when in fact any direct access bypasses the VPN's encryption and authentication, violating the core security requirement.

How to eliminate wrong answers

Option A is wrong because lowering encryption (e.g., from AES-256 to AES-128 or disabling PFS) weakens confidentiality and integrity, violating security policy and potentially compliance requirements like PCI DSS. Option B is wrong because allowing direct access from the employee's home IP still exposes the internal server to the public internet, bypassing the VPN's authentication and encryption, and the home IP can change or be spoofed. Option C is wrong because a temporary exception still creates a security gap—attackers could exploit the window, and monitoring does not prevent a direct attack on the exposed server.

127
MCQhard

A security auditor reviews a company's security policies and finds that the password policy requires a minimum length of 8 characters and complexity including uppercase, lowercase, digit, and special character. However, the policy does not mandate password expiration. Which of the following is the most significant risk due to this omission?

A.Stolen credentials could be used for extended periods without detection
B.Users may choose weak passwords that are easy to guess
C.Help desk will receive an increased number of password reset requests
D.Users might reuse passwords across different systems
AnswerA

No expiration means compromised passwords stay valid until changed, allowing prolonged unauthorized access.

Why this answer

Option A is correct because without expiration, stolen or leaked credentials remain valid indefinitely, so an attacker can keep using them until the compromise is noticed. Option B is less likely because the complexity rules are enforced. Option C is not a risk of the omission; if anything, expiration increases reset requests. Option D is a real concern but is not caused by the lack of expiration. Current guidance (NIST SP 800-63B) favours screening passwords against breached-password lists, MFA, and forced change on evidence of compromise over routine periodic rotation, so the exam's framing reflects the policy as written rather than a universal best practice.

128
MCQmedium

You are a security operations analyst for a medium-sized enterprise. The company's security policy requires that all endpoint devices have antivirus software installed and updated. During a routine check, you find that a group of 50 laptops used by the sales team have not received antivirus updates for over three months. The policy also states that any non-compliant devices must be quarantined from the network until they are remediated. The sales team manager argues that quarantining the laptops will disrupt critical sales activities. The company's incident response policy has a clause that allows for temporary exceptions in business-critical situations, but requires approval from the CISO. What is the best course of action?

A.Ignore the issue to avoid disrupting sales activities
B.Quarantine the laptops immediately as per policy
C.Request a temporary exception from the CISO while expediting the updates
D.Update the antivirus without quarantining, then report to management
AnswerC

The exception process allows business continuity while addressing the issue.

Why this answer

Option C is correct because it balances security policy compliance with business continuity. The incident response policy explicitly allows temporary exceptions for business-critical situations with CISO approval, and expediting the updates ensures the 50 laptops are remediated quickly. Quarantining without considering the business impact could violate the company's own exception clause, while ignoring the issue or updating without quarantining bypasses the security controls required by policy.

Exam trap

Cisco often tests the balance between strict policy enforcement and business continuity, trapping candidates who choose immediate quarantine (Option B) without considering documented exception processes, or who choose to update without quarantine (Option D) thinking it's a practical workaround.

How to eliminate wrong answers

Option A is wrong because ignoring the issue violates the security policy requiring quarantine of non-compliant devices, leaving the network exposed to potential malware outbreaks from outdated antivirus definitions. Option B is wrong because while quarantine is the default policy, it fails to leverage the incident response policy's exception clause for business-critical situations, potentially causing unnecessary disruption without CISO oversight. Option D is wrong because updating antivirus without quarantining bypasses the policy's quarantine requirement and does not address the root cause of non-compliance; reporting after the fact does not obtain the required prior approval for an exception.

129
Multi-Selectmedium

A security policy mandates that all network devices must have logging enabled and that logs must be reviewed regularly. Which TWO practices are essential for effective log review?

Select 2 answers
A.Aggregating logs from all devices into a central server.
B.Reviewing logs only when an incident occurs.
C.Automated log analysis with correlation tools.
D.Storing logs for at least one year.
E.Ensuring logs are in a common format like Syslog.
AnswersA, C

Centralization enables comprehensive analysis and correlation across the network.

Why this answer

Central aggregation (A) and automated log analysis with correlation tools (C) are essential for effective and efficient log review. Retention (D) and a common format (E) are supporting practices but not core to the review process itself. Reactive review only after an incident (B) is not effective.

130
MCQ · easy

An organization's data classification policy defines four levels: Public, Internal, Confidential, and Restricted. An employee accidentally sends an email containing customer payment card information (PCI) to the entire company mailing list. The data should have been classified as which level?

A.Public
B.Restricted
C.Internal
D.Confidential
AnswerB

Restricted is for data whose disclosure would cause severe harm, such as PCI data.

Why this answer

Option B is correct because PCI data is highly sensitive and legally protected, warranting Restricted classification. Option A is for non-sensitive data. Option C is for internal use but not as sensitive.

Option D is sensitive but not as high as Restricted.

131
Multi-Select · hard

Which THREE are required steps in a proper incident response procedure? (Choose three.)

Select 3 answers
A.Change Management Processing
B.Containment, Eradication, and Recovery
C.Post-Incident Activity (Lessons Learned)
D.Detection and Analysis
E.System Hardening
AnswersB, C, D

These are core phases of IR.

Why this answer

The IR process includes preparation, detection and analysis, containment, eradication, recovery, and lessons learned. Options B, C, and D are direct steps. Option E (system hardening) is a preventive measure.

Option A (change management) is a separate process.

132
MCQ · hard

A security policy states that all portable media must be encrypted. An employee loses a USB drive containing customer data. The drive was encrypted with AES-256. Which of the following is true regarding policy compliance?

A.The policy was followed, but the incident still needs to be reported per incident response procedures
B.The employee violated policy because the drive was lost
C.The policy was followed because the data was encrypted, so a breach is not reportable
D.Encryption is not sufficient; the employee should have used a different media
AnswerA

Encryption mitigates exposure but does not negate the need for incident reporting.

Why this answer

Option A is correct because the security policy mandates encryption for portable media, and AES-256 encryption was applied to the USB drive, so the policy was technically followed. However, the loss of a device containing customer data still triggers incident response procedures, as the encryption key or the possibility of decryption could be compromised, and reporting is required to assess risk and comply with breach notification laws.

Exam trap

Cisco often tests the distinction between policy compliance and incident response obligations, trapping candidates who assume encryption alone eliminates the need to report a lost device.

How to eliminate wrong answers

Option B is wrong because the policy does not prohibit loss of media; it requires encryption, which was applied, so the employee did not violate the policy itself. Option C is wrong because encryption does not automatically exempt an incident from reporting; many regulations (e.g., GDPR, HIPAA) require breach notification if there is any risk of data exposure, and the loss of the drive must be evaluated. Option D is wrong because AES-256 is a strong, approved encryption standard, and the policy does not specify a different media type; the issue is not the encryption strength but the physical loss and reporting obligation.

133
MCQ · hard

You are a security analyst at a mid-sized company that uses a mix of on-premises servers and cloud services. The company's security policy requires all sensitive data to be encrypted at rest and in transit, and all access to be logged and monitored. Recently, the company experienced a data breach where an attacker exfiltrated a database containing customer PII. The investigation revealed that the attacker gained access using a compromised VPN account that had been inactive for 6 months. The account belonged to a former employee who left the company but the account was never disabled. The VPN logs show that the account was used from an unusual IP address, but no alert was triggered because the account was not on any watchlist. The breach occurred over a weekend when the security team was not monitoring. Which of the following would have most effectively prevented this breach?

A.Deploy a SIEM with anomaly detection for unusual VPN login locations.
B.Implement multi-factor authentication on all VPN accounts.
C.Increase the frequency of log reviews to daily.
D.Automate the de-provisioning of user accounts upon employee termination.
AnswerD

This directly addresses the root cause: the account should have been disabled when the employee left.

Why this answer

The root cause of the breach was that the former employee's VPN account remained active after termination, allowing the attacker to use it. Automating the de-provisioning of user accounts upon employee termination (Option D) directly addresses this by ensuring that accounts are disabled or removed as part of the offboarding process, eliminating the attack vector entirely. This aligns with the principle of least privilege and identity lifecycle management, which are foundational to access control policies.

Exam trap

Cisco often tests the distinction between preventive and detective controls, and the trap here is that candidates choose a detective solution (like SIEM or log review) because it sounds more technical, overlooking the fundamental preventive control of account lifecycle management that would have stopped the breach at its source.

How to eliminate wrong answers

Option A is wrong because deploying a SIEM with anomaly detection would only alert on unusual login locations after the fact; it does not prevent the use of an inactive account that should have been disabled. Option B is wrong because multi-factor authentication (MFA) would not have prevented the breach if the attacker already had the compromised VPN credentials and the account was still active; MFA can be bypassed if the attacker has access to the second factor (e.g., via phishing or session hijacking), and the core issue is the account's existence, not the authentication method. Option C is wrong because increasing the frequency of log reviews to daily would still leave a window of opportunity (e.g., over a weekend) and relies on human analysis, which is reactive and does not prevent the initial compromise; the account should have been disabled before the attacker could use it.
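To make the detective side of this scenario concrete, here is an added example (written for this page, not part of the original question bank) of the automated correlation that question 129's central aggregation plus correlation tools and Option A above describe: it flags a login by an account dormant for 180+ days from a source IP that account has never used, without any watchlist. It is a detective control that complements, rather than replaces, automated de-provisioning; the log format, account names and IP addresses are constructed.

```python
# Added example (not from the quiz page): an automated correlation check of the
# kind question 129 (central aggregation plus correlation tools) and Option A of
# question 133 describe. It is a detective control and complements, rather than
# replaces, automated de-provisioning. The log format, account names and IP
# addresses below are constructed for this example.
from datetime import datetime, timedelta

DORMANT_DAYS = 180  # six months, matching the scenario in question 133

# Constructed, centrally aggregated VPN gateway lines:
#   <ISO timestamp> <host> login user=<account> src=<source IP>
SAMPLE_LOGS = """\
2024-01-10T09:12:00 vpn-gw login user=jdoe src=203.0.113.10
2024-01-11T08:45:00 vpn-gw login user=asmith src=203.0.113.22
2024-04-02T07:58:00 vpn-gw login user=asmith src=203.0.113.22
2024-07-13T02:31:00 vpn-gw login user=jdoe src=198.51.100.77
2024-07-15T08:02:00 vpn-gw login user=asmith src=203.0.113.22
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, account, source IP)."""
    ts, _host, _event, user, src = line.split()
    return (datetime.fromisoformat(ts),
            user.split("=", 1)[1],
            src.split("=", 1)[1])


def correlate(log_text, dormant_days=DORMANT_DAYS):
    """Return alerts as (timestamp, account, src, reasons) tuples.

    An alert is raised when a login follows a gap of dormant_days or more for
    that account, or comes from a source IP the account has never used. No
    per-account watchlist is needed: the baseline is built from the logs.
    Weekend timing is recorded as an extra reason but never alerts on its own.
    """
    last_seen = {}   # account -> datetime of its previous login
    known_ips = {}   # account -> set of source IPs seen so far
    alerts = []
    for line in log_text.splitlines():
        ts, user, src = parse_line(line)
        reasons = []
        prev = last_seen.get(user)
        if prev is not None and ts - prev >= timedelta(days=dormant_days):
            reasons.append("dormant-account")
        if user in known_ips and src not in known_ips[user]:
            reasons.append("new-source-ip")
        if ts.weekday() >= 5:  # Saturday or Sunday
            reasons.append("weekend")
        if "dormant-account" in reasons or "new-source-ip" in reasons:
            alerts.append((ts.isoformat(), user, src, reasons))
        last_seen[user] = ts
        known_ips.setdefault(user, set()).add(src)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```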

134
MCQ · hard

You are a security analyst at a financial services company. The company's security policy mandates that all sensitive data must be encrypted at rest and in transit. A recent internal audit reveals that a database containing customer personally identifiable information (PII) is stored on a server that uses unencrypted storage volumes. The database is accessed by internal applications via unencrypted connections. The policy also requires quarterly vulnerability scans, and the latest scan shows that the server has a critical vulnerability in the database software. Additionally, the server's firewall rules permit inbound traffic from the entire corporate network to the database port. The company's incident response policy requires that any violation of data protection policies be escalated within 24 hours. The IT manager asks you to prioritize actions. What should you do first?

A.Enable encryption on the storage volumes and database connections
B.Apply the critical security patch to the database software
C.Escalate the violation to management within 24 hours
D.Restrict firewall access to only authorized application servers
AnswerB

Patching the critical vulnerability reduces immediate risk of exploitation.

Why this answer

The most immediate threat is the critical vulnerability in the database software, which could allow remote code execution or data exfiltration without any authentication. Patching this vulnerability directly reduces the risk of exploitation, which is the highest priority in a security incident. Encryption and firewall restrictions are important but do not address an actively exploitable software flaw.

Exam trap

Cisco often tests the concept that patching a critical vulnerability takes precedence over other security controls, even when policy mandates encryption or escalation, because the vulnerability represents an active, exploitable risk that can bypass all other defenses.

How to eliminate wrong answers

Option A is wrong because enabling encryption on storage volumes and database connections protects data at rest and in transit but does not remediate the critical software vulnerability that could allow an attacker to bypass those controls entirely. Option C is wrong because while escalation is required by policy, it is a procedural step that should occur after or in parallel with immediate technical remediation; the priority is to stop the active threat first. Option D is wrong because restricting firewall access reduces the attack surface but does not fix the underlying vulnerable software that could be exploited from any allowed source, including authorized application servers.

135
MCQ · medium

A company is developing a new security policy for cloud storage. Which principle should be the foundation of the policy to ensure data confidentiality and integrity?

A.Access logs must be retained for at least one year.
B.Only authorized users can access the cloud storage.
C.All data must be encrypted at rest and in transit.
D.Data must be backed up daily.
AnswerC

Encryption provides confidentiality and integrity regardless of location.

Why this answer

Option C is correct because encryption at rest and in transit directly protects data confidentiality and integrity by rendering data unreadable without the proper decryption keys and by ensuring data is not tampered with during transmission. In cloud storage, encryption at rest (e.g., AES-256) safeguards data stored on disk, while encryption in transit (e.g., TLS 1.2/1.3) prevents interception or modification during upload/download. This dual-layer approach is the foundational security control for meeting confidentiality and integrity objectives, as defined in the CIA triad.

Exam trap

Cisco often tests the distinction between foundational security principles (encryption) and supporting controls (logging, access control, backups), trapping candidates who confuse a necessary but insufficient measure like 'only authorized users' with the core requirement for confidentiality and integrity.

How to eliminate wrong answers

Option A is wrong because retaining access logs for one year supports auditing and incident response but does not directly enforce data confidentiality or integrity; logs are a detective control, not a preventive or protective measure. Option B is wrong because only allowing authorized users to access cloud storage addresses confidentiality through access control, but it does not ensure integrity (e.g., authorized users could still modify data) and provides no protection against data exposure if the storage medium is compromised. Option D is wrong because daily backups ensure availability and disaster recovery, not confidentiality or integrity; backups can be encrypted, but the act of backing up alone does not protect data from unauthorized access or tampering.

136
MCQ · easy

A security analyst detects a host infected with ransomware on the corporate network. According to incident response procedures, what should be the first action?

A.Reimage the host immediately
B.Update antivirus signatures
C.Notify the IT management team
D.Isolate the host from the network
AnswerD

Isolation stops lateral movement and is the first containment step.

Why this answer

Option D is correct because isolating the host prevents the ransomware from spreading to other systems. Option A is wrong because reimaging without isolation could fail if network propagation continues. Option C is wrong because notifying management is important but not the immediate technical first step.

Option B is wrong because updating signatures is a preventive measure, not a containment step.

137
MCQ · hard

Refer to the exhibit. A Cisco router is configured with the shown access list applied inbound on the external interface. An external attacker sends a packet with source IP 10.0.0.1, destination IP 192.168.1.100, destination port 22. What will the router do?

A.Forward the packet to the next hop
B.Permit the packet only if it is HTTP
C.Permit the packet
D.Drop the packet
AnswerD

The packet is denied by the first ACE.

Why this answer

Option D is correct because the ACL has a specific deny for SSH (port 22) to host 192.168.1.100, which matches this packet. The packet will be dropped. Option C is wrong because the permit any any only applies if no previous deny matches.

Option B is wrong because there is no such rule about port 80. Option A is wrong because the packet is not forwarded.
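The top-down, first-match evaluation this answer relies on, as an added example written for this page (not part of the original question bank). The exhibit is not reproduced here, so the two ACEs are reconstructed from the explanation and are an assumption; the model also shows the implicit deny at the end of every IOS ACL.

```python
# Added example (not from the quiz page): a minimal model of how a Cisco IOS
# extended ACL is evaluated top-down, first match wins, with an implicit
# "deny any" at the end. The exhibit is not on the page, so the two ACEs
# below are reconstructed from the explanation text and are an assumption.
from ipaddress import ip_address, ip_network

# Each ACE is (action, protocol, source network, destination network, dest port).
# Reconstructed (assumed) ACL:
#   10 deny   tcp any host 192.168.1.100 eq 22
#   20 permit ip  any any
ACL = [
    ("deny",   "tcp", "0.0.0.0/0", "192.168.1.100/32", 22),
    ("permit", "ip",  "0.0.0.0/0", "0.0.0.0/0",        None),
]


def ace_matches(ace, packet):
    """True if the packet satisfies every field of this ACE."""
    _action, proto, src_net, dst_net, dport = ace
    if proto != "ip" and proto != packet["proto"]:
        return False            # "ip" matches any IP protocol
    if ip_address(packet["src"]) not in ip_network(src_net):
        return False
    if ip_address(packet["dst"]) not in ip_network(dst_net):
        return False
    if dport is not None and packet.get("dport") != dport:
        return False
    return True


def evaluate(acl, packet):
    """Return (action, index) of the first matching ACE.

    If nothing matches, the implicit deny at the end of every IOS ACL applies,
    reported as ("deny", None).
    """
    for index, ace in enumerate(acl):
        if ace_matches(ace, packet):
            return ace[0], index
    return "deny", None


if __name__ == "__main__":
    # The packet from the question: 10.0.0.1 -> 192.168.1.100, TCP port 22.
    packet = {"proto": "tcp", "src": "10.0.0.1",
              "dst": "192.168.1.100", "dport": 22}
    print(evaluate(ACL, packet))   # ('deny', 0): matched by the first ACE
```

Reversing the two ACEs would permit the same packet, which is why ACE order, not just ACE content, decides the outcome.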

138
MCQ · hard

An organization is developing a new cloud-based application. The security policy requires that all data be encrypted in transit and at rest. Which combination of controls meets this requirement?

A.Use a VPN for all connections
B.Encrypt the database using Transparent Data Encryption (TDE)
C.Use HTTPS for all communication
D.Use HTTPS and encrypt the database with TDE
AnswerD

Combining HTTPS (transit) and TDE (at rest) satisfies both requirements.

Why this answer

Option D is correct because HTTPS encrypts data in transit and TDE encrypts data at rest. Option C is wrong because HTTPS alone does not encrypt data at rest. Option B is wrong because database encryption alone does not encrypt data in transit.

Option A is wrong because a VPN encrypts data in transit but not at rest.

139
Multi-Select · medium

A security policy requires that all data at rest be encrypted. Which TWO of the following are considered best practices for implementing encryption?

Select 2 answers
A.Implement encryption at the application layer only.
B.Store encryption keys separately from the encrypted data.
C.Use weak encryption algorithms to reduce performance impact.
D.Use hardware-based encryption if available.
E.Use the same key for all data to simplify management.
AnswersB, D

Essential for key security.

Why this answer

Options B and D are correct. Option B: storing keys separately from the encrypted data means a copy of the data alone is useless to an attacker. Option D: hardware-based encryption is more secure.

Option E: using the same key for all data weakens security. Option C: weak encryption is poor practice. Option A: encryption should be applied at multiple layers, not the application layer only.

140
MCQ · easy

A network administrator is tasked with creating a security policy for handling sensitive data. Which of the following is the most critical element to include?

A.Detailed network topology diagrams.
B.List of antivirus software versions.
C.Data classification and handling procedures.
D.Vendor contact information.
AnswerC

This defines how data should be categorized and protected, which is essential for any data security policy.

Why this answer

Data classification and handling procedures are fundamental to any data security policy. Topology, antivirus, and contacts are supporting but not the most critical.

141
Multi-Select · easy

Which TWO activities are typically part of a security policy review cycle? (Choose two.)

Select 2 answers
A.Reviewing regulatory updates
B.Delivering security awareness training
C.Conducting periodic policy audits
D.Handling a security incident
E.Applying system patches
AnswersA, C

Laws change, policies must adapt.

Why this answer

Policy review includes identifying changes in regulatory requirements and conducting periodic audits. Options A and C are correct. Option E (patching) is operational.

Option B (user training) is part of awareness, not review. Option D (incident handling) is not review.

142
MCQ · easy

Which security policy defines the process for reporting discovered security vulnerabilities to the organization?

A.Vulnerability Disclosure Policy
B.Acceptable Use Policy
C.Incident Response Policy
D.Change Management Policy
AnswerA

This policy guides reporting of vulnerabilities.

Why this answer

A vulnerability disclosure policy outlines how to report and handle security weaknesses. Option A is correct. Option C (incident response) is for active attacks.

Option B (acceptable use) is for employee behavior. Option D (change management) is for changes.

143
MCQ · easy

A security policy requires that all email attachments be scanned for malware. An employee receives a legitimate PDF from a customer that is flagged as malicious. What should the analyst do first?

A.Allow the email through since it's from a known sender.
B.Contact the customer to verify the file is intended.
C.Quarantine the email and delete the attachment.
D.Escalate to the incident response team.
E.Update the antivirus signatures and rescan.
AnswerB

Verification with sender is the appropriate first step.

Why this answer

Option B is correct because verifying with the sender prevents unnecessary actions. Option C is too aggressive without confirmation. Option D escalates prematurely.

Option E might be done later. Option A violates policy.

144
MCQ · hard

A security policy requires that all endpoints have host-based firewalls enabled. A user reports that an application stopped working after a recent update. What should the analyst do?

A.Escalate to the application vendor.
B.Create an exception rule for the application.
C.Roll back the update.
D.Disable the host firewall for that user.
E.Reinstall the application.
AnswerB

Aligns with policy while solving issue.

Why this answer

Option B is correct because creating an exception maintains the firewall policy while allowing the application. Option D violates policy. Option C may revert security patches.

Options A and E are less direct.

145
MCQ · hard

A company is implementing a new data classification policy. The policy defines three levels: Public, Internal, and Confidential. An employee accidentally emails a spreadsheet marked 'Confidential' to an external partner. The email system automatically encrypts all outbound emails containing 'Confidential' classification. Which security control is being demonstrated?

A.Auditing
B.Encryption at rest
C.Data Loss Prevention (DLP)
D.Access control
AnswerC

DLP controls can automatically encrypt outbound emails containing sensitive data based on classification.

Why this answer

Option C is correct because the email system is automatically encrypting outbound emails based on classification, which is a type of data loss prevention (DLP). Option D is wrong because access control restricts who can access data, not how it is transmitted. Option B is wrong because encryption at rest occurs when data is stored.

Option A is wrong because auditing records events but does not prevent data loss.
