Security Policies and Procedures · Hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is to automate the de-provisioning of user accounts upon employee termination. This directly addresses the root cause of the breach: a former employee's VPN account remained active for six months after they left, and it became the attacker's entry point. Automating the offboarding step of identity lifecycle management revokes access the moment an employee leaves, removing the attack vector and enforcing the principle of least privilege. On the Cisco CyberOps Associate 200-201 exam, this scenario tests your understanding of access control policies and the role of automated de-provisioning in closing off both insider and external threats. A common trap is to pick a monitoring or alerting improvement, but those only detect an attack already in progress rather than prevent it; disabling accounts at termination is a preventive control. Remember the mnemonic: "Offboard to onboard security: disable before they disable you."

200-201 Security Policies and Procedures Practice Question

This 200-201 practice question tests your understanding of security policies and procedures. Read the scenario carefully: the correct answer depends on the root cause the investigation actually identified, not on general recall alone. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

You are a security analyst at a mid-sized company that uses a mix of on-premises servers and cloud services. The company's security policy requires all sensitive data to be encrypted at rest and in transit, and all access to be logged and monitored. Recently, the company experienced a data breach where an attacker exfiltrated a database containing customer PII. The investigation revealed that the attacker gained access using a compromised VPN account that had been inactive for 6 months. The account belonged to a former employee who left the company but the account was never disabled. The VPN logs show that the account was used from an unusual IP address, but no alert was triggered because the account was not on any watchlist. The breach occurred over a weekend when the security team was not monitoring. Which of the following would have most effectively prevented this breach?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "never"

    Why it matters: Absolute qualifier. Here it appears in the scenario itself ("the account was never disabled") and names the control that failed: the account stayed active after the employee left. Options that add monitoring around that account treat the symptom; the option that fixes "never disabled" addresses the cause.

Answer choices

  A. Deploy a SIEM with anomaly detection for unusual VPN login locations.
  B. Implement multi-factor authentication on all VPN accounts.
  C. Increase the frequency of log reviews to daily.
  D. Automate the de-provisioning of user accounts upon employee termination.

Answer the question above first, then read the full breakdown below to understand why each option is right or wrong.

Correct answer & explanation

Automate the de-provisioning of user accounts upon employee termination.

The root cause of the breach was that the former employee's VPN account remained active after termination, allowing the attacker to use it. Automating the de-provisioning of user accounts upon employee termination (Option D) directly addresses this by ensuring that accounts are disabled or removed as part of the offboarding process, eliminating the attack vector entirely. This aligns with the principle of least privilege and identity lifecycle management, which are foundational to access control policies.

Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Deploy a SIEM with anomaly detection for unusual VPN login locations.

    Why it's wrong here

    This is a detective control, not a preventive one: the alert fires only after the login has already succeeded, and in this scenario nobody was watching over the weekend, so the attacker would still have had the access needed to exfiltrate the database. It also leaves the underlying problem untouched, namely that the account existed at all.

  • Implement multi-factor authentication on all VPN accounts.

    Why it's wrong here

    MFA is a strong preventive control and, if only the password had been compromised, it might well have stopped this particular login. But the scenario does not say how the credential was obtained, and MFA does not address the root cause: an orphaned account with MFA is still an orphaned account, with no owner, no one to notice its use, and a standing exposure to phishing, push fatigue or token theft. The question asks what would most effectively have prevented the breach given the root cause identified, and that root cause is an account that should not have existed after termination. Disabling it removes the attack surface entirely; MFA only hardens it.

  • Increase the frequency of log reviews to daily.

    Why it's wrong here

    Daily log review is still a detective, after-the-fact control: the breach happened over a weekend, so the first review would have come after the exfiltration, and the account would have remained active until someone noticed.

  • Automate the de-provisioning of user accounts upon employee termination.

    Why this is correct

    This directly addresses the root cause: the account should have been disabled when the employee left.

    Clue confirmation

    The clue word "never" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the distinction between preventive and detective controls, and the trap here is that candidates choose a detective solution (like SIEM or log review) because it sounds more technical, overlooking the fundamental preventive control of account lifecycle management that would have stopped the breach at its source.
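To make the preventive-versus-detective distinction concrete, here is an added example (not code from the original page or from any vendor product) of the detection logic the SIEM option describes: replaying VPN login events and alerting when an account that has been dormant longer than a threshold logs in again, or logs in from a source IP never seen for that account, with no static watchlist involved. The log format, hostnames, usernames and addresses are constructed sample data. Note what every alert carries: the timestamp of a login that has already succeeded.

```python
"""Dormant-account and new-source-IP detection over VPN login events.

The log lines below are constructed sample data in a simplified syslog-like
format (assumed for this example, not a real VPN's format).  The detector keeps
per-account state, so it needs history from before the dormant period, and an
account's very first login produces no alert (cold-start limitation).
"""
import re
from datetime import datetime, timedelta

# Constructed sample VPN log: 'bob' is the dormant account that comes back
# months later from an address he has never used before.
LOG_LINES = """\
2024-11-10T17:40:12 vpn-gw login user=bob src=203.0.113.20 result=success
2025-05-09T08:12:00 vpn-gw login user=alice src=198.51.100.7 result=success
2025-05-10T02:14:33 vpn-gw login user=bob src=192.0.2.44 result=success
2025-05-10T02:16:05 vpn-gw login user=alice src=198.51.100.7 result=success
2025-05-11T03:02:51 vpn-gw login user=carol src=198.51.100.9 result=failure
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)
DORMANT_DAYS = 30  # assumed threshold; tune to the environment


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, dormant_days=DORMANT_DAYS):
    """Replay successful logins in order and return a list of alert dicts.

    Two conditions are checked per login, using only the account's own history:
      * the gap since its previous successful login exceeds dormant_days;
      * the source IP has never been seen for this account before.
    Failed logins are ignored for state purposes but could be counted separately.
    """
    last_seen = {}   # user -> datetime of previous successful login
    ips_seen = {}    # user -> set of source IPs used so far
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        reasons = []
        if user in last_seen and ts - last_seen[user] > timedelta(days=dormant_days):
            gap = (ts - last_seen[user]).days
            reasons.append(f"dormant account active again after {gap} days")
        if user in ips_seen and src not in ips_seen[user]:
            reasons.append(f"first login from {src}")
        if reasons:
            # The session is already established at ev["ts"]; this is detection.
            alerts.append({"ts": ts, "user": user, "src": src, "reasons": reasons})
        last_seen[user] = ts
        ips_seen.setdefault(user, set()).add(src)
    return alerts


if __name__ == "__main__":
    for a in detect(LOG_LINES):
        print(a["ts"].isoformat(), a["user"], a["src"], "; ".join(a["reasons"]))
```

Run against the sample, the only alert is for bob's 02:14 login on 2025-05-10, 180 days after his last one and from a new address. That is useful telemetry, but it arrives at 02:14 on a Saturday, after the VPN session is up; a disabled account would never have produced the login at all.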

Trap categories for this question

  • Scenario analysis trap

    MFA sounds like the strongest available control and it is genuinely valuable, so many candidates reach for it. But the scenario does not say how the credential was obtained, and an orphaned account protected by MFA is still an orphaned account: nobody owns it, nobody would notice its use, and it remains a target for phishing, push fatigue or token theft. The question asks what would most effectively have prevented this breach given the stated root cause, and that root cause is an account that was never disabled. Read the scenario for the failed control before choosing the most technical-sounding fix.

Detailed technical explanation

How to think about this question

Account de-provisioning is a critical part of the identity lifecycle management (ILM) process, often automated by integrating the HR system with the identity provider using SCIM (System for Cross-domain Identity Management) or LDAP directory synchronization, so that an HR termination event disables the account the same day. A common real-world failure is the "orphaned account": an account that remains active in Active Directory, a cloud IAM or a VPN concentrator after an employee leaves. Because nobody owns it, nobody notices when it is used, and it can be exploited through reuse of the departed user's own credentials, credential stuffing or brute force. Event-driven offboarding should be backed by a periodic reconciliation of directory accounts against the HR roster, which catches accounts the event flow missed and accounts that no longer map to anyone. The 200-201 exam emphasizes that preventive controls (like disabling accounts) are more effective than detective controls (like log review) for such identity-based attacks.
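The reconciliation described above, as an added example that is not part of the original page and does not represent any particular HR or IdP product's API: an HR roster export and an identity-store export are compared, enabled accounts whose owner is terminated or who has no HR record are disabled immediately, and accounts belonging to current staff that have not logged in for a long time are queued for review. The data, usernames, field names and the `disable_account` stand-in for a SCIM or directory call are all constructed for the example.

```python
"""HR-roster to identity-store reconciliation for automated de-provisioning.

Both inputs are constructed sample exports (assumed shapes, not a real SCIM or
HR schema).  In production the roster comes from the HR system and the account
list from the IdP, directory or VPN concentrator; disable_account() stands in
for the real API call (for SCIM, a PATCH setting active=false).
"""
from datetime import date, datetime

# Constructed HR export: one record per employee.
HR_ROSTER = [
    {"employee_id": "E100", "username": "alice", "status": "active",     "termination_date": None},
    {"employee_id": "E101", "username": "bob",   "status": "terminated", "termination_date": "2024-11-15"},
    {"employee_id": "E102", "username": "carol", "status": "active",     "termination_date": None},
]

# Constructed identity-store export with last successful login per account.
ACCOUNTS = [
    {"username": "alice",   "enabled": True,  "last_login": "2025-05-09T08:12:00"},
    {"username": "bob",     "enabled": True,  "last_login": "2024-11-10T17:40:00"},  # owner left, never disabled
    {"username": "carol",   "enabled": True,  "last_login": "2025-02-01T09:00:00"},  # current staff, dormant
    {"username": "svc-old", "enabled": True,  "last_login": "2024-06-30T23:59:00"},  # no HR record at all
    {"username": "dave",    "enabled": False, "last_login": "2024-03-01T00:00:00"},  # already disabled
]

AS_OF = date(2025, 5, 12)   # the day the reconciliation runs (constructed)
DORMANT_DAYS = 90           # assumed review threshold


def reconcile(hr_roster, accounts, today, dormant_days=DORMANT_DAYS):
    """Return {username: reason} for every enabled account that needs action.

    Terminated-owner and orphaned accounts are disable-now findings; dormant
    accounts of current staff are flagged for review rather than cut off blindly.
    """
    by_user = {r["username"]: r for r in hr_roster}
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already de-provisioned; nothing to do
        rec = by_user.get(acct["username"])
        if rec is None:
            findings[acct["username"]] = "orphaned: no HR record"
            continue
        if rec["status"] != "active":
            findings[acct["username"]] = f"terminated on {rec['termination_date']}"
            continue
        last = datetime.fromisoformat(acct["last_login"]).date()
        if (today - last).days > dormant_days:
            findings[acct["username"]] = f"dormant: last login {last.isoformat()}"
    return findings


def disable_account(username, store):
    """Stand-in for the IdP/VPN disable call; mutates the in-memory store."""
    for acct in store:
        if acct["username"] == username:
            acct["enabled"] = False
            return True
    return False


def offboard(hr_roster, accounts, today=AS_OF):
    """Disable terminated and orphaned accounts; return (disabled, review) lists."""
    disabled, review = [], []
    for user, reason in reconcile(hr_roster, accounts, today).items():
        if reason.startswith("dormant"):
            review.append((user, reason))
        else:
            disable_account(user, accounts)
            disabled.append((user, reason))
    return disabled, review


if __name__ == "__main__":
    done, pending = offboard(HR_ROSTER, ACCOUNTS)
    for user, why in done:
        print("DISABLED", user, why)
    for user, why in pending:
        print("REVIEW  ", user, why)
```

Two design choices matter here. First, terminated and orphaned accounts are disabled, not deleted, so that logs, mailboxes and ownership of resources survive for the investigation that follows a breach like the one in the scenario. Second, dormancy alone is only a review signal: it is a useful safety net, but in this scenario bob's account would have been caught by the termination check on the day he left, six months before the dormancy threshold was ever relevant.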

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

In practice, offboarding is driven from the HR system: when a record is marked terminated, a SCIM or directory-sync integration disables the user's accounts in the identity provider, the VPN and cloud IAM the same day, and a periodic reconciliation of every directory account against the HR roster catches anything the event flow missed. Exam questions on this topic test whether you can tell a preventive control (the account is gone) from a detective one (someone notices the account being used), and whether you trace the answer back to the root cause the scenario states rather than to the most technical-sounding option.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Practice this exam

Start a free 200-201 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-201 question test?

Security Policies and Procedures: the distinction between preventive and detective access controls, and why you should read the scenario for its root cause before reaching for a memorised answer.

What is the correct answer to this question?

The correct answer is: Automate the de-provisioning of user accounts upon employee termination. — The root cause of the breach was that the former employee's VPN account remained active after termination, allowing the attacker to use it. Automating the de-provisioning of user accounts upon employee termination (Option D) directly addresses this by ensuring that accounts are disabled or removed as part of the offboarding process, eliminating the attack vector entirely. This aligns with the principle of least privilege and identity lifecycle management, which are foundational to access control policies.

What should I do if I get this 200-201 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "never". Absolute qualifier. True only if the statement has zero exceptions — be cautious of options that seem obvious but break down in edge cases.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.


This 200-201 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-201 exam.