CCNA Physical Security Controls Questions

30 questions · Physical Security Controls · All types, answers revealed

1
MCQeasy

A customer reports that their laptop was stolen from their desk over the weekend. The laptop contained sensitive client data. Which physical security control should have been implemented to prevent this theft?

A.Biometric authentication
B.Cable lock
C.Full disk encryption
D.Smart card reader
AnswerB

A cable lock physically secures the laptop to a desk, making theft much more difficult and time-consuming.

Why this answer

A cable lock is a physical security control that physically secures the laptop to a desk or immovable object, preventing unauthorized removal. In this scenario, the laptop was stolen from the desk, so a cable lock would have directly prevented the theft by tethering the device in place.

Exam trap

CompTIA often tests the distinction between physical security controls that prevent theft (like cable locks) versus controls that protect data after theft (like encryption), leading candidates to confuse data protection with physical prevention.

How to eliminate wrong answers

Option A is wrong because biometric authentication (e.g., fingerprint or facial recognition) is an access control mechanism that verifies identity, but it does not physically prevent the laptop from being taken. Option C is wrong because full disk encryption protects data confidentiality if the laptop is stolen, but it does not prevent the theft itself. Option D is wrong because a smart card reader is an authentication device that requires a smart card for access, but it does not physically secure the laptop to a location.

2
MCQhard

An organization experiences a data breach when an attacker physically removes hard drives from a decommissioned server that was placed in a storage area without being properly sanitized. What physical security control should have been implemented?

A.Install a surveillance camera in the storage area.
B.Require a smart card to access the storage area.
C.Use a degausser to erase the hard drives before disposal.
D.Apply tamper-evident seals to the server chassis.
AnswerC

Degaussing renders the data unrecoverable, eliminating the risk even if drives are stolen.

Why this answer

Option C is correct because the core issue is that the hard drives were not properly sanitized before disposal, allowing an attacker to recover data from them. A degausser is a physical security control that uses a strong magnetic field to erase data on magnetic media, such as hard disk drives (HDDs), rendering the drives unreadable and unrecoverable. This directly addresses the root cause of the breach by ensuring data is destroyed before the hardware leaves a secure environment.

Exam trap

CompTIA often tests the distinction between preventive controls (like sanitization) and detective or deterrent controls (like cameras or seals), leading candidates to choose a control that monitors or restricts access rather than the one that directly eliminates the data vulnerability.

How to eliminate wrong answers

Option A is wrong because installing a surveillance camera is a detective control that records activity but does not prevent an attacker from physically removing and reading data from unsanitized drives; it only provides evidence after the fact. Option B is wrong because requiring a smart card to access the storage area is an access control that restricts entry but does not address the fundamental failure to sanitize the drives; an authorized person with access could still remove and exploit the drives. Option D is wrong because applying tamper-evident seals to the server chassis is a deterrent that indicates if the server has been opened, but it does not prevent data recovery from the drives themselves, nor does it sanitize the data; the attacker could still remove the drives and bypass the seals.

3
MCQeasy

During a security audit, you find that a company's server room door is propped open with a trash can to allow airflow. What is the most immediate physical security risk in this scenario?

A.Increased dust entering the server room
B.Fire suppression system may not work
C.Unauthorized personnel can enter the server room
D.The door closer will wear out faster
AnswerC

An unsecured door allows anyone to walk in, defeating the purpose of access controls and posing a serious security threat.

Why this answer

Option C is correct because the most immediate physical security risk of a propped-open server room door is that it completely bypasses access control mechanisms (e.g., badge readers, PIN pads, biometric scanners). This allows any unauthorized person—whether an employee without clearance, a visitor, or an intruder—to enter the server room undetected, potentially leading to theft, vandalism, or data breaches. Physical security controls are the first line of defense, and an open door nullifies them instantly.

Exam trap

This question tests the ability to prioritize immediate security risks over environmental or maintenance issues; the trap is choosing a plausible but less critical concern (like dust or fire suppression) instead of the direct breach of physical access control.

How to eliminate wrong answers

Option A is wrong because while increased dust can be a concern for equipment longevity, it is not the most immediate security risk; dust accumulation is a gradual environmental issue, not an instant security breach. Option B is wrong because a propped-open door does not directly affect the fire suppression system (e.g., FM-200 or inert gas systems) unless the door is part of the room's containment strategy, but the immediate risk is still unauthorized access, not suppression failure. Option D is wrong because door closer wear is a maintenance concern, not a security risk; it is a long-term mechanical issue that does not pose an immediate threat to assets or data.

4
MCQhard

A small business wants to secure its network switch located in a shared office area. The switch has no built-in lock. Which combination of physical controls provides the best protection against unauthorized tampering?

A.Place the switch in a lockable cabinet and enable MAC address filtering.
B.Use a cable lock to secure the switch to the desk.
C.Install a privacy filter on the switch's LED display.
D.Apply tamper-evident tape over the switch's vents.
AnswerA

The cabinet prevents physical access, and MAC filtering restricts which devices can connect logically.

Why this answer

A lockable cabinet prevents physical access to the switch, and port security prevents unauthorized devices from connecting to the network. This question tests layered physical and logical security for network infrastructure.

5
MCQmedium

A company is deploying new laptops to remote workers. They need to ensure that if a laptop is stolen, the data on it cannot be accessed. Which two physical security controls should be configured before shipment?

A.Cable lock and privacy filter.
B.Full-disk encryption and a BIOS/UEFI password.
C.Smart card reader and biometric scanner.
D.Asset tracking tag and a Kensington lock slot.
AnswerB

Encryption secures data, and a BIOS password prevents booting from unauthorized media or changing settings.

Why this answer

Full-disk encryption protects data at rest, and a BIOS/UEFI password prevents unauthorized booting or tampering with boot settings. This question tests the combination of controls needed for remote device security.

6
MCQhard

A company experiences a data breach after an attacker physically removes a hard drive from an unsecured workstation. The workstation was in a public area. Which combination of physical and logical controls would have best prevented this?

A.Cable lock and BIOS password
B.Cable lock and full-disk encryption
C.Security camera and Windows password
D.Proximity card reader and screen lock
AnswerB

The cable lock deters theft; full-disk encryption ensures data is unreadable if the drive is stolen.

Why this answer

Option B is correct because a cable lock physically secures the workstation to a fixed object, preventing the attacker from removing the hard drive, while full-disk encryption (FDE) renders the data on the drive unreadable even if the drive is physically removed. Together, they address both the physical theft vector and the data exposure risk, which a single control cannot achieve. Without FDE, a BIOS password or Windows password can be bypassed by removing the drive and reading it from another system.

Exam trap

A common trap in this question is that candidates think a BIOS password or OS login password protects data at rest, when in fact these controls only protect the system while it is running and can be bypassed by removing the storage device.

How to eliminate wrong answers

Option A is wrong because a cable lock prevents physical removal, but a BIOS password only protects the boot process; an attacker can remove the hard drive and access its data by connecting it to another machine, bypassing the BIOS password entirely. Option C is wrong because a security camera only provides after-the-fact identification, not prevention, and a Windows password can be bypassed by removing the hard drive and reading it from another system. Option D is wrong because a proximity card reader controls access to the area, but if the workstation is already in a public area, it does not prevent the attacker from physically removing the hard drive, and a screen lock is easily bypassed by removing the drive.

7
MCQeasy

A small business wants to prevent unauthorized individuals from following employees through a secure entrance after badge access is granted. Which physical security control is specifically designed to address this threat?

A.Install a biometric fingerprint scanner
B.Use a proximity card reader
C.Deploy a mantrap
D.Add a security guard
AnswerC

A mantrap physically isolates each person, ensuring only one authenticated individual passes through at a time.

Why this answer

A mantrap is a physical security control consisting of two interlocking doors with a small vestibule between them. It prevents tailgating by allowing only one person to enter at a time; the first door must close and lock before the second door can open, ensuring that only the authenticated individual passes through.

Exam trap

The trap here is that candidates confuse authentication controls (biometrics, card readers) with access control mechanisms that prevent tailgating, failing to recognize that authentication alone does not enforce single-person entry.

How to eliminate wrong answers

Option A is wrong because a biometric fingerprint scanner authenticates identity but does not prevent an unauthorized person from following an authorized user through the door after access is granted. Option B is wrong because a proximity card reader grants access based on a card but offers no mechanism to stop tailgating once the door is opened. Option D is wrong because a security guard can monitor and intervene, but the question asks for a control specifically designed to address tailgating; a mantrap is a dedicated engineered solution, whereas a guard is a human control that may be inconsistent or bypassed.

8
MCQmedium

A user complains that their computer is running slowly and they see a USB drive they don't recognize plugged into the front port. What is the first step a technician should take to address this potential security issue?

A.Run a full antivirus scan on the computer.
B.Check the USB drive's contents to see what it contains.
C.Ask the user to unplug the USB drive immediately.
D.Disable the USB ports in the BIOS.
AnswerC

Removing the device stops any ongoing malicious activity and is the first step in containment.

Why this answer

Option C is correct because the immediate priority is to contain the potential security threat by physically removing the unknown USB drive. This follows the principle of least privilege and incident response best practices: isolate the suspect device before performing any analysis or remediation. Unplugging the drive stops any ongoing data exfiltration or malware installation, which is the first step in a security incident response.

Exam trap

The trap here is that candidates often jump to scanning or investigating the drive (options A or B) because they focus on detection rather than containment, but the CompTIA A+ 220-1102 exam emphasizes immediate isolation as the first step in security incident response.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan while the unknown USB drive is still connected could allow malware to execute or spread during the scan, and antivirus may not detect all threats (e.g., zero-day exploits or fileless malware). Option B is wrong because checking the USB drive's contents exposes the technician to potential malware (e.g., autorun.inf triggering a payload) and could compromise the system further; forensic analysis should be done in a controlled environment. Option D is wrong because disabling USB ports in the BIOS is a long-term administrative control that takes time and may affect legitimate devices; it does not address the immediate threat of the already-connected unknown drive.

9
MCQmedium

A company's server room has a door with a proximity card reader. Employees report that the door sometimes does not close fully, allowing it to be pushed open without a card. What is the best solution?

A.Replace the proximity card reader with a biometric reader
B.Install a door closer mechanism
C.Add a security camera to monitor the door
D.Increase the frequency of badge audits
AnswerB

A door closer automatically pulls the door shut and ensures it latches, preventing unauthorized entry through an unsecured door.

Why this answer

The core issue is that the door fails to close fully, bypassing the proximity card reader's access control. A door closer mechanism is a mechanical device that automatically pulls the door shut, ensuring it latches and requires card authentication to re-enter. This directly addresses the physical vulnerability without changing the authentication method.

Exam trap

The trap here is that candidates focus on the authentication technology (card reader) rather than the physical barrier integrity, mistakenly thinking a stronger authentication method (biometric) will solve a mechanical latching problem.

How to eliminate wrong answers

Option A is wrong because replacing the reader with a biometric reader does not fix the mechanical problem of the door not closing; it only changes the authentication factor, leaving the bypass vulnerability intact. Option C is wrong because adding a security camera only monitors the door after the fact, it does not prevent unauthorized entry when the door is left ajar. Option D is wrong because increasing badge audit frequency is an administrative control that detects misuse but does not physically secure the door from being pushed open without a card.

10
MCQhard

During a routine security walkthrough, you notice that an employee has propped open a secured door to the server room with a doorstop to allow easy access for a cleaning crew. What is the most immediate action you should take?

A.Remove the doorstop and close the door.
B.Document the incident and report it to the security manager.
C.Reprimand the employee who propped the door.
D.Install a door alarm that sounds if the door is open too long.
AnswerA

This immediately restores the physical security of the server room.

Why this answer

The immediate priority is to restore the physical security control by removing the doorstop and closing the door. A propped-open door bypasses the access control system (e.g., card reader, electronic lock), allowing unauthorized entry to the server room. This action directly mitigates the active vulnerability without delay.

Exam trap

CompTIA often tests the distinction between immediate corrective action and administrative follow-up, trapping candidates who choose documentation or reprimand over directly closing the security gap.

How to eliminate wrong answers

Option B is wrong because documenting and reporting, while important, is a secondary step; the immediate threat of unauthorized access must be addressed first. Option C is wrong because reprimanding the employee is a managerial or HR action that does not resolve the current security breach. Option D is wrong because installing a door alarm is a long-term corrective control, not an immediate response to an active physical security gap.

11
MCQmedium

During a security incident investigation, you discover that an attacker gained physical access to a network closet by using a cloned RFID badge. Which control would have most effectively prevented this type of attack?

A.Install a CCTV camera in the closet
B.Use a biometric reader instead of RFID
C.Add a door sensor alarm
D.Require a second factor like a PIN
AnswerB

Biometrics cannot be cloned like an RFID badge, as they rely on unique physical characteristics.

Why this answer

A biometric reader (e.g., fingerprint or iris scanner) is the most effective control because it authenticates based on a unique physical trait that cannot be cloned or duplicated like an RFID badge. Since the attacker used a cloned RFID badge, a biometric system would have required the attacker's own biometric data, which they cannot replicate from the legitimate user. This directly addresses the root cause of the attack—credential theft via cloning—rather than merely detecting or delaying it.

Exam trap

CompTIA often tests the distinction between preventive and detective controls, and the trap here is that candidates confuse 'detecting' an intrusion (CCTV, door alarm) with 'preventing' the root cause (biometric authentication), leading them to choose a reactive measure instead of a proactive one.

How to eliminate wrong answers

Option A is wrong because a CCTV camera is a detective control that records incidents after they occur; it does not prevent an attacker from gaining physical access with a cloned badge. Option C is wrong because a door sensor alarm is a detection mechanism that alerts to unauthorized entry but does not stop the attacker from entering the closet in the first place. Option D is wrong because requiring a second factor like a PIN still relies on the RFID badge as the first factor; if the badge is cloned, the attacker can still present the cloned badge and then enter a PIN (which could be observed or guessed), so it does not prevent the core cloning attack.

12
MCQmedium

A helpdesk technician receives a call from an employee who says their smart card stopped working for building access. The employee is in a hurry and asks the technician to remotely disable the card and issue a temporary PIN for the day. What should the technician do first?

A.Disable the smart card and provide a temporary PIN as requested.
B.Ask the employee to visit the security office in person with a photo ID.
C.Reset the smart card remotely and test it with a badge reader.
D.Send a temporary PIN via email to the employee's company address.
AnswerB

In-person verification with a photo ID ensures the request is legitimate before making changes.

Why this answer

Option B is correct because smart card credentials for physical access are typically managed by a separate physical security system (e.g., an access control server), not the helpdesk's IT identity management system. The technician cannot remotely disable the card or issue a temporary PIN without proper authorization and verification of the caller's identity. The standard procedure is to require in-person verification with a photo ID at the security office to prevent social engineering attacks.

Exam trap

The trap here is that candidates assume the helpdesk has full control over all credential types (logical and physical) and can perform remote operations on smart cards, when in fact physical access systems are usually separate and require in-person identity verification.

How to eliminate wrong answers

Option A is wrong because disabling a smart card and issuing a temporary PIN without verifying the caller's identity violates security policy and could allow an attacker to gain unauthorized physical access. Option C is wrong because the technician cannot reset or test a smart card remotely; smart cards are physical tokens that require local interaction with a reader, and remote testing is not possible. Option D is wrong because sending a temporary PIN via email is insecure; email is not encrypted end-to-end by default and could be intercepted, and the PIN should be delivered through a secure out-of-band method.

13
MCQeasy

A customer reports that their laptop was stolen from a locked office over the weekend. The office door uses a standard key lock, and the laptop was not physically secured. Which physical security control would have most likely prevented this theft?

A.Use a smart card reader on the door
B.Install a security camera in the hallway
C.Attach a cable lock to the laptop
D.Enable BitLocker on the laptop
AnswerC

A cable lock anchors the laptop to a fixed object, making theft much harder and time-consuming.

Why this answer

This question tests knowledge of physical security controls that deter theft. A cable lock physically attaches the laptop to a desk, making it difficult to remove quickly. Key locks on doors alone are insufficient if someone gains access; cable locks provide a secondary layer of defense.

14
MCQhard

During a security audit, you find that a server room door has a standard key lock, but the key is kept in an unlocked drawer nearby. Which physical security principle is being violated?

A.Least privilege
B.Defense in depth
C.Separation of duties
D.Change management
AnswerB

Defense in depth means using multiple layers of security; storing the key insecurely removes the protection of the lock.

Why this answer

The principle of defense in depth requires multiple layers of security. Storing the key in an unlocked drawer negates the door lock, creating a single point of failure. Proper key management is essential.

15
MCQmedium

A retail store wants to protect its point-of-sale (POS) terminals from unauthorized physical access during off-hours. The terminals are in an open area with no lockable cabinets. Which control should be prioritized?

A.Install a privacy screen on each POS terminal.
B.Use tamper-evident seals on the terminal casings.
C.Require a smart card to power on the terminal.
D.Enable a screensaver with a password.
AnswerB

Seals show if the terminal has been opened, alerting staff to potential tampering.

Why this answer

Tamper-evident seals provide a visible indicator if a device has been opened, deterring unauthorized physical access to internal components. This question tests understanding of physical security for unattended devices.

16
MCQhard

A company is designing a secure entry for a high-security lab. They need to ensure that only one person can enter at a time and that the person must be authenticated before the second door opens. Which physical security control should be used?

A.Turnstile with biometric reader
B.Security guard with logbook
C.Mantrap with smart card and biometric authentication
D.Cipher lock with door alarm
AnswerC

A mantrap uses two doors; the first door locks after entry, and the second door only unlocks after successful authentication, ensuring single-person access.

Why this answer

A mantrap (also called an interlocking door system) is the correct physical security control because it creates a small vestibule with two interlocking doors that prevent more than one person from entering at a time. The requirement for smart card and biometric authentication ensures that the person must be authenticated before the second door opens, providing both identity verification and access control. This design enforces a strict one-person entry sequence and prevents tailgating or piggybacking.

Exam trap

CompTIA A+ often tests the distinction between a turnstile (which only prevents tailgating but does not enforce a two-door interlock with authentication) and a mantrap (which provides a secure vestibule with interlocking doors and mandatory authentication before the second door opens).

How to eliminate wrong answers

Option A is wrong because a turnstile with a biometric reader allows one person to pass at a time but does not create a secure holding area with interlocking doors; it cannot prevent a second person from following closely behind (tailgating) and does not enforce authentication before a second door opens. Option B is wrong because a security guard with a logbook relies on human observation and manual logging, which is prone to error, does not provide automated interlocking door control, and cannot guarantee that only one authenticated person enters at a time. Option D is wrong because a cipher lock with a door alarm provides only a single door with a keypad code and an alarm, lacking the two-door interlock mechanism and the multi-factor authentication (smart card + biometric) required to ensure one-person entry and authentication before the second door opens.

17
MCQeasy

During a routine security audit, you find that an employee has taped their door lock open to avoid using their badge every time they leave for a break. What is the most immediate security concern with this practice?

A.The employee might lose their badge
B.It violates company badge policy
C.Unauthorized persons can enter without credentials
D.The door lock may break from being forced open
AnswerC

Propping a door open eliminates the need for authentication, creating a direct security breach.

Why this answer

Option C is correct because propping a door lock open bypasses the physical access control system (PACS), allowing anyone—including unauthorized individuals—to enter the secured area without presenting valid credentials (e.g., a proximity card or PIN). This directly defeats the purpose of the access control mechanism, which is to authenticate and log each entry. The most immediate risk is that an attacker or tailgater can gain unrestricted physical access to sensitive assets, systems, or data.

Exam trap

The CompTIA A+ exam often tests the distinction between a policy violation and an actual security vulnerability—candidates may pick Option B because they focus on compliance rather than the immediate operational risk of unauthorized physical access.

How to eliminate wrong answers

Option A is wrong because losing a badge is a secondary concern that can be mitigated by deactivating the lost badge, whereas the open door creates an immediate, ongoing vulnerability. Option B is wrong because while violating badge policy is a compliance issue, the core security concern is the operational bypass of access control, not the policy violation itself. Option D is wrong because the door lock breaking from being forced open is a mechanical maintenance issue, not an immediate security threat—the primary risk is unauthorized entry, not equipment damage.

18
MCQmedium

A technician is tasked with securing a shared office printer that stores sensitive documents on its hard drive. The printer is in an open area. Which physical security measure should be prioritized to protect the data on the printer?

A.Enable secure print release with a PIN
B.Encrypt the printer's hard drive
C.Place the printer in a locked room
D.Use a cable lock on the printer
AnswerC

Physical access control prevents unauthorized individuals from tampering with or stealing the printer's hard drive.

Why this answer

Option C is correct because the most effective physical security measure to protect sensitive data on a printer's hard drive in an open area is to control physical access to the device itself. Placing the printer in a locked room prevents unauthorized individuals from physically removing the hard drive or accessing the printer's internal components, which is the primary threat in an open area. While encryption and secure release are important, they do not mitigate the risk of physical theft or tampering with the storage medium.

Exam trap

CompTIA often tests the principle that physical security controls must address the most direct threat vector; the trap here is that candidates confuse data-at-rest protections (encryption) with physical access controls, failing to recognize that encryption does not prevent physical theft or tampering with the storage medium.

How to eliminate wrong answers

Option A is wrong because enabling secure print release with a PIN only controls the release of print jobs, not the data already stored on the printer's hard drive; an attacker could still physically steal the drive and extract data offline. Option B is wrong because encrypting the printer's hard drive protects data at rest but does not prevent physical theft of the drive or the printer itself; encryption is a complementary control, not a substitute for physical access control. Option D is wrong because using a cable lock on the printer only prevents the printer from being easily carried away, but it does not prevent an attacker from opening the printer's casing and removing the hard drive or accessing the data directly.

19
MCQmedium

A technician is configuring a new server rack in a shared office space. Which physical security measure should be applied to prevent unauthorized physical access to the servers?

A.Install a door alarm on the office entrance
B.Use rack-mount locks on each server chassis
C.Enable BitLocker on all server drives
D.Configure a strong BIOS password
AnswerB

Rack-mount locks physically prevent the server from being slid out or tampered with, directly securing the hardware.

Why this answer

Option B is correct because rack-mount locks provide a direct physical barrier that prevents unauthorized individuals from opening the server chassis and accessing internal components, such as hard drives, memory, or cables. In a shared office space, this is the most effective measure to deter tampering, theft, or accidental damage at the rack level.

Exam trap

The trap here is that candidates often confuse logical security controls (like BitLocker or BIOS passwords) with physical security controls, failing to recognize that only a physical barrier like a lock prevents direct hardware access.

How to eliminate wrong answers

Option A is wrong because a door alarm on the office entrance only alerts to unauthorized entry into the room but does not prevent direct physical access to the server chassis once inside; it is a perimeter control, not a server-level control. Option C is wrong because BitLocker is a full-disk encryption technology that protects data at rest if a drive is removed, but it does not prevent physical access to the server itself or its components. Option D is wrong because a BIOS password controls boot-level access and prevents unauthorized changes to firmware settings, but it does not prevent someone from physically opening the chassis, removing drives, or tampering with hardware.

20
MCQmedium

During a security audit, you discover that a supply closet containing spare hard drives has a door that can be opened with a standard paperclip. What is the most appropriate recommendation to address this vulnerability?

A.Replace the door with a solid-core door and install a deadbolt.
B.Install a privacy filter on the closet door window.
C.Upgrade the lock to a tamper-resistant electronic lock.
D.Place a sign on the door warning of security cameras.
AnswerC

An electronic lock with a secure mechanism prevents bypass with simple tools like a paperclip.

Why this answer

Option C is correct because the vulnerability is a weak physical lock that can be bypassed with a simple tool. Upgrading to a tamper-resistant electronic lock, such as one with a keypad or biometric reader, significantly increases the difficulty of unauthorized entry. This directly addresses the core issue of inadequate access control for sensitive assets like spare hard drives.

Exam trap

CompTIA A+ often tests the distinction between deterrent controls (signs, cameras) and preventive controls (locks, access control systems), leading candidates to choose a visible but ineffective option like a warning sign instead of a technical fix.

How to eliminate wrong answers

Option A is wrong because replacing the door and installing a deadbolt is an over-engineered solution that does not specifically address the lock vulnerability; a deadbolt can still be picked or bypassed with a paperclip if the lock cylinder is weak. Option B is wrong because a privacy filter on the window only prevents visual observation, not physical access, and does nothing to secure the door lock. Option D is wrong because a warning sign is a deterrent, not a physical control; it does not prevent an attacker from using a paperclip to open the door.

21
MCQhard

A technician is deploying laptops for a sales team that works remotely from coffee shops and client sites. The laptops contain sensitive customer data. Which physical security control is most practical for these mobile devices?

A.Install a laptop tracking software
B.Use a biometric fingerprint reader on the laptop
C.Require a smart card for login
D.Attach a cable lock to the laptop
AnswerD

A cable lock physically anchors the laptop to a table or desk, making it difficult to steal, which is the most practical physical control for mobile devices.

Why this answer

A cable lock is the most practical physical security control for mobile devices used in public spaces because it physically secures the laptop to a fixed object, preventing theft. Unlike software or authentication measures, a cable lock directly addresses the risk of the device being physically taken, which is the primary threat when working in coffee shops or client sites.

Exam trap

The A+ exam often tests the distinction between physical security controls (like cable locks) and logical/authentication controls (like biometrics or smart cards), so the trap here is confusing authentication methods with physical theft prevention.

How to eliminate wrong answers

Option A is wrong because laptop tracking software is a reactive measure that helps locate a stolen device after the fact, but it does not prevent the initial theft or protect sensitive data in the moment. Option B is wrong because a biometric fingerprint reader provides authentication security, not physical security; it can be bypassed if the device is stolen and the attacker uses other methods to access data. Option C is wrong because requiring a smart card for login is an authentication control that protects access to the operating system, but it does not prevent the physical theft of the laptop itself.

22
MCQmedium

A technician is troubleshooting why a smart card reader at a secure entrance fails intermittently. Users can sometimes enter, but other times the reader does not respond. What should the technician check first?

A.Update the smart card reader firmware
B.Replace the smart cards for all users
C.Check the cabling and connections to the reader
D.Reconfigure the access control software
AnswerC

Intermittent connectivity often points to loose or damaged cables; verifying physical connections is a quick and effective first step.

Why this answer

Intermittent failures in a smart card reader are most often caused by physical connection issues, such as loose or damaged cabling, rather than software or firmware problems. Checking cabling and connections is the first step in a structured troubleshooting approach because it addresses the most common and easily verifiable cause of intermittent behavior.

Exam trap

Cisco often tests the principle of 'starting with the simplest and most likely cause' in troubleshooting scenarios, and the trap here is that candidates jump to firmware or software fixes without first verifying the physical layer.

How to eliminate wrong answers

Option A is wrong because updating firmware is a more advanced step that should only be attempted after verifying physical connections and power; firmware issues typically cause consistent failures, not intermittent ones. Option B is wrong because replacing all smart cards is an expensive and disruptive action that assumes a widespread card failure, which is unlikely when the reader itself is unresponsive and the problem is intermittent. Option D is wrong because reconfiguring access control software would not resolve a hardware-level intermittent connection problem; software misconfiguration usually results in consistent access denials or errors, not random unresponsiveness.

23
MCQeasy

A small office wants to restrict access to the server room to only authorized IT staff. They need a solution that does not require keys or cards that can be lost. Which physical security control should they implement?

A.Keyed lock
B.Proximity card reader
C.Biometric lock
D.Cipher lock
AnswerC

Biometric locks use fingerprints or other unique traits, so no keys or cards are needed, meeting the requirement perfectly.

Why this answer

Biometric locks use unique physical characteristics like fingerprints, eliminating the need for keys or cards that can be lost or stolen. This question tests knowledge of access control methods that combine security with convenience.

24
MCQeasy

A user reports that their laptop was stolen from their desk overnight. The security team reviews badge logs and finds no after-hours access to the floor. What physical security control should be implemented to prevent this from recurring?

A.Install a biometric fingerprint reader on the laptop.
B.Require a smart card to log in to the laptop.
C.Use a cable lock to secure the laptop to the desk.
D.Enable full-disk encryption on the laptop.
AnswerC

A cable lock physically attaches the laptop to a stationary object, deterring theft.

Why this answer

Option C is correct because a cable lock physically secures the laptop to a fixed object like a desk, directly preventing theft by requiring physical force or tool removal. Since the breach occurred overnight with no after-hours access, the threat was unauthorized physical removal, not logical access. A cable lock is the only control that addresses the physical theft vector by tethering the device to an immovable anchor.

Exam trap

CompTIA often tests the distinction between physical security controls (preventing theft/damage) and logical/data security controls (preventing unauthorized access or data loss), leading candidates to choose encryption or authentication options when the scenario clearly describes physical removal.

How to eliminate wrong answers

Option A is wrong because a biometric fingerprint reader authenticates the user at login, but does not prevent the laptop from being physically taken from the desk; it only controls logical access after power-on. Option B is wrong because requiring a smart card to log in controls authentication, not physical theft; the laptop can still be stolen regardless of login requirements. Option D is wrong because full-disk encryption protects data confidentiality if the laptop is stolen, but does not prevent the theft itself; it is a data protection control, not a physical security control.

25
MCQeasy

A company is implementing a new policy to prevent tailgating at the main entrance. Which physical security control should they deploy?

A.Security cameras
B.Biometric reader
C.Mantrap
D.Badge reader
AnswerC

A mantrap creates a small vestibule with two doors, allowing only one person to pass after authentication, directly preventing tailgating.

Why this answer

A mantrap uses two interlocking doors to ensure only one person can enter at a time, effectively preventing tailgating. This tests understanding of specialized access controls designed to enforce one-person-per-authentication.

26
MCQeasy

A company wants to secure its server room door so that only authorized personnel can enter. They need a system that can be quickly revoked if an employee leaves and that logs entry attempts. Which physical security control best meets these requirements?

A.A combination lock with a shared code.
B.A biometric fingerprint scanner.
C.An electronic key card system.
D.A physical key and lock system.
AnswerC

Key cards can be individually deactivated and generate logs of each entry attempt.

Why this answer

An electronic key card system meets both requirements: access can be instantly revoked by deactivating the card in the central database, and each entry attempt is logged with a timestamp and card ID. This provides granular, auditable access control without the need to physically change locks or share codes.

Exam trap

CompTIA often tests the distinction between 'revocability' and 'auditability' — the trap here is assuming biometrics are always the best for security, but the question emphasizes quick revocation and logging, where electronic key cards are more practical and cost-effective than biometric systems.

How to eliminate wrong answers

Option A is wrong because a combination lock with a shared code cannot be individually revoked without changing the code for everyone, and it typically does not log entry attempts. Option B is wrong because while a biometric fingerprint scanner can log attempts and be revoked by deleting the user's template, it is less practical for quick revocation in a large organization and can suffer from false rejection or hygiene issues. Option D is wrong because a physical key and lock system requires rekeying or replacing locks to revoke access, and it provides no automated logging of entry attempts.

27
MCQhard

A data center manager wants to implement a physical security control that can detect if a server chassis has been opened without authorization. Which control should they use?

A.Intrusion detection system (IDS) on the network
B.Chassis intrusion switch
C.Tamper-evident seals
D.Video surveillance
AnswerC

Tamper-evident seals are placed over chassis screws or seams; any attempt to open the case will break or distort the seal, providing clear evidence of tampering.

Why this answer

Tamper-evident seals are a physical security control that provide visual evidence of unauthorized access. When a server chassis is opened, the seal is broken, indicating tampering. This is the correct choice because the question specifically asks for a control that can detect if a chassis has been opened, and tamper-evident seals are designed for this purpose.

Exam trap

The trap here is that candidates may confuse a chassis intrusion switch (an electronic detection mechanism) with a physical security control that provides tamper evidence, but the question specifically asks for a control that can detect if a chassis has been opened, and tamper-evident seals are the correct physical control for this purpose.

How to eliminate wrong answers

Option A is wrong because an Intrusion Detection System (IDS) on the network monitors network traffic for malicious activity, not physical chassis access. Option B is wrong because a chassis intrusion switch is an electronic sensor that can detect when a chassis is opened, but it is not a physical security control that provides tamper evidence; it is an electronic detection mechanism that can be bypassed or disabled. Option D is wrong because video surveillance can monitor physical access to the server room but does not directly detect if a specific server chassis has been opened; it requires continuous monitoring and review of footage.

28
MCQmedium

A technician is configuring a new server room and needs to ensure that only authorized personnel can physically access it. The company wants a solution that does not require replacement of keys or cards if one is lost. Which access control method best meets this requirement?

A.Use a combination lock
B.Implement a biometric fingerprint reader
C.Install a smart card system
D.Use a keypad with a PIN code
AnswerB

Biometrics are tied to the individual and cannot be lost, so no reissuance is needed if a card is lost.

Why this answer

Biometric systems use unique physical traits (fingerprint, retina) that cannot be lost or easily duplicated. This eliminates the need to reissue credentials if a card or key is lost, though biometrics have their own management challenges.

29
MCQmedium

A school district is deploying laptops to students and wants to deter theft while keeping devices usable. Which physical security control should they implement on the laptops?

A.Install a cable lock on each laptop
B.Use a laptop safe
C.Apply asset tracking tags
D.Enable a BIOS password
AnswerC

Asset tags (e.g., RFID or barcode) help track and recover stolen laptops without hindering normal use.

Why this answer

Asset tracking tags (e.g., RFID or GPS-enabled stickers) provide a non-intrusive way to monitor and recover laptops if stolen, without hindering normal use. They deter theft by enabling location tracking and inventory management, which aligns with the school's goal of keeping devices usable while reducing loss.

Exam trap

CompTIA often tests the distinction between physical controls (e.g., locks, safes, tags) and logical controls (e.g., BIOS passwords, encryption), and the trap here is confusing a BIOS password as a physical security measure when it is actually a logical access control.

How to eliminate wrong answers

Option A is wrong because a cable lock physically tethers the laptop to a desk, which restricts mobility and contradicts the requirement to keep devices usable for students who need to move between classes. Option B is wrong because a laptop safe is a stationary storage container, not a control applied to the laptop itself, and it prevents use while stored. Option D is wrong because a BIOS password is an authentication control, not a physical security control; it secures access to firmware settings but does not deter or prevent physical theft of the device.

30
MCQmedium

A company is moving to a new office and wants to secure its server room against both unauthorized entry and environmental hazards. Which combination of physical controls should be implemented?

A.A key lock and a fire extinguisher
B.An electronic badge reader and a temperature sensor
C.A biometric scanner and a security camera
D.A combination lock and a humidity monitor
AnswerB

The badge reader controls and logs access; the temperature sensor monitors environmental conditions to prevent overheating.

Why this answer

Option B is correct because the question requires controls that address both unauthorized entry (electronic badge reader) and environmental hazards (temperature sensor). An electronic badge reader provides access control by authenticating users before entry, while a temperature sensor monitors environmental conditions to detect overheating or fire risks, enabling proactive responses to protect server equipment.

Exam trap

The trap here is that candidates pick options that address only one of the two required categories (unauthorized entry or environmental hazards) instead of both.

How to eliminate wrong answers

Option A is wrong because a key lock only addresses unauthorized entry but does not monitor environmental hazards; a fire extinguisher is a reactive suppression tool, not a proactive environmental monitoring control. Option C is wrong because a biometric scanner and security camera both address unauthorized entry and surveillance, but neither monitors environmental hazards like temperature, humidity, or smoke. Option D is wrong because a combination lock addresses unauthorized entry, but a humidity monitor only addresses one environmental hazard (humidity) and does not cover other critical hazards like temperature or fire; the question asks for a combination that secures against both unauthorized entry and environmental hazards, and humidity alone is insufficient.

Ready to test yourself?

Try a timed practice session using only Physical Security Controls questions.