Free · No account needed · No credit card

CompTIA SecurityX CAS-004 Practice Test

510 questions with instant explanations, domain breakdown, and wrong-answer analysis. Built for the real exam.

Instant feedback after each answer
Full explanations included
Domain score breakdown
Real exam: 165 min

Sample questions with explanations

This is exactly what you see during practice — question, options, and a full explanation after you answer.

Q1 · Governance, Risk and Compliance · medium

A global financial firm must comply with GDPR and SOX. The CISO wants to consolidate controls across frameworks using a single set of controls. Which approach best addresses this requirement?

A. Adopt a unified control framework such as NIST SP 800-53 (Correct)
B. Focus only on the most stringent regulation
C. Implement automated GRC tools without changing controls
D. Maintain separate control sets for each regulation

Adopting a unified control framework such as NIST SP 800-53 allows the firm to map controls from GDPR and SOX into a single, comprehensive set, reducing duplication and ensuring consistent compliance. This approach leverages the framework's catalog of controls, which can be tailo…

Q2 · Governance, Risk and Compliance · hard

A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?

A. Request the provider's most recent SOC 3 report
B. Accept the risk and proceed with migration
C. Require the provider to sign a Business Associate Agreement (BAA) (Correct)
D. Require the provider to encrypt all data at rest and in transit

Option B is correct because a BA agreement is required under HIPAA to ensure the provider contractually agrees to safeguard ePHI. Option A is wrong because the risk assessment should drive decisions, not just acceptance. Option C is wrong because encryption does not eliminate the…

Q3 · Governance, Risk and Compliance · easy

An organization wants to ensure that its third-party vendors comply with the company's security policies. Which of the following is the MOST effective method?

A. Include security requirements in contracts and conduct periodic audits (Correct)
B. Require vendors to obtain ISO 27001 certification
C. Send annual self-assessment questionnaires
D. Perform quarterly penetration tests on vendor networks

Including security requirements in contracts and conducting periodic audits is the most effective method because it creates a legally binding obligation for vendors to adhere to the organization's security policies, and audits provide direct, verifiable evidence of compliance. Un…

Untimed Practice

Answer at your own pace. Explanation and domain tag shown immediately after each answer.

Timed Practice

Countdown timer starts immediately. Results and domain scores shown at the end — just like the real exam.

Why practice here?

Full explanations on every question

Not just the right answer: you get exactly why each wrong option is wrong, so you learn the concept, not the answer.

Domain score breakdown

After each session see your score by exam domain so you know exactly where to focus study time.

100% free, forever

No subscription, no trial, no email wall. Start a session in under 10 seconds.

Exam-style questions

Scenario-based, precise wording, realistic distractors, written to match what you actually see on exam day.
