CCNA GRC Questions

75 of 127 questions · Page 1/2 · GRC topic

1 · MCQ · easy

Which of the following is the BEST definition of a risk register?

A. A list of identified risks with associated attributes such as impact, likelihood, and owner.
B. A report of audit findings and non-conformities.
C. A document that outlines the organization's risk appetite.
D. A tool used to automate risk assessment processes.
Answer: A

A risk register captures each risk along with its characteristics and management status.

Why this answer

Option A is correct because a risk register is a structured repository for documenting and tracking risks.

2 · Multi-Select · hard

Which THREE of the following are required by the NIST Cybersecurity Framework (CSF) for the 'Protect' function?

Select 3 answers
A. Performing regular maintenance of systems
B. Ensuring data at rest and in transit is encrypted
C. Conducting a risk assessment for critical assets
D. Developing an incident response plan
E. Implementing access controls for authorized users
Answers: A, B, E

Maintenance is under Protect.

Why this answer

Options A, B, and E are correct. Access control (PR.AC), data security (PR.DS), and maintenance (PR.MA) are part of the Protect function. Option D is wrong because incident response planning belongs to 'Respond', which is a separate function.

Option C is wrong because risk assessment is under 'Identify'.

3 · MCQ · easy

A financial institution is required to comply with PCI DSS. A low-severity vulnerability is found in the cardholder data environment that would cost significant downtime to patch. What is the BEST course of action?

A. Implement compensating controls and formally accept the risk with documented approval
B. Transfer the risk to a third party
C. Accept the risk without documentation
D. Immediately patch the vulnerability
Answer: A

This satisfies PCI DSS requirements and manages risk.

Why this answer

PCI DSS allows risk acceptance with compensating controls and documented approval. Option C lacks documentation; Option D may cause unacceptable downtime; Option B does not directly address the vulnerability.

4 · Multi-Select · medium

A company is implementing a vendor risk management program. Which THREE of the following should be included in the initial vendor assessment?

Select 3 answers
A. Employee training records
B. Financial stability
C. Security incident history
D. Marketing collateral
E. Business continuity plan
Answers: B, C, E

Essential to assess viability.

Why this answer

Financial stability, security incident history, and business continuity plan are key to evaluating vendor risk. Employee training is not typically part of initial assessment; marketing collateral is irrelevant.

5 · MCQ · medium

An organization is required to retain logs for seven years per regulatory requirement. Which of the following should be considered to ensure the integrity of these logs?

A. Write-once, read-many (WORM) storage
B. Hashing each log entry
C. Encryption of the logs
D. Compression to reduce storage space
Answer: A

WORM prevents tampering with log entries.

Why this answer

Write-once, read-many (WORM) storage ensures logs cannot be altered or deleted. Encryption, compression, and hashing provide security or validation but not immutable storage.

6 · MCQ · easy

A company is implementing a new cloud-based SaaS application and needs to ensure compliance with GDPR. The security team is tasked with updating the data protection impact assessment (DPIA). Which of the following should the team prioritize?

A. Assessing the types of personal data processed and the risks to data subjects
B. Defining data retention schedules for all data types
C. Conducting a vulnerability scan of the SaaS application
D. Reviewing the cloud provider's SLA for uptime guarantees
Answer: A

DPIA focuses on the processing of personal data and associated risks.

Why this answer

Under GDPR, a Data Protection Impact Assessment (DPIA) is mandatory when processing personal data that is likely to result in high risk to individuals. The core requirement is to systematically assess the types of personal data being processed, the necessity and proportionality of the processing, and the risks to data subjects' rights and freedoms. This directly aligns with option A, as the DPIA must identify and mitigate privacy risks before the SaaS application goes live.

Exam trap

The trap here is that candidates confuse a DPIA with a security assessment (like a vulnerability scan or SLA review), but the DPIA is specifically a privacy risk assessment mandated by GDPR Article 35, not a general security or operational review.

How to eliminate wrong answers

Option B is wrong because defining data retention schedules is a separate GDPR compliance activity (Article 5(1)(e)) that occurs after the DPIA, not a priority for the DPIA itself; the DPIA focuses on risk assessment, not retention policies. Option C is wrong because conducting a vulnerability scan addresses technical security controls (Article 32), but a DPIA is a broader privacy risk assessment that evaluates the necessity, proportionality, and impact on data subjects, not just security vulnerabilities. Option D is wrong because reviewing the cloud provider's SLA for uptime guarantees relates to business continuity and availability, not to the GDPR-mandated assessment of risks to data subjects' privacy rights.

7 · MCQ · medium

A financial institution is adopting a new vendor-managed SaaS platform for customer data processing. The CISO wants to ensure the vendor's security controls meet regulatory requirements before data is transferred. Which of the following should be completed FIRST?

A. Execute a penetration test on the SaaS platform.
B. Implement data loss prevention controls.
C. Conduct a vulnerability assessment of the vendor's network.
D. Perform a third-party risk assessment.
Answer: D

Third-party risk assessment evaluates the vendor's security controls and compliance before data transfer.

Why this answer

D is correct because a third-party risk assessment is the initial step to evaluate the vendor's security posture against compliance requirements. A and C are technical assessments that come later. B is a control implementation that should follow the assessment.

8 · Multi-Select · medium

Which THREE are key elements of a security policy?

Select 3 answers
A. Vendor names
B. Roles and responsibilities
C. Enforcement actions
D. Review date
E. Scope
Answers: B, C, E

Clear assignment of responsibilities is essential.

Why this answer

Options B, C, and E are correct. Scope defines applicability, roles and responsibilities assign accountability, and enforcement actions ensure compliance. Vendor names are not typical policy elements, and the review date is part of document control but not a core element.

9 · MCQ · medium

During a compliance audit, an organization discovers that its backup data for a critical database is stored in an unencrypted format on a tape that is kept offsite. The organization's data protection policy requires encryption of all data at rest. Which of the following is the BEST remediation action?

A. Change the offsite storage provider to one with better physical security
B. Implement TLS for data transmission to offsite storage
C. Re-encrypt the existing tape and implement encryption for all future backups
D. Encrypt all future backups before writing to tape
Answer: C

Remediates the non-compliance for existing and future backups.

Why this answer

Option C is the best remediation because it directly addresses the compliance violation by re-encrypting the existing unencrypted tape and ensuring all future backups are encrypted before being written to tape. This aligns with the data protection policy requiring encryption of data at rest, as the tape is a storage medium that holds data at rest. Simply encrypting future backups (Option D) would leave the existing unencrypted data in violation, while the other options do not address the at-rest encryption requirement.

Exam trap

The trap here is that candidates often confuse encryption of data in transit (TLS) with encryption of data at rest, or they choose to only encrypt future backups, overlooking the need to remediate the existing non-compliant data that is already stored unencrypted.

How to eliminate wrong answers

Option A is wrong because improving physical security does not satisfy the requirement for encryption of data at rest; the policy mandates cryptographic protection, not just access controls. Option B is wrong because TLS protects data in transit during transmission to offsite storage, but the tape itself remains unencrypted at rest, which is the core compliance issue. Option D is wrong because it only encrypts future backups, leaving the existing unencrypted tape in violation of the policy; remediation must address the current non-compliant data.

10 · MCQ · medium

An organization is evaluating risk treatment options for a critical vulnerability with a CVSS score of 9.8. The cost to remediate is $500,000, and the potential loss if exploited is estimated at $2,000,000. Which risk response is most appropriate?

A. Transfer the risk through cyber insurance
B. Accept the risk
C. Avoid the risk by decommissioning the affected system
D. Remediate the vulnerability
Answer: D

Remediation cost is lower than expected loss, making it the best option.

Why this answer

With a CVSS score of 9.8 (critical) and a potential loss of $2,000,000, the cost to remediate ($500,000) is significantly lower than the expected loss. Remediation reduces the risk to an acceptable residual level, making it the most cost-effective response. This aligns with the principle that when the cost of remediation is less than the potential loss, the organization should directly fix the vulnerability.

Exam trap

CompTIA often tests the misconception that a high CVSS score automatically justifies acceptance or transfer, but the key is comparing the cost of remediation against the potential loss to determine the most appropriate risk response.

How to eliminate wrong answers

Option A is wrong because transferring risk via cyber insurance does not reduce the likelihood or impact of exploitation; it only provides financial compensation after a breach, and insurers often exclude critical vulnerabilities or require remediation as a condition. Option B is wrong because accepting a critical vulnerability with a CVSS of 9.8 and a $2,000,000 potential loss is irresponsible when a cheaper remediation option exists; acceptance is only appropriate when the cost of mitigation exceeds the potential loss. Option C is wrong because avoiding the risk by decommissioning the affected system would eliminate the business function entirely, incurring operational and revenue losses that likely exceed the $500,000 remediation cost, making it an extreme and unnecessary response.

11 · MCQ · medium

A company is evaluating a vendor that will process sensitive customer data. The vendor's SOC 2 Type II report shows that controls were in place but had several exceptions noted. Which of the following is the BEST course of action?

A. Perform a risk assessment on the exceptions
B. Request a SOC 2 Type I report instead
C. Accept the vendor because it has a Type II report
D. Reject the vendor immediately due to exceptions
Answer: A

Risk assessment determines if exceptions are acceptable.

Why this answer

Option A is correct because a risk assessment should be conducted to evaluate the exceptions in the context of the company's risk appetite. Option D is wrong because rejecting without analysis is hasty. Option C is wrong because accepting without review is negligent.

Option B is wrong because a Type I report covers a point in time, not operating effectiveness over a period.

12 · Multi-Select · hard

During a business continuity planning meeting, the team identifies several critical systems. Which THREE of the following are key components of a Business Impact Analysis (BIA)? (Select THREE.)

Select 3 answers
A. Mission-essential functions
B. Inventory of all hardware assets
C. Threat modeling of likely attack vectors
D. Recovery Time Objective (RTO)
E. Recovery Point Objective (RPO)
Answers: A, D, E

BIA identifies which functions are critical to the mission.

Why this answer

A BIA identifies recovery time objective (RTO), recovery point objective (RPO), and mission-essential functions. Asset inventory and threat modeling may be inputs but are not core BIA outputs.

13 · MCQ · medium

An organization is migrating sensitive customer data to a public cloud. Which of the following actions best demonstrates due diligence for compliance with GDPR?

A. Conducting a data protection impact assessment (DPIA).
B. Enabling server-side encryption on the cloud storage.
C. Obtaining explicit consent from all data subjects.
D. Signing a data processing agreement (DPA) with the cloud provider.
Answer: A

A DPIA is mandated by GDPR for high-risk processing and demonstrates thorough due diligence.

Why this answer

Option A is correct because a DPIA is a systematic process to identify and mitigate data protection risks, required by GDPR for cloud migrations involving sensitive data.

14 · MCQ · medium

During a risk assessment, the analyst identifies that a legacy system containing sensitive data cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk treatment strategy is MOST appropriate?

A. Transfer by purchasing cyber insurance
B. Avoidance by decommissioning the system
C. Acceptance by documenting the risk
D. Mitigation by implementing compensating controls
Answer: D

Compensating controls reduce risk without removing the system.

Why this answer

Implementing compensating controls reduces the risk while allowing the system to operate. Option B may not be feasible because the system is critical to operations; Option C does not reduce the risk; Option A is less proactive.

15 · MCQ · easy

A company is evaluating its disaster recovery plan. Which metric indicates the maximum acceptable downtime?

A. Mean Time to Repair (MTTR)
B. Recovery Point Objective (RPO)
C. Recovery Time Objective (RTO)
D. Mean Time Between Failures (MTBF)
Answer: C

RTO is the maximum acceptable downtime.

Why this answer

Option C is correct because Recovery Time Objective (RTO) defines the maximum acceptable downtime. Option B is wrong because RPO defines acceptable data loss. Option D is wrong because MTBF measures reliability.

Option A is wrong because MTTR measures repair time.

16 · MCQ · easy

A security engineer is reviewing firewall logs and finds multiple failed SSH attempts from an internal IP. Which control should be implemented to reduce this risk?

A. Allow SSH only from a specific management subnet
B. Implement account lockout after 5 failed attempts
C. Install a host-based IDS on the server
D. Disable SSH and use Telnet instead
Answer: B

Account lockout prevents brute-force attacks by temporarily disabling the account.

Why this answer

Option B is correct because implementing an account lockout policy after a defined number of failed attempts (e.g., 5) directly mitigates brute-force or password-guessing attacks against SSH. This control enforces a threshold that stops automated scripts or manual attempts from continuing, reducing the risk of unauthorized access without blocking legitimate administrative traffic.

Exam trap

The trap here is that candidates often choose a network-based control like subnet restriction (Option A) because it seems logical to limit access, but they overlook that the failed attempts are already coming from an internal IP, meaning the attacker is already inside the trusted zone and subnet filtering alone will not stop the attack.

How to eliminate wrong answers

Option A is wrong because restricting SSH to a specific management subnet reduces the attack surface but does not prevent brute-force attacks from within that subnet; an attacker who compromises a machine on that subnet could still launch unlimited attempts. Option C is wrong because a host-based IDS (HIDS) can detect and alert on failed SSH attempts but does not actively prevent them; it is a detective control, not a preventive one. Option D is wrong because disabling SSH and using Telnet would increase risk, as Telnet transmits credentials and data in cleartext, making it vulnerable to sniffing and completely unacceptable in a secure environment.

17 · MCQ · medium

Refer to the exhibit. A security analyst reviews the firewall logs and sees traffic from 192.168.1.200 to the database server 10.0.0.10 on TCP port 1433. 192.168.1.200 is not in the approved IP list for database access. What is the BEST immediate action?

A. Investigate the source host for malware
B. Disable the database server
C. Review the database access rules
D. Block the source IP on the firewall
Answer: D

Immediate containment of unauthorized access.

Why this answer

Blocking the source IP on the firewall immediately contains the potential threat. Investigation is important but secondary; reviewing rules is not immediate; disabling the server is too drastic.

18 · MCQ · easy

A company's risk assessment identifies that employees often use weak passwords. Which control directly addresses this risk?

A. Conduct security awareness training
B. Deploy single sign-on
C. Implement multi-factor authentication (MFA)
D. Enforce a strong password policy
Answer: D

A strong password policy directly addresses weak passwords.

Why this answer

Enforcing a strong password policy directly addresses the risk of weak passwords by mandating complexity, length, and expiration requirements (e.g., minimum 12 characters, mixed case, numbers, symbols). This control reduces the likelihood of successful brute-force or dictionary attacks by increasing the entropy of user credentials. Unlike other options, it specifically targets the root cause—weak password creation—rather than adding compensating controls.

Exam trap

The trap here is that candidates confuse 'addressing the risk' with 'mitigating the impact'—MFA (Option C) reduces the impact of a weak password but does not prevent the weak password itself, which is the root cause identified in the risk assessment.

How to eliminate wrong answers

Option A is wrong because security awareness training educates users but does not technically enforce password strength; users may still choose weak passwords despite training. Option B is wrong because single sign-on (SSO) centralizes authentication but does not prevent users from creating weak passwords for the SSO identity provider or downstream systems. Option C is wrong because multi-factor authentication (MFA) adds a second factor (e.g., TOTP, SMS) but does not address the weakness of the first factor (password); a weak password can still be guessed or cracked offline, bypassing MFA in some attack scenarios (e.g., pass-the-cookie).

19 · MCQ · medium

An organization is merging with another company and needs to ensure that the combined entity's security policies are aligned. Which document type should the security team prioritize to harmonize security expectations and responsibilities?

A. Disaster Recovery Plan (DRP)
B. Non-Disclosure Agreement (NDA)
C. Acceptable Use Policy (AUP)
D. Business Continuity Plan (BCP)
Answer: C

AUP sets rules for system use and user responsibilities.

Why this answer

An Acceptable Use Policy (AUP) defines acceptable behavior and responsibilities for users, making it key for harmonizing expectations. BCP focuses on continuity, DRP on recovery, and NDA on confidentiality.

20 · MCQ · easy

Which of the following is the PRIMARY purpose of a business continuity plan (BCP)?

A. Assign roles for incident response.
B. Restore IT systems after a disaster.
C. Ensure critical business functions continue during a disruption.
D. Establish procedures for data backup.
Answer: C

The BCP's main goal is to maintain essential operations despite incidents.

Why this answer

Option C is correct because a BCP aims to sustain critical business processes, not just IT recovery.

21 · Multi-Select · medium

Which THREE of the following are common challenges when implementing a vendor risk management program? (Select THREE)

Select 3 answers
A. Lack of visibility into vendor security practices
B. Over-automation of risk scoring
C. Resource constraints for conducting assessments
D. Inconsistent assessment criteria across vendors
E. Excessive cooperation from vendors
Answers: A, C, D

Common challenge

Why this answer

A is correct because organizations often lack visibility into vendor security practices, meaning they cannot verify whether vendors comply with security policies or contractual obligations. This challenge arises when vendors do not provide access to their security controls, audit reports, or real-time monitoring data, leaving gaps in the risk assessment process.

Exam trap

Cisco often tests the distinction between common operational challenges (like lack of visibility, resource constraints, and inconsistent criteria) versus hypothetical or reversed issues (like over-automation or excessive cooperation) that are not typical in vendor risk management programs.

22 · MCQ · medium

A multinational corporation is migrating its data centers to a hybrid cloud model. The security team must ensure that data sovereignty laws are respected. The company operates in the EU, US, and Asia. Which of the following is the BEST approach?

A. Require all employees to sign a data processing agreement.
B. Encrypt all data at rest and in transit using a single global encryption key.
C. Implement a virtual private network between all data centers and cloud providers.
D. Use cloud regions in each geographic area where data is stored and processed.
Answer: D

Cloud regions allow data to stay within jurisdictional boundaries.

Why this answer

D is correct. Using cloud regions ensures data is stored and processed within legal boundaries. A single global encryption key does not address location.

VPN is for connectivity, not sovereignty. DPA is for processing agreements, not location enforcement.

23 · MCQ · easy

An organization wants to ensure that its employees understand their responsibilities regarding data protection. Which of the following is the MOST effective way to achieve this?

A. Include a clause in the employment contract
B. Post posters in common areas
C. Distribute a data protection policy annually via email
D. Conduct regular security awareness training with assessments
Answer: D

Interactive training with assessments reinforces understanding.

Why this answer

Regular training with assessments ensures ongoing awareness and understanding. Options A, B, and C are passive methods that are less effective.

24 · Multi-Select · medium

Which TWO of the following are key components of a risk assessment methodology?

Select 2 answers
A. Disaster recovery.
B. Threat identification.
C. Risk appetite.
D. Incident response.
E. Asset inventory.
Answers: B, E

Identifying threats is a fundamental step in risk assessment.

Why this answer

Threat identification and asset inventory are core components of a risk assessment, while risk appetite is a guiding parameter.

25 · Multi-Select · hard

A multinational corporation is subject to GDPR and the California Consumer Privacy Act (CCPA). A security architect is designing a data governance solution to meet both regulations. Which TWO controls are most appropriate?

Select 2 answers
A. Implement data mapping to track personal data across systems and jurisdictions.
B. Establish data classification policies to categorize information based on sensitivity.
C. Deploy data loss prevention (DLP) technology to monitor data exfiltration.
D. Define a data retention schedule that automatically deletes data after a set period.
E. Integrate a security information and event management (SIEM) system for log analysis.
Answers: A, B

Data mapping is a foundational governance activity required by both GDPR and CCPA.

Why this answer

Options A and B are correct. GDPR and CCPA both require data mapping (A) to understand data flows, and data classification (B) to apply appropriate controls. Option D (retention schedule) is important but not the most critical for both regulations; retention is more GDPR-specific.

Option C (DLP) is a technical control that supports compliance but is not a governance control. Option E (SIEM) is a security monitoring tool, not a governance control.

26 · MCQ · hard

A company's risk register shows a high-likelihood, high-impact risk related to ransomware. The cost to mitigate fully is $2M, while the expected annual loss is $500K. Which risk response is most appropriate?

A. Avoid the risk by discontinuing use of IT systems
B. Mitigate the risk by implementing full endpoint protection
C. Accept the risk and implement monitoring controls
D. Transfer the risk via cyber insurance
Answer: C

Cost-benefit analysis supports acceptance

Why this answer

The cost to fully mitigate the ransomware risk is $2M, which far exceeds the expected annual loss of $500K. This makes full mitigation economically unjustifiable under a cost-benefit analysis. Accepting the risk with monitoring controls allows the organization to detect ransomware early and respond, without spending more on prevention than the potential loss itself.

Exam trap

CompTIA often tests the cost-benefit analysis principle in risk response decisions, where candidates mistakenly choose 'mitigate' because they focus on the high likelihood and impact without comparing the cost of mitigation to the expected loss.

How to eliminate wrong answers

Option A is wrong because discontinuing IT systems would halt business operations entirely, which is an extreme and impractical response that ignores the organization's need to function; avoidance is only appropriate when the risk outweighs any possible benefit, not when a cost-effective alternative exists. Option B is wrong because implementing full endpoint protection at a cost of $2M is not cost-justified when the annual expected loss is only $500K; this violates the principle of risk management where the cost of mitigation should not exceed the potential loss. Option D is wrong because transferring the risk via cyber insurance does not reduce the likelihood or impact of ransomware; it only provides financial reimbursement after an incident, and the premium cost may still be high relative to the expected loss, making acceptance with monitoring a more balanced approach.

27 · MCQ · hard

A multinational corporation is implementing a privacy program that must comply with both GDPR and CCPA. Which approach to privacy impact assessments (PIAs) is most appropriate?

A. Perform separate PIAs for GDPR and CCPA requirements
B. Skip PIAs for existing processing activities
C. Conduct a single PIA that covers both regulations' requirements
D. Only perform PIAs when processing high-risk data
Answer: C

Comprehensive and efficient

Why this answer

Option C is correct because conducting a single PIA that addresses both regulations is efficient. Option A is wrong because separate PIAs are redundant. Option B is wrong because PIAs should be conducted for processing activities, not skipped.

Option D is wrong because performing PIAs only for high-risk processing is not sufficient to cover all processing.

28 · MCQ · easy

A small business wants to achieve compliance with PCI DSS. Which approach should they take to minimize the scope of the assessment?

A. Segment the cardholder data environment from the corporate network
B. Implement a tokenization service
C. Encrypt all cardholder data at rest
D. Train employees on security awareness
Answer: A

Segmentation reduces the systems that process, store, or transmit card data.

Why this answer

Segmenting the cardholder data environment (CDE) from other networks reduces the number of systems in scope. Encryption, tokenization, and training are important but do not directly reduce scope like segmentation does.

29 · MCQ · hard

A multinational corporation must comply with both the EU's GDPR and the California Consumer Privacy Act (CCPA). Which of the following scenarios would cause a conflict between these regulations?

A. GDPR requires explicit consent for data processing, while CCPA allows opt-out for data sale
B. One regulation requires breach notification, the other does not
C. CCPA imposes data minimization, while GDPR does not
D. Both require data access rights for individuals
Answer: A

Consent vs opt-out can conflict.

Why this answer

Option A is correct because GDPR requires consent for certain processing, while CCPA allows opt-out for the sale of data; these can conflict. Option B is wrong because both require breach notification. Option D is wrong because both provide data access rights.

Option C is wrong because both address data minimization similarly.

30 · Multi-Select · medium

Which TWO of the following are key elements of a data classification policy?

Select 2 answers
A. Handling and labeling procedures
B. Classification categories (e.g., public, internal, confidential)
C. Acceptable use guidelines for company devices
D. Backup frequency and retention periods
E. Encryption algorithms and key lengths
Answers: A, B

Procedures for handling each classification level are essential.

Why this answer

Handling and labeling procedures (Option A) are a key element of a data classification policy because they define the operational steps for marking, storing, transmitting, and disposing of data based on its classification level. Without these procedures, classification categories have no enforceable controls, leading to inconsistent data protection. This aligns with NIST SP 800-53 and ISO 27001 requirements for data handling.

Exam trap

Cisco often tests the distinction between policy elements and implementation controls, so the trap here is confusing operational procedures (handling/labeling) and classification categories (the core of a classification policy) with technical security controls like encryption algorithms or backup schedules, which belong in separate policies.

31 · Multi-Select · medium

Which TWO of the following are essential elements of an effective data governance framework?

Select 2 answers
A. Data classification policies and procedures
B. Mandatory data localization requirements
C. Assignment of data stewardship roles
D. Automated breach notification system
E. Implementation of full-disk encryption on all endpoints
Answers: A, C

Classification is foundational to governance.

Why this answer

Options A and C are correct. Data classification policies define how data is categorized, and data stewardship assigns ownership. Option E is wrong because encryption is a technical control, not governance.

Option B is wrong because data localization is a compliance requirement, not a governance element. Option D is wrong because breach notification is operational.

32 · MCQ · medium

You are the compliance officer for a financial institution that must adhere to the Payment Card Industry Data Security Standard (PCI DSS). During a quarterly vulnerability scan, you discover that several critical vulnerabilities in the cardholder data environment (CDE) were not remediated within the required 30-day window. Additionally, the most recent penetration test report shows that a segmentation control between the CDE and the corporate network is not functioning as intended. The next PCI DSS assessment is in two months. Which of the following remediation actions should be prioritized FIRST to maintain compliance?

A. Implement a compensating control for the segmentation failure and document it
B. Immediately patch all critical vulnerabilities in the CDE
C. Request an extension from the acquirer for the next assessment
D. Re-establish correct segmentation between CDE and corporate network
Answer: D

Segmentation is foundational to PCI DSS compliance.

Why this answer

Option D is correct because fixing the segmentation failure is critical; without proper segmentation, the entire network might be considered in scope, increasing the compliance burden. Option B is wrong because patching vulnerabilities is important, but the segmentation issue is broader. Option A is wrong because compensating controls may be temporary, whereas segmentation is a fundamental requirement.

Option C is wrong because delaying assessment is not a remediation.

33 · MCQ · hard

The exhibit shows results from a CIS Controls assessment. Based on the findings, which control deficiency poses the greatest risk to the organization and should be prioritized for remediation?

A. Incident response (Control 8) because testing is only at 1/5
B. Network monitoring and defense (Control 13) because it has the lowest overall score and intrusion detection is missing
C. Data protection (Control 3) because sensitive data inventory is not implemented
D. Data encryption at rest (Subcontrol 3.2) because it received a score of 4/5, indicating room for improvement
Answer: B

This control has the lowest score (1/5) and lacks intrusion detection, which is vital for detecting threats.

Why this answer

Option B is correct because the network monitoring and defense control has the lowest overall score (1/5), and within it, intrusion detection is completely unimplemented (0/5), leaving the organization blind to active attacks. Option C is wrong because data protection has a higher overall score (2/5) and its subcontrols are partially implemented. Option A is wrong because incident response has a score of 3/5, which is relatively better, and the plan is fully in place; testing can be improved but is not as critical.

Option D is wrong because data encryption at rest is already highly implemented (4/5).

34
MCQeasy

A financial institution must ensure that its data classification policy aligns with regulatory requirements for customer financial information. Which of the following actions best demonstrates governance in this context?

A.Implement a formal data classification policy that maps data types to regulatory categories and enforce it via technical controls.
B.Restrict all customer financial data to a single secure server without labeling.
C.Allow data owners to classify data on an ad-hoc basis as needed.
D.Encrypt all customer data at rest and in transit regardless of classification.
AnswerA

This establishes clear rules, accountability, and enforcement — core governance elements.

Why this answer

Option A is correct because it directly implements governance by establishing a formal data classification policy that maps data types to specific regulatory categories (e.g., PCI DSS, GLBA, SOX) and enforces compliance through technical controls such as Data Loss Prevention (DLP) rules, access control lists (ACLs), and encryption policies. This structured approach ensures that customer financial information is consistently protected according to legal requirements, rather than relying on ad-hoc or incomplete measures.

Exam trap

The trap here is that candidates often confuse encryption (a security control) with governance (a policy-driven framework), leading them to select Option D because they assume encryption alone satisfies regulatory compliance, when in fact governance requires classification to define which data must be encrypted and under what conditions.

How to eliminate wrong answers

Option B is wrong because restricting all customer financial data to a single secure server without labeling violates the principle of data classification; without labels or tags, the organization cannot differentiate between data types or apply granular controls (e.g., retention policies, access restrictions) required by regulations like GDPR or PCI DSS. Option C is wrong because allowing data owners to classify data on an ad-hoc basis introduces inconsistency and human error, undermining governance and potentially leading to misclassification that fails to meet regulatory mandates. Option D is wrong because encrypting all customer data at rest and in transit regardless of classification ignores the need for differentiated controls; while encryption is a security control, governance requires classification to apply appropriate policies (e.g., key management, access logging, retention) based on data sensitivity and regulatory obligations.

35
MCQhard

A security manager is reviewing business continuity plans. Which element is MOST critical to test regularly?

A.Updated contact lists
B.Failover capability of critical systems
C.Alternate site readiness
D.Backup media integrity
AnswerB

Testing failover validates that critical systems can be recovered in a disaster.

Why this answer

Option B is correct because failover capability ensures that critical systems can actually be restored. Option A is wrong: contact lists need updates but are not the most critical element to test. Option D is wrong: backup media must be tested, but a failover test exercises the whole recovery process.

Option C is wrong: alternate site readiness is exercised as part of failover testing.

36
MCQhard

A regional healthcare provider with 2,000 employees recently acquired a smaller clinic that uses a legacy electronic health record (EHR) system. The provider's security team performed a risk assessment and identified that the legacy system does not support encryption at rest, lacks role-based access controls (RBAC), and stores administrative credentials in plaintext. The system is scheduled to be decommissioned in 18 months, but it must remain operational to support patient care during the transition. The provider is subject to HIPAA and state breach notification laws. The CEO wants to avoid any disruption to patient services but also minimize regulatory risk. Which of the following is the BEST course of action?

A.Accelerate the migration timeline to replace the legacy system within 6 months.
B.Immediately disconnect the legacy system from the network and use manual processes.
C.Accept the residual risk and document it in the risk register.
D.Implement compensating controls such as network segmentation, storage-level encryption, and strict access monitoring.
AnswerD

Compensating controls mitigate risk while the system remains operational.

Why this answer

Option D is the best course of action because it allows the legacy EHR system to remain operational for patient care while reducing regulatory risk. Compensating controls like network segmentation isolate the vulnerable system, storage-level encryption (e.g., BitLocker or LUKS) protects data at rest, and strict access monitoring (e.g., SIEM with real-time alerts) mitigates the lack of RBAC and plaintext credentials. This approach balances the CEO's requirement for no disruption with HIPAA's security rule requirements for reasonable safeguards.

Exam trap

CompTIA often tests the concept that compensating controls are a valid risk treatment option when a vulnerability cannot be immediately remediated, and candidates mistakenly choose risk acceptance (Option C) without realizing that HIPAA requires active safeguards, not just documentation.

How to eliminate wrong answers

Option A is wrong because accelerating migration to 6 months is unrealistic and would likely cause significant disruption to patient services, violating the CEO's directive to avoid disruption. Option B is wrong because immediately disconnecting the legacy system would halt patient care, creating an unacceptable operational impact and potentially violating continuity of care requirements under HIPAA. Option C is wrong because accepting residual risk without implementing any compensating controls would leave the organization exposed to a high likelihood of a breach, violating HIPAA's requirement to implement reasonable and appropriate safeguards and increasing regulatory risk under state breach notification laws.

37
MCQmedium

Which of the following is the MOST effective way to detect unauthorized changes to critical files?

A.Antivirus software
C.Regular backups
D.File integrity monitoring
AnswerD

FIM specifically monitors file changes.

Why this answer

File integrity monitoring (FIM) alerts on changes to critical files. Option A detects malware; Option B monitors network traffic; Option C is for recovery, not detection.

38
MCQmedium

A security analyst discovers that a third-party vendor has been granted access to the company's production database for support purposes. The vendor's contract expires in two weeks. What is the BEST course of action to ensure compliance with the principle of least privilege and reduce risk?

A.Immediately revoke the vendor's database access and provide temporary access only if needed.
B.Extend the contract for another year to maintain support continuity.
C.Wait until the contract expires and then revoke access.
D.Monitor the vendor's activities until the contract expires.
AnswerA

Immediate revocation aligns with least privilege and reduces risk.

Why this answer

Revoking access before contract end ensures that the vendor cannot access data after the relationship ends, complying with least privilege. Extending or monitoring only would still leave access beyond necessity, and waiting is risky.

39
MCQhard

A healthtech startup is developing a mobile app that collects PHI. They plan to use a third-party cloud provider for data storage. What is the most critical compliance requirement before signing the contract?

A.Verify the provider's data center locations comply with data residency laws
B.Execute a Business Associate Agreement (BAA) with the provider
C.Review the provider's SOC 2 Type II report
D.Ensure all data is encrypted at rest and in transit
AnswerB

A BAA is a legal requirement under HIPAA for any vendor handling PHI.

Why this answer

Under HIPAA, a Business Associate Agreement (BAA) is a mandatory contract that ensures the third-party cloud provider (a business associate) will safeguard Protected Health Information (PHI). Without a BAA, the startup would be in direct violation of HIPAA's Privacy and Security Rules, regardless of other security measures. This requirement is non-negotiable before any PHI is shared or stored by the provider.

Exam trap

CompTIA often tests the distinction between contractual compliance (BAA) and technical controls (encryption, SOC reports), leading candidates to prioritize security measures over the mandatory legal agreement required by HIPAA.

How to eliminate wrong answers

Option A is wrong because while data residency laws (e.g., GDPR, local regulations) are important, they are not the most critical compliance requirement under HIPAA; a BAA is the foundational legal agreement. Option C is wrong because reviewing a SOC 2 Type II report provides assurance about the provider's controls but does not satisfy the HIPAA requirement for a contractual BAA; it is a supplementary due diligence step. Option D is wrong because encryption at rest and in transit is a technical safeguard, but it does not replace the legal obligation of a BAA; HIPAA mandates the BAA even if encryption is implemented.

40
Multi-Selecteasy

Which TWO of the following are examples of administrative controls? (Select TWO)

Select 2 answers
A.Firewall rules
B.Encryption of data at rest
C.Security awareness training
D.Access control policy
AnswersC, D

Administrative control

Why this answer

Security awareness training (C) is an administrative control because it involves policies, procedures, and human behavior management rather than technical mechanisms. It educates users on security risks and compliance requirements, reducing the likelihood of social engineering or policy violations. This aligns with the administrative domain of the CIA triad's governance framework.

Exam trap

Cisco often tests the distinction between administrative, technical, and physical controls, and the trap here is that candidates confuse technical controls like encryption or firewalls with administrative controls because they are both part of a defense-in-depth strategy, but only administrative controls involve human processes and documentation.

41
MCQhard

You are the security architect for a global manufacturing company that has recently experienced a ransomware attack. The attack originated from a third-party vendor's compromised VPN account, which had been granted privileged access to the corporate network for remote maintenance. The vendor is a critical supplier of industrial control system (ICS) components. The incident severely disrupted production for three days. Post-incident analysis reveals that the vendor's security posture was not assessed prior to granting access, and the contract did not include specific security requirements or audit rights. The company now wants to implement a vendor risk management program to prevent future incidents. Which of the following is the MOST comprehensive and effective course of action to address the root cause?

A.Implement network segmentation to isolate vendor access to specific systems
B.Conduct background checks on all vendor personnel before granting access
C.Develop a vendor risk management policy that includes security assessments, contractual clauses, and periodic audits
D.Require all vendors to use multi-factor authentication (MFA) for remote access
AnswerC

A comprehensive program addresses root cause of lack of oversight.

Why this answer

Option C is correct because establishing a formal vendor risk management program with security assessments, contractual security requirements, and periodic audits directly addresses the lack of assessment and oversight that caused the incident. Option A is wrong because network segmentation alone does not enforce vendor compliance. Option D is wrong because MFA is a single control; it does not replace a program.

Option B is wrong because background checks on personnel do not ensure technical security controls.

42
MCQhard

A security team discovers a misconfiguration that exposes sensitive data. The operations team wants to wait until the next maintenance window. What is the BEST course of action?

A.Document the risk and accept it
B.Notify the data protection authority
C.Immediately fix the misconfiguration
D.Implement a temporary workaround
AnswerC

Reduces risk immediately.

Why this answer

Immediate remediation minimizes exposure. Options A, B, and D are unacceptable delays given the severity.

43
MCQhard

A company is merging with another organization and needs to integrate their identity management systems. The security team is concerned about maintaining least privilege and segregation of duties across the combined environment. Which of the following approaches BEST addresses these concerns?

A.Deploy single sign-on (SSO) across both organizations
B.Create a unified user group with the same permissions for all employees
C.Use an identity governance and administration (IGA) tool with automated provisioning
D.Perform a role-mining exercise and design new roles based on common job functions
AnswerD

Role mining ensures roles are aligned with business needs and reduces conflict.

Why this answer

Option D is correct because role-mining analyzes existing user entitlements and access patterns across both organizations to identify common job functions, enabling the design of least-privilege roles that enforce segregation of duties. This approach directly addresses the security concerns by ensuring users receive only the permissions necessary for their roles, preventing conflicts of interest inherent in merged environments.

Exam trap

CompTIA often tests the misconception that SSO or automated provisioning alone solves authorization and segregation issues, when in fact they are authentication and enforcement mechanisms that require proper role design (via role-mining) to achieve least privilege.

How to eliminate wrong answers

Option A is wrong because SSO only simplifies authentication by allowing users to log in once, but it does not manage authorization or enforce least privilege or segregation of duties across the combined identity systems. Option B is wrong because creating a unified user group with identical permissions for all employees violates least privilege by granting excessive access and eliminates segregation of duties, as every user would have the same capabilities. Option C is wrong because while an IGA tool with automated provisioning can enforce policies, without first performing role-mining to define appropriate roles based on actual job functions, it would simply automate existing (potentially flawed) permissions, failing to establish proper least privilege and segregation of duties.

44
MCQmedium

A security analyst reviews this output from an SSH session. What security control is in place on the remote server?

A.Account lockout policy
B.MaxAuthTries limit in SSH configuration
C.Fail2ban or similar IP blocking
D.SSH banner
AnswerB

The SSH server's MaxAuthTries setting limits the number of authentication attempts per connection.

Why this answer

The output shows repeated 'Permission denied' messages followed by 'Connection closed by remote host' after a specific number of attempts. This behavior is characteristic of the MaxAuthTries directive in the SSH server configuration (sshd_config), which limits the number of authentication attempts per connection. When the limit is reached, the SSH server immediately closes the connection, as seen in the output.

Exam trap

Cisco often tests the distinction between server-side connection termination (MaxAuthTries) and account-level lockout or external IP blocking, leading candidates to confuse a per-connection limit with a per-account or firewall-based control.

How to eliminate wrong answers

Option A is wrong because an account lockout policy would lock the user account after failed attempts, but the output shows the connection being closed by the remote host without any account lockout message, and the SSH session itself is terminated. Option C is wrong because Fail2ban or similar IP blocking would block the source IP at the firewall level, resulting in a timeout or connection refused, not the 'Connection closed by remote host' message after authentication attempts. Option D is wrong because an SSH banner is displayed before authentication begins and does not cause connection closure after failed attempts; it is a pre-authentication message.

45
MCQhard

A multinational corporation must comply with multiple data protection laws. What is the BEST strategy?

A.Use a minimal baseline that meets all laws
B.Follow only the laws of the home country
C.Follow local laws per region
D.Implement the most stringent requirements across all regions
AnswerD

This ensures compliance with the highest standards and reduces legal risk.

Why this answer

Option D is correct because applying the most stringent requirements ensures compliance across all jurisdictions. Option C is wrong: following local laws per region may lead to inconsistencies and gaps. Option B is wrong: following only home-country laws may violate the laws of other jurisdictions.

Option A is wrong: a minimal baseline may not meet the stricter requirements of some regions.

46
MCQhard

You are the security architect for a mid-sized e-commerce company that processes credit card payments. The company must comply with PCI DSS. Currently, the cardholder data environment (CDE) includes a web server, an application server, and a database server, all on the same flat network segment. The QSA has identified that the CDE is not properly segmented, and network access controls are insufficient. The company wants to minimize the scope of PCI compliance by reducing the number of systems that handle cardholder data. You propose implementing network segmentation to isolate the CDE. Which of the following is the most effective approach to reduce PCI scope while maintaining business functionality?

A.Encrypt all cardholder data at rest and in transit
B.Replace the database with a tokenization service and remove the database from the CDE
C.Move all servers to a DMZ and implement host-based firewalls
D.Deploy a firewall between the CDE and corporate network, allowing only necessary traffic
AnswerD

Segmenting the CDE reduces scope

Why this answer

Option D is correct because deploying a firewall between the CDE and the corporate network, and restricting traffic to only what is necessary, creates a proper network segmentation boundary. This isolation reduces the PCI DSS scope by ensuring that only systems within the CDE are subject to the full set of PCI requirements, while the corporate network remains out of scope. The firewall enforces a default-deny policy, which aligns with PCI DSS Requirement 1 for network segmentation and access control.

Exam trap

The trap here is that candidates often confuse data-centric controls (like encryption or tokenization) with network-centric controls (like segmentation), leading them to choose options that protect data but do not reduce the number of systems in the CDE.

How to eliminate wrong answers

Option A is wrong because encrypting cardholder data at rest and in transit does not reduce the number of systems that handle cardholder data; it only protects the data but does not change the CDE boundary or scope. Option B is wrong because replacing the database with a tokenization service and removing the database from the CDE would reduce scope, but the question asks for the most effective approach to segment the existing CDE; tokenization is a data-centric approach, not a network segmentation technique, and does not address the immediate need for network isolation. Option C is wrong because moving all servers to a DMZ and implementing host-based firewalls does not isolate the CDE from the corporate network; a DMZ is typically used for public-facing services and does not provide the strict segmentation required to reduce PCI scope, and host-based firewalls alone are insufficient for network-level segmentation.

47
MCQhard

A security engineer is designing a new network architecture for a government agency that requires compliance with NIST SP 800-53. The network must segregate data tiers and enforce least privilege. Which of the following designs BEST meets the requirements?

A.Perimeter-based security with a VPN for remote access.
B.Zero-trust architecture with micro-segmentation and continuous verification.
C.DMZ architecture with a single firewall between the internet and internal network.
D.Flat network with VLANs for each data tier and ACLs controlling traffic.
AnswerB

Zero-trust enforces least privilege and fine-grained segmentation, aligning with NIST SP 800-53.

Why this answer

B is correct. Zero-trust architecture with micro-segmentation provides granular control and enforces least privilege. VLANs with ACLs are less fine-grained.

DMZ and perimeter-based designs do not provide internal segmentation.

48
MCQhard

During a compliance audit, an organization's security team discovers that sensitive data in a legacy database is stored in plaintext. The database is critical for operations and cannot be taken offline for patching until the next maintenance window in three months. Which of the following is the BEST compensating control to reduce risk immediately?

A.Restrict network access to the database to only authorized applications
B.Use file-level encryption on the database storage volume
C.Implement transparent database encryption (TDE)
D.Apply a digital signature to the database files
AnswerA

Network restrictions reduce attack surface without downtime.

Why this answer

Option A is correct because network access restrictions limit exposure while the database remains unencrypted. Option C is wrong because transparent database encryption would require downtime or cause a performance impact. Option B is wrong because file-level encryption does not apply to database storage.

Option D is wrong because signing provides integrity, not confidentiality.

49
MCQmedium

An organization is implementing a governance framework to ensure that security controls are aligned with business objectives. Which of the following frameworks is specifically designed for this purpose?

A.COBIT 2019
B.NIST SP 800-53
C.ITIL 4
D.ISO/IEC 27001
AnswerA

COBIT is a governance framework that aligns IT with business objectives.

Why this answer

COBIT 2019 is specifically designed to align IT governance and security controls with business objectives by providing a comprehensive framework that links business goals to IT goals and enablers. It focuses on governance of enterprise IT (GEIT), ensuring that security investments and controls directly support strategic business outcomes, unlike other frameworks that are more operational or compliance-focused.

Exam trap

CompTIA often tests the distinction between governance frameworks (COBIT) and operational or compliance frameworks (NIST SP 800-53, ITIL, ISO 27001), trapping candidates who confuse control implementation with strategic alignment.

How to eliminate wrong answers

Option B (NIST SP 800-53) is wrong because it is a catalog of security and privacy controls for federal information systems, not a governance framework designed to align controls with business objectives; it focuses on technical and operational control implementation rather than strategic alignment. Option C (ITIL 4) is wrong because it is a service management framework that focuses on IT service lifecycle and delivery processes, not on governance or linking security controls to business goals. Option D (ISO/IEC 27001) is wrong because it is an information security management standard that specifies requirements for an ISMS, emphasizing risk management and compliance, but it does not inherently provide a governance structure to align controls with business objectives like COBIT does.

50
MCQmedium

An organization's risk appetite is defined as 'low' for data privacy. Which of the following risk treatments is most aligned with this appetite?

A.Transfer the risk through cyber insurance
B.Mitigate the risk by encrypting personal data
C.Avoid the risk by not collecting unnecessary personal data
D.Accept the risk and self-insure
AnswerC

Eliminates risk directly

Why this answer

With a 'low' risk appetite for data privacy, the organization must minimize exposure to privacy breaches. Avoiding the risk by not collecting unnecessary personal data is the most aligned treatment because it eliminates the privacy risk entirely rather than reducing or transferring it. This approach ensures no personal data exists to be compromised, directly supporting a low-risk appetite.

Exam trap

Cisco often tests the distinction between risk mitigation and risk avoidance, where candidates mistakenly choose encryption (mitigation) as the best option for a low-risk appetite, overlooking that avoidance eliminates the risk entirely.

How to eliminate wrong answers

Option A is wrong because transferring risk through cyber insurance does not reduce the likelihood or impact of a privacy breach; it only provides financial compensation, which is insufficient for a low-risk appetite that demands minimal exposure. Option B is wrong because mitigating the risk by encrypting personal data reduces but does not eliminate the risk; encrypted data can still be exfiltrated and decrypted, leaving residual privacy risk unacceptable for a low appetite. Option D is wrong because accepting the risk and self-insuring implies tolerance of potential privacy breaches, which contradicts a low-risk appetite that seeks to avoid such events entirely.

51
MCQmedium

An organization wants to adopt a cybersecurity framework that provides a structured approach to managing cyber risks. Which framework is BEST suited?

A.COBIT
B.NIST Cybersecurity Framework
C.ISO 27001
D.ITIL
AnswerB

NIST CSF provides a comprehensive framework for managing cybersecurity risks.

Why this answer

Option B is correct because the NIST Cybersecurity Framework is designed for managing cyber risks. Option C is wrong: ISO 27001 is a management system standard, not specifically a risk management framework. Option A is wrong: COBIT focuses on IT governance.

Option D is wrong: ITIL focuses on IT service management.

52
Multi-Selecthard

During a compliance audit, the auditor finds that several systems are missing security patches. The CISO needs to decide on a risk treatment. Which TWO of the following actions are appropriate?

Select 2 answers
A.Mitigate with compensating controls
B.Transfer risk through cyber insurance
C.Immediately patch all systems
D.Ignore the findings until next audit
E.Accept the risk formally
AnswersA, B

Compensating controls reduce risk without immediate patching.

Why this answer

Transferring risk via cyber insurance and mitigating with compensating controls are valid risk treatments. Ignoring findings is not acceptable; immediate patching may not be feasible; decommissioning is extreme.

53
MCQeasy

A mid-sized healthcare organization processes protected health information (PHI) and must comply with HIPAA and the GDPR for its EU patients. The organization uses a hybrid cloud environment with on-premises servers and AWS. Recently, an employee's laptop was stolen containing unencrypted PHI. The incident response team was activated. The security architect must determine the best course of action to address compliance obligations. The organization has a data classification policy, but it is not consistently enforced. A business continuity plan exists but has not been tested in two years. The CEO is concerned about reputational damage and legal liability. Which of the following should the security architect recommend FIRST?

A.Purchase cyber liability insurance to cover potential fines and legal costs
B.Notify affected patients and relevant regulatory authorities per breach notification rules
C.Implement full-disk encryption on all laptops and mobile devices immediately
D.Update the data classification policy to require encryption of all PHI on endpoints
AnswerB

Both HIPAA and GDPR require timely notification of data breaches; this is the first step in incident response compliance.

Why this answer

Option B is correct because the primary obligation under both HIPAA and GDPR is to notify affected individuals and authorities within prescribed timeframes (72 hours for GDPR, while HIPAA allows up to 60 days). Notifying demonstrates compliance and mitigates legal risk. Option D is wrong because updating the classification policy is important but is a secondary, long-term task; immediate notification is legally required.

Option A is wrong because buying cyber insurance is reactive and does not fulfill notification requirements; it addresses financial risk but not compliance. Option C is wrong because, while encryption would have prevented this incident, implementing encryption now will not address the current breach; notification must come first.

54
MCQhard

An auditor reviews this IAM policy attached to a user group. What is the primary compliance concern?

A.The policy restricts access to specific resources
B.The policy does not enable logging
C.The policy violates the principle of least privilege
D.The policy does not allow any actions
AnswerC

Granting all actions on all resources is excessive and violates least privilege.

Why this answer

Option C is correct because the IAM policy grants wildcard actions (Action: '*') on all resources (Resource: '*'), which violates the principle of least privilege by allowing any user in the group to perform any operation on any resource. This broad permission set creates an excessive attack surface and is a primary compliance concern under frameworks like NIST SP 800-53 or PCI DSS, which require restricting access to only what is necessary for job functions.

Exam trap

Cisco often tests the principle of least privilege by presenting a policy that appears functional (allows actions) but is overly permissive, tricking candidates into focusing on whether the policy 'works' rather than whether it complies with security best practices.

How to eliminate wrong answers

Option A is wrong because the policy does not restrict access to specific resources; it uses 'Resource': '*' to allow access to all resources, which is the opposite of restriction. Option B is wrong because IAM policies themselves do not enable or disable logging; logging is configured separately via services like AWS CloudTrail or Azure Monitor, and the absence of logging is not a compliance issue inherent to the policy statement. Option D is wrong because the policy explicitly allows all actions via 'Action': '*', so it does allow actions; the problem is that it allows too many actions, not none.

55
Multi-Selectmedium

A security analyst is performing a risk assessment for a critical application. Which TWO of the following are characteristics of a quantitative risk assessment methodology?

Select 2 answers
A.Calculates Annualized Loss Expectancy (ALE)
B.Relies on expert judgment and scenarios
C.Determines Exposure Factor (EF) for each asset
D.Uses high/medium/low ratings for likelihood and impact
E.Assigns dollar values to assets and potential losses
AnswersA, E

ALE is a key output of quantitative risk assessment.

Why this answer

Quantitative risk assessment expresses assets, losses and frequencies as numbers. Option E (assigns dollar values to assets and potential losses) is correct because monetary valuation is the defining input. Option A (calculates Annualized Loss Expectancy) is correct because ALE = SLE × ARO, with SLE = AV × EF, is the method's characteristic output.

Option B is qualitative (expert judgment and scenarios). Option D is qualitative (high/medium/low ratings in place of numbers). Option C, determining an Exposure Factor per asset, is also a quantitative input because it feeds SLE, so it is a weak distractor; the keyed answers are A and E because those are the two features exam writers treat as defining the methodology.

Strictly, ALE is an output of the method rather than a characteristic of it, but exam questions consistently treat calculating ALE as the hallmark of a quantitative assessment.
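The formulas above carried through to the decision they exist to support: whether a proposed safeguard is worth its annual cost. This is an added example, not from the page; the asset value, exposure factors, rates of occurrence and safeguard costs are constructed figures, and the safeguard-value formula (ALE before minus ALE after minus annual cost) is the standard cost-benefit step that follows the ALE calculation.

```python
"""Quantitative risk assessment worked example (added; figures are constructed).

SLE = AV * EF            single loss expectancy, in dollars
ALE = SLE * ARO          annualized loss expectancy, in dollars per year
value of safeguard = ALE_before - ALE_after - annual cost of the safeguard
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float       # AV, dollars
    exposure_factor: float   # EF, fraction of AV lost in one incident (0..1)
    aro: float               # annualized rate of occurrence, incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    new_exposure_factor: float   # EF after the control is in place
    new_aro: float               # ARO after the control is in place


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Annual net benefit of applying sg to risk; positive means it pays for itself."""
    after = Risk(risk.asset, risk.asset_value, sg.new_exposure_factor, sg.new_aro)
    return risk.ale() - after.ale() - sg.annual_cost


def best_safeguard(risk: Risk, options: List[Safeguard]) -> Optional[Safeguard]:
    """Return the safeguard with the highest positive net value, or None.

    None means no option reduces ALE by more than it costs, so the remaining
    choices are acceptance (with sign-off) or transfer, not mitigation.
    """
    scored = [(safeguard_value(risk, sg), sg) for sg in options]
    worth_it = [(v, sg) for v, sg in scored if v > 0]
    if not worth_it:
        return None
    return max(worth_it, key=lambda pair: pair[0])[1]


# Constructed figures for illustration only.
CUSTOMER_DB = Risk("customer database", asset_value=1_000_000,
                   exposure_factor=0.30, aro=0.5)
OPTIONS = [
    Safeguard("DLP + encryption", annual_cost=60_000,
              new_exposure_factor=0.05, new_aro=0.5),
    Safeguard("24x7 SOC",         annual_cost=200_000,
              new_exposure_factor=0.05, new_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE = {CUSTOMER_DB.sle():,.0f}  ALE = {CUSTOMER_DB.ale():,.0f}")
    for sg in OPTIONS:
        print(f"{sg.name:18s} net value = {safeguard_value(CUSTOMER_DB, sg):,.0f}")
    chosen = best_safeguard(CUSTOMER_DB, OPTIONS)
    print("recommend:", chosen.name if chosen else "accept or transfer")
```

With these figures the SOC reduces the loss more than DLP does, yet its net value is negative; the quantitative method is what exposes that, which a high/medium/low rating cannot.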

56
Multi-Selecteasy

A healthcare organization is implementing HIPAA Security Rule safeguards. Which TWO of the following are required administrative safeguards? (Choose TWO.)

Select 2 answers
A.Security management process.
B.Encryption of ePHI at rest.
C.Unique user identification.
D.Assigned security responsibility.
E.Facility access controls.
AnswersA, D

Both are required administrative safeguards: the security management process is §164.308(a)(1) and assigned security responsibility is §164.308(a)(2).

Why this answer

A and D are correct. Administrative safeguards include the security management process and assigned security responsibility. B (encryption of ePHI at rest) and C (unique user identification) are technical safeguards under §164.312, and E (facility access controls) is a physical safeguard under §164.310.

57
MCQmedium

A company's data classification policy labels all financial data as 'Confidential.' An employee accidentally emails a spreadsheet containing customer payment information to an unauthorized external party. Which type of control failure occurred?

A.Preventive control failure
B.Corrective control failure
C.Administrative control failure
D.Detective control failure
AnswerA

A DLP solution should have prevented the email

Why this answer

A preventive control failure occurred because the organization lacked a technical safeguard—such as Data Loss Prevention (DLP) rules, email content filtering, or mandatory access controls—to block the outbound transmission of confidential financial data. Preventive controls are designed to stop unauthorized actions before they happen, and the absence of such a mechanism allowed the accidental email to be sent. The failure is not in detection or correction, but in the inability to prevent the data exfiltration at the point of transmission.

Exam trap

The trap here is that candidates confuse the existence of a policy (administrative control) with the technical enforcement of that policy, leading them to incorrectly select 'Administrative control failure' when the real issue is the lack of a preventive technical control.

How to eliminate wrong answers

Option B is wrong because corrective controls (e.g., data backup restoration, incident response procedures) are activated after an incident to repair damage or restore normal operations, not to block the initial unauthorized email. Option C is wrong because administrative controls (e.g., policies, training, user awareness programs) are procedural and human-focused; while a policy existed, the failure was in the technical enforcement layer, not in the policy itself. Option D is wrong because detective controls (e.g., audit logs, SIEM alerts, DLP monitoring) would identify the breach after it occurred, but the question asks about the control that should have prevented the email from being sent in the first place.

58
MCQmedium

A security architect is designing a system for a healthcare provider that must comply with HIPAA. Which control is required for ePHI transmission?

A.Encryption of data in transit
B.Integrity verification mechanisms
C.Role-based access control
D.Audit logging for all access
AnswerA

HIPAA's Transmission Security standard (§164.312(e)(1)) is the control that applies to ePHI sent over networks, and encryption is its expected implementation.

Why this answer

Option A is correct because the Transmission Security standard (§164.312(e)(1)) is the HIPAA control that applies specifically to ePHI in transit, and encryption is the implementation auditors expect to see for network transmission. Option B is wrong because integrity verification is the other implementation specification under the same standard, but encryption is the specific control the question is after. A practitioner caveat: HIPAA marks both transmission specifications as "addressable", so an organization that chooses not to encrypt must document why and what equivalent alternative it uses.

Option C is wrong because role-based access control is an access-control safeguard (§164.312(a)), not a transmission control. Option D is wrong because audit logging (§164.312(b)) supports monitoring of access, not protection of data while it moves across a network.

59
Multi-Selecthard

Which THREE of the following are required components of a Business Continuity Plan (BCP) per ISO 22301?

Select 3 answers
A.Detailed technical recovery procedures for IT systems
B.Scope and policy for business continuity
C.Vulnerability scanner configuration
D.Communication and notification plan
E.Business Impact Analysis (BIA)
AnswersB, D, E

The BCP must define its scope and the policy that drives it.

Why this answer

ISO 22301 requires the scope and policy for business continuity (Option B) to define the boundaries and objectives of the BCP, as specified in Clause 4.3 (Scope) and Clause 5.2 (Policy). It also requires a Business Impact Analysis (Option E), which identifies prioritized activities and their recovery objectives, and warning-and-communication procedures (Option D), both addressed under Clause 8 (Operation). Option A is wrong because detailed technical recovery procedures for IT systems belong to the disaster recovery plan that supports the BCP, and Option C is wrong because vulnerability scanner configuration is an operational security control with no place in a continuity plan.

Exam trap

CompTIA often tests the distinction between a BCP (organizational continuity) and a DRP (technical recovery), leading candidates to mistakenly select detailed IT recovery procedures as a BCP component.

60
Drag & Dropmedium

Drag and drop the steps to deploy a new certificate from an internal CA using Group Policy into the correct order.


Why this order

Certificate deployment via Group Policy proceeds in this order: request the certificate from the internal CA, have the CA approve and issue it, export the issued certificate, import it into the Group Policy object, and let Group Policy distribute it to the targeted computers. A practitioner caveat: when the goal is to make clients trust the CA, export only the public certificate (.cer) into the Trusted Root Certification Authorities store; export with the private key (.pfx) only when the certificate itself, not merely trust in it, must be installed on the endpoints, and protect that file accordingly.

61
MCQhard

During a risk assessment, a residual risk is identified as high. What should be the NEXT step?

A.Transfer the risk to a third party
B.Implement additional controls to reduce the risk to an acceptable level
C.Ignore the risk because it is residual
D.Accept the residual risk as is
AnswerB

The next step is to apply additional controls to lower residual risk.

Why this answer

Option B is correct because a residual risk rated high exceeds what an organization normally tolerates, so the next step is to apply additional controls until it falls within the risk appetite. Option A is wrong because transferring risk (insurance, outsourcing) is a possible treatment but not automatically the next step, and it never removes the organization's accountability for the outcome. Option C is wrong because residual risk is, by definition, the risk that remains after treatment; it is tracked in the risk register, never ignored.

Option D is wrong because accepting a high residual risk as is would be appropriate only if it sits within the stated risk appetite and a named risk owner signs off in writing, which the scenario does not indicate.

62
MCQmedium

A global financial firm must comply with GDPR and SOX. The CISO wants to consolidate controls across frameworks using a single set of controls. Which approach best addresses this requirement?

A.Adopt a unified control framework such as NIST SP 800-53
B.Focus only on the most stringent regulation
C.Implement automated GRC tools without changing controls
D.Maintain separate control sets for each regulation
AnswerA

Allows mapping to multiple regulations

Why this answer

Adopting a unified control framework such as NIST SP 800-53 allows the firm to map controls from GDPR and SOX into a single, comprehensive set, reducing duplication and ensuring consistent compliance. This approach leverages the framework's catalog of controls, which can be tailored to meet the specific requirements of multiple regulations simultaneously, aligning with the CISO's goal of consolidation.

Exam trap

Cisco often tests the misconception that simply automating compliance with GRC tools or focusing on the strictest regulation is sufficient, but the correct approach requires a unified framework that harmonizes controls across all applicable regulations.

How to eliminate wrong answers

Option B is wrong because focusing only on the most stringent regulation ignores unique requirements of other regulations (e.g., GDPR's data subject rights or SOX's financial reporting controls), leading to compliance gaps. Option C is wrong because implementing automated GRC tools without changing controls merely automates existing inefficiencies and does not consolidate or harmonize the control sets across frameworks. Option D is wrong because maintaining separate control sets for each regulation increases administrative overhead, audit complexity, and the risk of control conflicts, contradicting the requirement for consolidation.

63
Multi-Selecteasy

Which TWO of the following are common compliance frameworks used in the healthcare industry?

Select 2 answers
A.HIPAA
B.PCI DSS
C.ISO 27001
D.SOX
E.HITECH
AnswersA, E

HIPAA governs healthcare data.

Why this answer

Options A and E are correct. HIPAA is the U.S. healthcare privacy and security law, and HITECH strengthens and extends HIPAA, including its breach notification requirements. Option B is wrong because PCI DSS covers payment card data.

Option C is wrong because ISO 27001 is a general information security management standard, not healthcare-specific. Option D is wrong because SOX governs financial reporting controls.

64
MCQeasy

A company is implementing a risk management framework to comply with PCI DSS. Which type of control is a firewall rule that blocks all inbound traffic except HTTP and HTTPS?

A.Corrective
B.Compensating
C.Preventive
D.Detective
AnswerC

Preventive controls block or avoid security incidents.

Why this answer

A firewall rule that blocks traffic is a preventive control because it prevents unauthorized access. Detective controls identify incidents after they occur, corrective controls fix issues, and compensating controls provide alternative security.

65
MCQeasy

A company's security policy requires that all remote access be conducted via VPN. An employee uses a personal device without VPN to access company email. Which type of policy violation is this?

A.Legal violation
B.Standards violation
C.Regulatory compliance violation
D.Organizational policy violation
AnswerD

Directly contravenes company policy

Why this answer

Option D is correct because the employee's action directly violates the company's internal security policy requiring VPN for all remote access. This is a policy violation, not a legal or regulatory one, as the company has established a mandatory rule that the employee failed to follow. The use of a personal device without VPN to access company email is a clear breach of organizational policy, which is a governance issue within the company's risk management framework.

Exam trap

The trap here is that candidates often confuse 'organizational policy violation' with 'regulatory compliance violation,' mistakenly thinking that any security breach automatically involves a regulatory mandate, when in fact the question explicitly describes a breach of internal policy.

How to eliminate wrong answers

Option A is wrong because a legal violation involves breaking a law (e.g., data protection statutes like GDPR or HIPAA), and while the action may have legal implications, the question specifically asks about a policy violation, not a legal one. Option B is wrong because a standards violation refers to non-compliance with industry or technical standards (e.g., ISO 27001, NIST SP 800-53), not internal company rules. Option C is wrong because a regulatory compliance violation involves failing to meet external regulatory requirements (e.g., PCI DSS, SOX), and the scenario describes a breach of internal policy, not a specific regulatory mandate.

66
MCQhard

During a third-party risk assessment, a security architect discovers that a vendor's data retention policy does not align with the organization's legal requirements. Which of the following is the BEST course of action?

A.Request the vendor to update its retention policy to align with legal requirements.
B.Accept the risk and document it in the risk register.
C.Immediately terminate the vendor contract.
D.Implement compensating controls to enforce data deletion after the required period.
AnswerA

This directly addresses the discrepancy and uses the contractual relationship to bring the vendor into line with the organization's legal obligations.

Why this answer

Option A is correct because the best first step is to require the vendor to align its retention policy with the organization's legal obligations, normally through the contract or a data processing addendum, and then to verify the change. Option B is wrong because accepting the risk is premature while a contractual fix is available. Option C is wrong because immediate termination is disproportionate before the vendor has been asked to remediate. Option D is wrong because compensating controls on the organization's side cannot enforce deletion of data the vendor holds on its own systems.

67
MCQeasy

A security team is adopting the NIST risk management framework. Which step should they perform first?

A.Categorize.
B.Select.
C.Implement.
D.Assess.
AnswerA

The first step in NIST RMF is Categorize, where the system and its information are categorized based on impact.

Why this answer

Option A is correct because the NIST RMF requires categorization of the system and its information as the initial step that guides control selection and every later decision. Select, Implement and Assess follow in that order. Note that NIST SP 800-37 Rev. 2 added a Prepare step ahead of Categorize; among the options offered, Categorize is still the first.

68
MCQhard

A company that processes credit card transactions discovers that a third-party vendor with access to its network has suffered a data breach. The vendor's access was limited but included a connection to the cardholder data environment. The company must comply with PCI DSS. Which of the following is the FIRST action the company should take?

A.Revoke the vendor's access immediately and change all shared credentials.
B.Notify all affected cardholders as required by law.
C.Perform a forensic investigation to determine the scope of the breach.
D.Contact the acquiring bank and report the breach.
AnswerA

Immediate containment is the first priority to stop further exfiltration.

Why this answer

A is correct. PCI DSS requires immediate revocation of compromised access to prevent further data loss. Reporting and investigation follow containment.

Cardholder notification occurs after determining scope.

69
Drag & Dropmedium

Drag and drop the steps to perform a vulnerability scan using Nessus into the correct order.


Why this order

Vulnerability scanning: configure policy, set targets, run scan, review results, and report.
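The five steps above driven end to end from a script. This is an added example, not code from the page or from Tenable; the endpoint paths (/session, /policies, /scans, /scans/{id}/launch, /scans/{id}, /scans/{id}/export) and payload fields follow the Nessus REST API as I understand it and are assumptions here, and the FakeNessus transport is a constructed stand-in so the example runs offline. A real transport would issue HTTPS requests, verify the server certificate, and send the session token in an `X-Cookie: token=...` header (or use API keys instead of a password).

```python
"""Nessus scan workflow: policy -> targets -> launch -> results -> report.

Added example with a constructed in-memory Nessus stand-in; endpoint paths
and payload fields are assumptions modeled on the Nessus REST API.
"""
import time


class FakeNessus:
    """Minimal stand-in for a Nessus server (constructed for this example)."""

    def __init__(self):
        self.scans = {}
        self.polls = {}

    def request(self, method, path, body=None):
        if (method, path) == ("POST", "/session"):
            return {"token": "fake-token"}
        if (method, path) == ("GET", "/policies"):
            return {"policies": [{"id": 7, "name": "PCI Internal",
                                  "template_uuid": "tmpl-basic"}]}
        if (method, path) == ("POST", "/scans"):
            sid = len(self.scans) + 1
            self.scans[sid] = {"settings": body["settings"], "status": "empty"}
            self.polls[sid] = 0
            return {"scan": {"id": sid}}
        if method == "POST" and path.endswith("/launch"):
            sid = int(path.split("/")[2])
            self.scans[sid]["status"] = "running"
            return {"scan_uuid": f"uuid-{sid}"}
        if method == "GET" and path.startswith("/scans/"):
            sid = int(path.split("/")[2])
            self.polls[sid] += 1          # report "running" twice, then "completed"
            if self.polls[sid] >= 3:
                self.scans[sid]["status"] = "completed"
            return {"info": {"status": self.scans[sid]["status"]},
                    "hosts": [{"hostname": "10.0.0.5", "critical": 1, "high": 2}]}
        if method == "POST" and path.endswith("/export"):
            return {"file": 42}
        raise ValueError(f"unexpected {method} {path}")


class NessusClient:
    def __init__(self, transport):
        self.t = transport
        self.token = None

    def login(self, username, password):
        self.token = self.t.request("POST", "/session",
                                    {"username": username, "password": password})["token"]

    def policy_by_name(self, name):
        """Step 1: pick the configured scan policy."""
        for p in self.t.request("GET", "/policies")["policies"]:
            if p["name"] == name:
                return p
        raise LookupError(name)

    def create_scan(self, policy, name, targets):
        """Step 2: create a scan from the policy with the target list."""
        body = {"uuid": policy["template_uuid"],
                "settings": {"name": name, "policy_id": policy["id"],
                             "text_targets": ",".join(targets)}}
        return self.t.request("POST", "/scans", body)["scan"]["id"]

    def launch(self, scan_id):
        """Step 3: run the scan."""
        return self.t.request("POST", f"/scans/{scan_id}/launch")["scan_uuid"]

    def wait(self, scan_id, poll_seconds=0.0, max_polls=100):
        """Step 4: poll until the scan reaches a terminal status, then return results."""
        for _ in range(max_polls):
            result = self.t.request("GET", f"/scans/{scan_id}")
            if result["info"]["status"] in ("completed", "canceled", "aborted"):
                return result
            time.sleep(poll_seconds)
        raise TimeoutError(f"scan {scan_id} did not finish")

    def export(self, scan_id, fmt="csv"):
        """Step 5: request a report file for distribution."""
        return self.t.request("POST", f"/scans/{scan_id}/export", {"format": fmt})["file"]


def run_scan(transport, policy_name, targets):
    """Full workflow in the exhibit's order; returns a summary for the report."""
    c = NessusClient(transport)
    c.login("auditor", "not-a-real-password")   # prefer API keys in real use
    policy = c.policy_by_name(policy_name)
    scan_id = c.create_scan(policy, "quarterly-pci", targets)
    c.launch(scan_id)
    result = c.wait(scan_id)
    hosts = result["hosts"]
    severe = sum(h.get("critical", 0) + h.get("high", 0) for h in hosts)
    file_id = c.export(scan_id)
    return {"scan_id": scan_id, "status": result["info"]["status"],
            "hosts": len(hosts), "critical_or_high": severe, "export_file": file_id}


if __name__ == "__main__":
    print(run_scan(FakeNessus(), "PCI Internal", ["10.0.0.0/24"]))
```

The order matters: launching before the policy and targets are set produces an empty or mis-scoped scan, and exporting before the status is terminal yields a partial report.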

70
MCQhard

A multinational organization is subject to GDPR and local data protection laws. A data subject from country X requests deletion of personal data, but the data is also required for a legal hold under country Y's law. What is the BEST course of action?

A.Anonymize the data to satisfy both requirements
B.Escalate to the data protection authority
C.Retain the data and inform the data subject of the conflicting legal obligation
D.Delete the data to comply with GDPR
AnswerC

This balances compliance requirements transparently.

Why this answer

Option C is correct because GDPR Article 17(3) exempts erasure where retention is necessary to comply with a legal obligation or to establish, exercise or defend legal claims, and Article 12(4) requires the controller to tell the data subject the reasons for refusing. Option A is wrong because anonymization would alter the records the legal hold requires to be preserved intact. Option B is wrong because escalating to the supervisory authority is not a substitute for the controller deciding the request within the statutory deadline. Option D is wrong because deleting data under legal hold exposes the organization to sanctions in country Y.

71
MCQmedium

A healthcare provider is migrating patient records to a cloud EHR system. The security officer is concerned about data ownership and portability. Which contractual clause is MOST critical to include in the cloud service agreement?

A.A clause on data portability and format standards
B.A service level agreement guaranteeing 99.999% uptime
C.A stipulation that encryption keys are managed by the customer
D.A requirement for breach notification within 24 hours
AnswerA

Data portability ensures the organization can retrieve data.

Why this answer

Option A is correct because a data portability clause, including agreed export formats, ensures the healthcare provider can retrieve its patient records in a usable form if it changes vendors or the vendor fails, which is precisely the ownership and portability concern raised. Option B is wrong because uptime SLAs address availability, not ownership. Option C is wrong because customer-managed encryption keys protect confidentiality and are worth having, but they do not guarantee the data can be exported.

Option D is wrong because breach notification is a standard term that does not address ownership or portability.

72
MCQmedium

A security analyst discovers that an employee has been using a personal USB drive to transfer sensitive customer data from a workstation to a home computer. This violates the company's data handling policy. According to the company's incident response plan, which of the following is the FIRST step the analyst should take?

A.Perform a forensic analysis of the workstation
B.Isolate the workstation from the network
C.Escalate the incident to the data protection officer (DPO)
D.Notify law enforcement
AnswerB

Isolation contains the incident and prevents further data transfer.

Why this answer

The first priority in any incident response is containment to prevent further data loss or network propagation. Isolating the workstation from the network (Option B) immediately stops the employee from exfiltrating additional data and prevents any potential lateral movement by malware that might be on the USB drive. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

CompTIA often tests the candidate's ability to prioritize containment over investigation or notification, trapping those who confuse the order of the incident response phases (e.g., jumping to forensic analysis or legal escalation before stopping the bleeding).

How to eliminate wrong answers

Option A is wrong because forensic analysis is a post-containment step; performing it first could alter volatile evidence and does not stop ongoing data exfiltration. Option C is wrong because escalation to the DPO is a notification step that occurs after containment and initial triage, not as the first action. Option D is wrong because notifying law enforcement is a final step reserved for criminal activity after the incident is fully contained and evidence is preserved, and it is not the immediate priority.

73
MCQhard

A security auditor finds that a company's backup tapes are stored in the same building as the primary data center. Which risk treatment strategy does this lack represent?

A.Risk avoidance
B.Risk mitigation
C.Risk acceptance
D.Risk transference
AnswerB

Mitigation would require offsite backups to reduce risk.

Why this answer

Storing backups at a separate site is risk mitigation through geographic redundancy; keeping them in the same building leaves a single fire, flood or power event able to destroy both the primary data and its only copy. The missing control is therefore a mitigation. Avoidance, acceptance and transference do not describe what the auditor found.

74
Multi-Selectmedium

Which TWO of the following are key components of a governance framework? (Select TWO)

Select 2 answers
A.Policies and procedures
B.Vulnerability scanning schedule
C.Firewall rules
D.Penetration test results
E.Defined roles and responsibilities
AnswersA, E

Core governance documents

Why this answer

Policies and procedures (Option A) are foundational to a governance framework because they define the rules, standards, and operational guidelines that an organization must follow to ensure compliance, security, and risk management. They establish the 'what' and 'how' for decision-making and behavior, aligning with frameworks like ISO 27001 or NIST SP 800-53. Defined roles and responsibilities (Option E) are equally foundational: governance assigns accountability for decisions, approvals and oversight, for example through a RACI chart, so that every policy has an owner and enforcement has authority. Without both, governance lacks enforceable structure and accountability.

Exam trap

CompTIA often tests the distinction between governance components (policies, roles) and operational or technical controls (schedules, rules, results), leading candidates to mistake tactical activities for strategic framework elements.

75
MCQhard

Refer to the exhibit. The data classification policy defines levels and rules. During an audit, a database containing both PII and credit card numbers is found labeled as 'Internal'. Which of the following is the BEST first action?

A.Accept the risk as the data is not public
B.Remove the credit card numbers from the database
C.Create a new classification level for mixed data
D.Reclassify the database as 'Critical' to reflect the highest required level
AnswerD

Aligns with policy rule that PCI data must be Critical.

Why this answer

The database should be reclassified to 'Critical' because it contains PCI data, which requires the highest level. Creating a new level is unnecessary; accepting risk violates policy; removing data is not the first step.
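The same content inspection serves two of the questions above: it is the preventive DLP check that question 57 says was missing, and it is the rule question 75's policy applies, that a data set takes the highest classification any of its contents require. This is an added example, not code from the page; the classification levels, the mapping of data types to levels, the internal domain and the sample messages are all constructed, and the page's exhibit for question 75 is not reproduced. The Luhn check is what keeps a PAN detector from blocking every 16-digit order number.

```python
"""Detect PANs and PII, derive the required classification, and decide whether
outbound mail may leave. Added example; policy levels and samples are constructed.
"""
import re

# Assumed classification policy: ordered levels and the level each data type requires.
LEVELS = ["Public", "Internal", "Confidential", "Critical"]
REQUIRED_LEVEL = {"pan": "Critical", "ssn": "Confidential", "email": "Internal"}

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most numeric noise that merely looks like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return {data_type: [matches]} for the types present; PANs keep only last four."""
    found = {"pan": [], "ssn": [], "email": []}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found["pan"].append(digits[-4:])   # never log the full PAN
    found["ssn"] = [m.group() for m in SSN_RE.finditer(text)]
    found["email"] = [m.group() for m in EMAIL_RE.finditer(text)]
    return {k: v for k, v in found.items() if v}


def required_classification(text: str) -> str:
    """Highest level any detected data type requires (the rule behind question 75)."""
    levels = [REQUIRED_LEVEL[k] for k in find_sensitive(text)]
    return max(levels, key=LEVELS.index) if levels else "Public"


def dlp_decision(sender: str, recipients, body: str, internal_domain: str) -> dict:
    """Block outbound mail carrying Confidential-or-higher data to any external address.

    This is the preventive control question 57 says was missing: it runs at the
    mail gateway before the message leaves, not after.
    """
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    level = required_classification(body)
    block = bool(external) and LEVELS.index(level) >= LEVELS.index("Confidential")
    return {"action": "block" if block else "allow", "level": level,
            "sender": sender, "external_recipients": external,
            "findings": find_sensitive(body)}


# Constructed sample message: one Luhn-valid test PAN and one 16-digit reference number.
SAMPLE_BODY = ("Q3 payments attached. Card 4111 1111 1111 1111, exp 12/27. "
               "Ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    print(dlp_decision("alice@corp.example", ["bob@gmail.example"],
                       SAMPLE_BODY, "corp.example"))
    print(required_classification(SAMPLE_BODY))
```

The reference number in the sample is rejected by the Luhn check, so only the real card number raises the message to Critical; a detector without that check would either block legitimate mail or be tuned so loosely that it misses the data it exists to catch.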
