CCNA Reporting And Communication Questions

75 of 91 questions · Page 1/2 · Reporting And Communication topic

1 · MCQ · easy

A security analyst needs to present vulnerability scan results to a non-technical manager. Which of the following is MOST important to include?

A. Summary of critical vulnerabilities with associated business risk and recommended actions
B. Raw scan output with IP addresses and ports
C. Detailed exploit code for critical vulnerabilities
D. List of all CVSS scores with no further explanation

Answer: A

Provides clear decision-support information.

Why this answer

Option D is correct because risk prioritization helps managers allocate resources. Options A, B, C are too technical or lack context.

2 · MCQ · hard

An incident may involve regulated personal data. Who should be engaged early to determine notification obligations? If the primary audience is the business service owner, which content choice is most appropriate?

A. Only the graphic design team
B. Legal, privacy, and compliance stakeholders
C. Only the vulnerability scanner vendor
D. Only the facilities manager

Answer: B

Notification decisions depend on law, contract, data type, jurisdiction, and timing. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

When an incident involves regulated personal data, legal, privacy, and compliance stakeholders must be engaged early because they determine notification obligations under frameworks such as GDPR, HIPAA, or CCPA. These stakeholders interpret breach notification timelines (e.g., 72 hours under GDPR Article 33) and assess whether the data type triggers mandatory reporting. The business service owner needs this guidance to avoid regulatory penalties and ensure proper incident response coordination.

Exam trap

Cisco often tests the misconception that technical teams (e.g., vulnerability scanner vendors) handle notification obligations, but in reality, only legal, privacy, and compliance stakeholders have the authority to interpret data protection laws and trigger mandatory reporting.

How to eliminate wrong answers

Option A is wrong because the graphic design team has no role in data privacy or legal notification requirements; they handle visual assets, not regulatory compliance. Option C is wrong because the vulnerability scanner vendor provides technical scanning tools but lacks authority to interpret data protection laws or determine notification obligations. Option D is wrong because the facilities manager oversees physical security and building operations, not the legal or regulatory aspects of personal data breaches.

3 · MCQ · medium

An analyst identifies a security policy violation during a routine audit. The violation does not pose immediate risk. Which of the following is the BEST way to report this finding?

A. Create a formal report with the finding, policy references, and recommended remediation
B. Mention it casually in a team meeting
C. Send an instant message to the system owner
D. Immediately report it to the Chief Information Security Officer

Answer: A

Proper documentation supports compliance and follow-up.

Why this answer

A formal report is the best method for documenting a security policy violation because it provides a permanent, auditable record that includes specific policy references and recommended remediation steps. This aligns with the reporting and communication domain's emphasis on structured, traceable documentation for non-urgent findings, ensuring proper tracking and accountability without causing unnecessary alarm.

Exam trap

CompTIA often tests the distinction between formal reporting for non-urgent findings versus immediate escalation for critical threats, trapping candidates who confuse 'no immediate risk' with 'requires urgent action' or choose informal communication methods.

How to eliminate wrong answers

Option B is wrong because casually mentioning a policy violation in a team meeting lacks formal documentation, making it impossible to track remediation or prove compliance during audits. Option C is wrong because sending an instant message to the system owner is informal and ephemeral, providing no permanent record or policy reference for future review. Option D is wrong because immediately reporting a non-urgent violation to the Chief Information Security Officer escalates unnecessarily, bypassing standard reporting channels and overwhelming leadership with low-priority issues.

4 · MCQ · easy

The CISO asks whether incident response is improving quarter over quarter. Which metric is most relevant? If the primary audience is executive leadership, which content choice is most appropriate?

A. Number of unused dashboards
B. Number of desktop wallpapers changed
C. Total coffee consumed by analysts
D. Mean time to detect, mean time to respond, containment time, and recurrence rate

Answer: D

These KPIs show detection and response effectiveness over time. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Mean time to detect (MTTD), mean time to respond (MTTR), containment time, and recurrence rate are key performance indicators (KPIs) that directly measure the efficiency and effectiveness of an incident response program. These metrics provide quantitative data on how quickly threats are identified, contained, and remediated, and whether the root cause is fully addressed to prevent repeat incidents. For executive leadership, these high-level, trendable metrics are the most relevant for assessing improvement quarter over quarter, as they tie directly to risk reduction and operational maturity.

Exam trap

Cisco often tests the distinction between operational metrics (like MTTD/MTTR) and irrelevant or humorous distractors, trapping candidates who fail to focus on KPIs that directly measure incident response effectiveness for executive reporting.

How to eliminate wrong answers

Option A is wrong because the number of unused dashboards is a metric related to security information and event management (SIEM) or reporting tool utilization, not incident response performance; it does not measure detection, response, or containment speed. Option B is wrong because changing desktop wallpapers is a configuration management or endpoint compliance task unrelated to incident response metrics; it has no bearing on detecting or responding to security incidents. Option C is wrong because total coffee consumed by analysts is a humorous distractor with no technical relevance to incident response KPIs; it does not provide any data on detection time, response time, containment, or recurrence.

5 · MCQ · easy

A third-party provider caused an outage during remediation. What should the communication to the vendor focus on? If the primary audience is the business service owner, which content choice is most appropriate?

A. Timeline, service impact, evidence, required corrective actions, and contractual follow-up
B. Internal blame speculation
C. Confidential unrelated customer data
D. A public press statement draft first

Answer: A

Vendor communications should be factual and tied to obligations and remediation. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

Option A is correct because it aligns with the structured communication framework required for vendor management during an outage. The business service owner needs a clear timeline, quantified service impact (e.g., number of affected users, duration), evidence (e.g., logs, monitoring data), required corrective actions to prevent recurrence, and contractual follow-up (e.g., SLA breach, credits). This ensures accountability and supports informed decision-making without speculation or unnecessary data.

Exam trap

Cisco often tests the candidate's ability to distinguish between operational, evidence-based communication and emotional or premature responses, with the trap being that test-takers may choose 'internal blame speculation' (Option B) thinking it shows accountability, but it actually violates professional incident management protocols.

How to eliminate wrong answers

Option B is wrong because internal blame speculation is unprofessional, lacks technical substance, and violates incident communication best practices by focusing on fault rather than resolution and evidence. Option C is wrong because sharing confidential unrelated customer data violates data privacy regulations (e.g., GDPR, HIPAA) and is irrelevant to the vendor's remediation failure. Option D is wrong because a public press statement draft is premature and inappropriate for internal communication to a business service owner; it bypasses the need for factual, technical details and could cause reputational harm if released without verification.

6 · MCQ · medium

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is the SOC manager, which content choice is most appropriate?

A. Only estimated financial loss
B. Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
C. Only the CVE headline
D. Only a red/yellow/green chart

Answer: B

Technical teams need precise, actionable remediation steps and a way to confirm success. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Option B is correct because a technical remediation section for an OpenSSL vulnerability must include specific, actionable steps: affected assets and package versions to identify scope, patch commands or vendor guidance to apply the fix, a validation method (e.g., openssl version -a or a vulnerability scanner) to confirm remediation, and rollback notes for safety. This ensures the SOC manager can direct the server team with precise, auditable instructions, aligning with the Reporting and Communication domain's requirement for clear, technical content in incident response.

Exam trap

The trap here is that candidates may choose a high-level summary (like a chart or CVE headline) thinking it suffices for a SOC manager, but Cisco tests that technical remediation must include specific, executable steps (package versions, commands, validation) even when the audience is a manager, because the manager needs to verify and delegate the work accurately.

How to eliminate wrong answers

Option A is wrong because estimated financial loss belongs in a business impact analysis or executive summary, not in a technical remediation section; it provides no actionable steps for fixing the OpenSSL vulnerability. Option C is wrong because only the CVE headline (e.g., CVE-2024-XXXX) lacks the necessary details—affected package versions, patch commands, validation, and rollback—needed for the server team to execute the fix. Option D is wrong because a red/yellow/green chart is a high-level status indicator for dashboards, not a technical remediation; it omits the specific commands, version checks, and rollback procedures required to patch OpenSSL across Linux hosts.

7 · Multi-Select · medium

During a weekly security briefing, a junior analyst presents vulnerability scan results to a mixed audience of technical and non-technical stakeholders. Which three of the following communication practices should the analyst follow? (Choose three.)

Select 3 answers:
- Use technical jargon to demonstrate expertise and build credibility
- Provide a high-level executive summary with business risk context
- Focus only on critical and high-severity vulnerabilities
- Visualize data using charts and graphs to highlight trends
- Differentiate between managed and unmanaged risks
- Present every low-severity finding in detail to be thorough

Why this answer

Providing a high-level executive summary with business risk context is correct because non-technical stakeholders need to understand the impact of vulnerabilities in terms of potential financial, operational, or reputational harm, not just technical severity scores. This aligns with the CompTIA CS0-003 objective of tailoring communication to the audience, ensuring that decision-makers can prioritize remediation based on business risk rather than raw CVSS numbers.

Exam trap

CompTIA often tests the misconception that 'focusing only on critical and high-severity vulnerabilities' is sufficient for a mixed audience, but the trap is that this ignores the need to communicate managed vs. unmanaged risks and to provide context for all findings, not just the highest severity ones.

8 · MCQ · medium

A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is the technical remediation owner, which content choice is most appropriate?

A. SLA compliance by severity, asset owner, and business unit
B. A list of all closed tickets with no dates
C. A vendor price comparison
D. A report sorted only by scanner plugin ID

Answer: A

SLA reporting connects remediation timeliness to accountability. The report should be tuned to the technical remediation owner while preserving factual accuracy.

Why this answer

Option A is correct because an SLA compliance report by severity, asset owner, and business unit directly maps to the goal of showing whether critical findings are fixed within policy timelines. This report filters by severity (e.g., critical), includes remediation deadlines (SLA), and groups by asset owner and business unit, enabling technical remediation owners to track overdue items and prioritize fixes. It aligns with the NIST SP 800-55 framework for measuring security effectiveness through compliance metrics.

Exam trap

Cisco often tests the distinction between operational metrics (SLA compliance) and raw data (closed tickets) or irrelevant business data (vendor costs), trapping candidates who confuse 'showing compliance' with 'listing activity' or 'financial analysis'.

How to eliminate wrong answers

Option B is wrong because a list of all closed tickets with no dates provides no temporal context to determine if fixes were completed within policy timelines; without timestamps, SLA compliance cannot be measured. Option C is wrong because a vendor price comparison is irrelevant to vulnerability remediation timelines and technical remediation ownership; it addresses procurement, not security operations or SLA adherence.

9 · Multi-Select · medium

A security analyst needs to communicate the results of a vulnerability scan to different stakeholders. Which TWO of the following are appropriate reporting formats for executive-level stakeholders?

Select 2 answers:
A. A one-page executive summary with risk ratings and business impact
B. A dashboard showing trend analysis and high-level metrics
C. A detailed remediation checklist for system administrators
D. A raw output from the vulnerability scanner
E. A technical report listing CVSS scores and exploit details

Answers: A, B

Concise and focused on business risk, ideal for executives.

Why this answer

Executive-level stakeholders require high-level, business-focused information to make strategic decisions. A one-page executive summary with risk ratings and business impact (Option A) provides a concise overview of the most critical vulnerabilities, their potential effect on operations, and recommended actions without technical jargon. A dashboard showing trend analysis and high-level metrics (Option B) allows executives to quickly assess the organization's security posture over time, track remediation progress, and identify emerging risks through visual data.

Exam trap

CompTIA often tests the distinction between stakeholder-appropriate reporting formats, and the trap here is that candidates mistakenly choose technical options (like CVSS scores or raw scanner output) because they focus on the data's accuracy rather than the audience's need for actionable, non-technical summaries.

10 · MCQ · easy

A critical vulnerability affected the customer portal, but no evidence of exploitation was found. What should the executive summary emphasize? If the primary audience is the business service owner, which content choice is most appropriate?

A. A list of analyst shift times only
B. Business risk, customer impact assessment, remediation status, and remaining exposure
C. Every command the scanner executed
D. Raw packet captures from the scan

Answer: B

Executives need business impact and risk posture, not raw technical noise. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

Option B is correct because the executive summary for a business service owner must focus on business risk, customer impact, remediation status, and remaining exposure. Since no exploitation was found, the key message is the potential business impact and the current state of remediation, not technical details. This aligns with the Reporting and Communication domain, where the audience requires actionable business-level information.

Exam trap

Cisco often tests the candidate's ability to tailor communication to the audience; the trap here is that technical details (like scanner commands) seem thorough but are inappropriate for a business-focused executive summary, leading candidates to choose overly technical options.

How to eliminate wrong answers

Option A is wrong because listing analyst shift times is irrelevant to the vulnerability's business impact and does not address the service owner's need to understand risk and remediation. Option C is wrong because providing every command the scanner executed is overly technical, irrelevant to the executive summary, and would overwhelm the business audience with unnecessary operational details.

11 · MCQ · hard

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include? If the primary audience is the technical remediation owner, which content choice is most appropriate?

A. Named owner, due date, acceptance criteria, and retest plan
B. No action because the incident is closed
C. Deletion of the integration record
D. A vague recommendation to improve security

Answer: A

Corrective actions should be accountable and verifiable. The report should be tuned to the technical remediation owner while preserving factual accuracy.

Why this answer

A is correct because a failed alert integration indicates a gap in operational ownership, which must be resolved by assigning a named owner, setting a due date, defining acceptance criteria, and planning a retest. This ensures accountability and verifies that the integration is properly restored and monitored, preventing recurrence. Without these elements, the corrective action lacks closure and measurable success criteria.

Exam trap

Cisco often tests the misconception that closing an incident ends all responsibility, but the trap here is that corrective actions must include ownership and verification steps to prevent the same failure from recurring.

How to eliminate wrong answers

Option B is wrong because closing the incident without addressing the root cause (lack of ownership) leaves the vulnerability unpatched and the integration non-functional, violating post-incident remediation best practices. Option C is wrong because deleting the integration record removes the alerting capability entirely, which could blind the security team to future incidents; the corrective action should fix the integration, not eliminate it.

12 · MCQ · easy

The CISO asks whether incident response is improving quarter over quarter. Which metric is most relevant? If the primary audience is the business service owner, which content choice is most appropriate?

A. Number of desktop wallpapers changed
B. Mean time to detect, mean time to respond, containment time, and recurrence rate
C. Total coffee consumed by analysts
D. Number of unused dashboards

Answer: B

These KPIs show detection and response effectiveness over time. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

Mean time to detect (MTTD), mean time to respond (MTTR), containment time, and recurrence rate are the standard operational metrics for measuring incident response effectiveness. These directly quantify how quickly threats are identified, contained, and whether they return, which is exactly what the CISO needs to assess quarter-over-quarter improvement.

Exam trap

Cisco often tests the candidate's ability to distinguish between vanity metrics (like wallpaper changes) and actionable security KPIs, trapping those who confuse IT helpdesk tasks with incident response metrics.

How to eliminate wrong answers

Option A is wrong because the number of desktop wallpapers changed is a trivial, non-security metric that has no bearing on incident response performance or business service health. Option C is wrong because total coffee consumed by analysts is a humorous distractor with no relevance to security operations metrics or service owner reporting.

13 · MCQ · medium

A large enterprise with a centralized SOC is responding to a suspected data exfiltration incident. The incident response plan designates the SOC manager as the primary point of contact for all communication. However, during the incident, the marketing department independently publishes a social media post acknowledging the incident, stating that customer data was not compromised, and that the company has everything under control. The SOC analyst discovers this post. The actual investigation is still ongoing, and it is unclear whether customer data was exfiltrated. The company has a strict communication policy that all external statements regarding security incidents must be approved by the incident commander. The marketing department was not aware of the ongoing investigation and acted based on incomplete information. The analyst must consider the potential legal and regulatory implications of the inaccurate statement. The incident commander is currently in a meeting with the CISO and is unavailable. What should the analyst do FIRST?

A. Report the unauthorized communication to the SOC manager and recommend updating the incident communication plan to require approval from the incident commander before any external communication.
B. Inform the marketing department that their post was premature and potentially inaccurate, and ask them to remove it immediately.
C. Post a correction on the company's social media account to clarify that the investigation is ongoing.
D. Ignore the post because it helps maintain customer confidence.

Answer: A

Escalation to the designated communication lead is appropriate; updating the plan prevents recurrence.

Why this answer

Option A is correct because the SOC manager is designated as the primary point of contact for all communication per the incident response plan, and the analyst must first report the unauthorized communication to the SOC manager to ensure proper escalation and documentation. This aligns with the strict communication policy requiring incident commander approval for external statements, and it preserves the chain of command while the incident commander is unavailable. Reporting the breach of protocol allows the SOC manager to initiate corrective actions, such as updating the communication plan, without the analyst exceeding their authority or making unauthorized statements.

Exam trap

CompTIA often tests the principle of 'first report to the designated authority' versus taking direct corrective action, trapping candidates who choose to immediately fix the problem themselves rather than following the incident response plan's communication hierarchy.

How to eliminate wrong answers

Option B is wrong because directly contacting the marketing department to demand removal of the post violates the incident response plan's chain of command, which designates the SOC manager as the primary point of contact; the analyst lacks the authority to instruct other departments. Option C is wrong because posting a correction on social media without incident commander approval violates the strict communication policy and could create additional legal liability by publicly confirming an ongoing investigation with incomplete facts. Option D is wrong because ignoring the post disregards the potential legal and regulatory implications of the inaccurate statement, such as SEC disclosure rules or GDPR misrepresentation penalties, and fails to uphold the duty to report policy violations.

14 · Multi-Select · medium

Which TWO methods help ensure the accuracy of security metrics reported to management?

Select 2 answers:
A. Using colorful charts to impress stakeholders
B. Periodic validation of data against original logs
C. Automated data collection from reliable sources
D. Reporting only positive metrics to maintain confidence
E. Manual entry of data from multiple spreadsheets

Answers: B, C

Ensures consistency.

Why this answer

Option B is correct because periodic validation of security metrics against original logs (e.g., firewall logs, IDS/IPS alerts, or authentication logs) ensures data integrity by detecting discrepancies introduced during aggregation or transformation. This practice aligns with the principle of 'trust but verify,' where raw log sources serve as the authoritative baseline for metric accuracy, preventing reporting of corrupted or incomplete data.

Exam trap

CompTIA often tests the misconception that 'automated collection alone guarantees accuracy,' but the trap here is that automation without periodic validation can still propagate errors from misconfigured sources or data pipelines, so both B and C are required for accuracy.

15 · Multi-Select · medium

Which metrics best show SOC detection and response effectiveness? (Choose two.)

Select 2 answers:
A. Mean time to detect
B. Mean time to contain
C. Number of office printers
D. Total number of email signatures

Answers: A, B

MTTD measures detection speed.

Why this answer

Mean time to detect (MTTD) directly measures how quickly the SOC identifies a security incident from the initial compromise, reflecting the efficiency of detection tools like SIEM and EDR. A lower MTTD indicates faster threat discovery, which is critical for minimizing dwell time and reducing potential damage.

Exam trap

Cisco often tests the distinction between detection metrics (MTTD) and response/containment metrics (MTTC), and candidates may mistakenly include irrelevant operational metrics like printer counts that have no bearing on security operations effectiveness.

16 · MCQ · medium

The board asks whether cyber risk is decreasing after a vulnerability-management investment. Which presentation is strongest? If the primary audience is executive leadership, which content choice is most appropriate?

A. A list of tool login names
B. Trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service
C. A raw CSV of 20,000 findings
D. A screenshot of every scanner page

Answer: B

Board reporting should connect investment to measurable risk reduction. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option B is correct because it directly addresses the board's question by showing a trend in exploitable critical exposures (measuring vulnerability reduction), remediation SLA performance (tracking timeliness of fixes), and residual risk by business service (quantifying remaining risk). This provides executive leadership with a clear, high-level view of risk reduction over time, aligning with the CS0-003 domain of Reporting and Communication for a non-technical audience.

Exam trap

Cisco often tests the misconception that executives want raw data or operational details, when in fact they need summarized, trend-based, risk-focused metrics that directly answer the business question of risk reduction.

How to eliminate wrong answers

Option A is wrong because a list of tool login names provides no insight into risk trends or remediation effectiveness; it is an operational detail irrelevant to executive decision-making. Option C is wrong because a raw CSV of 20,000 findings is too granular and unprocessed for executive leadership, who need summarized, actionable metrics rather than raw data dumps.

17 · Multi-Select · medium

Which TWO of the following are best practices for distributing security reports to stakeholders?

Select 2 answers:
A. Post reports on a public website for easy access
B. Use encrypted email for sensitive reports
C. Send reports via instant messaging without encryption
D. Print and leave reports in common areas
E. Grant access via a secure portal with role-based permissions

Answers: B, E

Protects confidentiality.

Why this answer

Option B is correct because encrypted email (e.g., using S/MIME or PGP) ensures that sensitive security reports are protected from unauthorized interception during transit, maintaining confidentiality and integrity as required by security best practices.

Exam trap

CompTIA often tests the misconception that convenience (e.g., public posting or unencrypted messaging) is acceptable for security reports, when in fact any distribution method must enforce confidentiality, integrity, and access control.

18 · Multi-Select · medium

A cybersecurity analyst is preparing a post-incident report for a data breach that affected multiple business units. Which three of the following elements should be included in the report to ensure effective communication and support future prevention? (Choose three.)

Select 3 answers:
- A detailed timeline of the incident, including detection and response actions
- The specific usernames and passwords of affected accounts
- Root cause analysis and contributing factors
- Recommendations for remediation and process improvements
- The raw packet capture data from the breach period
- A list of all employees' personal contact information for notification

Why this answer

A detailed timeline of the incident, including detection and response actions, is correct because it provides a chronological record essential for understanding the sequence of events, assessing response effectiveness, and meeting regulatory reporting requirements. Root cause analysis and contributing factors are correct because they identify the underlying technical or procedural failures (e.g., unpatched vulnerability, misconfigured firewall rule) that must be addressed to prevent recurrence. Recommendations for remediation and process improvements are correct because they translate findings into actionable steps, such as implementing multi-factor authentication or updating incident response playbooks, which directly support future prevention.

Exam trap

CompTIA often tests the distinction between operational data (e.g., raw packet captures, credentials) and actionable intelligence (e.g., timeline, root cause, recommendations) to see if candidates understand that a post-incident report is a high-level communication tool, not a data dump.

19 · MCQ · hard

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is the business service owner, which content choice is most appropriate?

A. Only the analyst's personal opinion
B. Risk owner, reason, compensating controls, review date, and expiry
C. No mention of the accepted risk
D. A permanent exception with no review

Answer: B

Risk acceptance must be accountable, time-bound, and visible. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

Option B is correct because when a business owner accepts delayed remediation for a production system, the report must formally document the risk acceptance decision. This includes the risk owner (who accepted the risk), the reason for acceptance, any compensating controls in place, a review date to reassess the risk, and an expiry date for the acceptance. This aligns with risk management frameworks like NIST SP 800-37 and ISO 27005, which require traceability and accountability for accepted risks.

Exam trap

Cisco often tests the misconception that risk acceptance means the risk is simply ignored or not reported, but the correct approach is to formally document the acceptance with all required metadata to maintain accountability and audit readiness.

How to eliminate wrong answers

Option A is wrong because the analyst's personal opinion is not a risk acceptance; the decision belongs to the accountable business owner and must be recorded with its business context and supporting facts, not as a subjective view. Option C is wrong because omitting the accepted risk from the report would hide a security decision from stakeholders and break the audit trail that compliance regimes expect (for example, PCI DSS requires documented compensating controls wherever a requirement is not met as written).

20
MCQhard

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is executive leadership, which content choice is most appropriate?

A.A permanent exception with no review
B.Risk owner, reason, compensating controls, review date, and expiry
C.Only the analyst's personal opinion
D.No mention of the accepted risk
AnswerB

Risk acceptance must be accountable, time-bound, and visible. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option B is correct because when a business owner accepts delayed remediation for a production system, the report must formally document the risk owner, the reason for the delay, any compensating controls in place, a scheduled review date, and an expiry date. This ensures accountability, traceability, and that the risk is not permanently ignored, aligning with risk management frameworks like NIST SP 800-37 or ISO 27001.

Exam trap

Cisco often tests the misconception that risk acceptance can be permanent or that a single opinion suffices, but the exam requires documentation of ownership, controls, and a mandatory review/expiry cycle to ensure governance and auditability.

How to eliminate wrong answers

Option A is wrong because a permanent exception with no review defeats continuous monitoring; an acceptance must be time-bound and re-reviewed so that compensating controls are confirmed to still work and the exception is either re-approved or remediated when it lapses. Option C is wrong because including only the analyst's personal opinion lacks objective evidence and stakeholder accountability, and fails to meet audit requirements for risk acceptance documentation.
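A register check that enforces the metadata listed in the answer to questions 19 and 20 (owner, reason, compensating controls, review date, expiry), added here as an example; it is not code from the original page. The 180-day ceiling and the sample register entries are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy ceiling (not from the page): no single acceptance runs longer than this.
MAX_ACCEPTANCE_DAYS = 180


@dataclass(frozen=True)
class RiskAcceptance:
    """One entry in a risk-acceptance (exception) register."""
    finding_id: str
    system: str
    risk_owner: str                  # accountable business owner, not the analyst
    reason: str
    compensating_controls: List[str]
    accepted_on: date
    review_date: Optional[date]      # None = never reviewed
    expiry: Optional[date]           # None = permanent, which the policy forbids


def validate_acceptance(ra: RiskAcceptance, as_of: date) -> List[str]:
    """Return the policy problems with one register entry (empty list = acceptable)."""
    issues: List[str] = []
    if not ra.risk_owner.strip():
        issues.append("missing risk owner")
    if not ra.reason.strip():
        issues.append("missing reason for acceptance")
    if not ra.compensating_controls:
        issues.append("no compensating controls recorded")
    if ra.review_date is None:
        issues.append("no review date")
    if ra.expiry is None:
        issues.append("no expiry: acceptance would be permanent")
    else:
        if ra.expiry <= ra.accepted_on:
            issues.append("expiry is not after the acceptance date")
        elif (ra.expiry - ra.accepted_on).days > MAX_ACCEPTANCE_DAYS:
            issues.append(f"acceptance period exceeds policy maximum of {MAX_ACCEPTANCE_DAYS} days")
        if ra.review_date is not None and ra.review_date > ra.expiry:
            issues.append("review date falls after expiry")
        if as_of > ra.expiry:
            issues.append("acceptance has expired: re-approve or remediate")
    # A missed review only matters while the acceptance is still in force.
    if (ra.review_date is not None and as_of > ra.review_date
            and (ra.expiry is None or as_of <= ra.expiry)):
        issues.append("review is overdue")
    return issues


def register_report(register: List[RiskAcceptance], as_of: date) -> Dict[str, List[str]]:
    """Map each finding ID to its issues; only entries with problems are included."""
    report: Dict[str, List[str]] = {}
    for ra in register:
        problems = validate_acceptance(ra, as_of)
        if problems:
            report[ra.finding_id] = problems
    return report


# Constructed sample register (names, systems and dates are made up for this example).
AS_OF = date(2024, 3, 15)
REGISTER = [
    RiskAcceptance("RA-1", "payments-api", "J. Doe (Head of Payments)",
                   "Vendor patch needs downtime; next change window is 2024-04-06",
                   ["WAF rule blocks the exploit path", "host reachable only from the internal network"],
                   date(2024, 3, 1), date(2024, 4, 8), date(2024, 5, 1)),
    RiskAcceptance("RA-2", "legacy-reporting", "", "Low impact", [],
                   date(2024, 1, 10), None, None),
    RiskAcceptance("RA-3", "hr-portal", "A. Smith (HR Director)", "Awaiting budget for replacement",
                   ["quarterly manual access review"],
                   date(2023, 6, 1), date(2023, 9, 1), date(2023, 12, 1)),
]

if __name__ == "__main__":
    for finding_id, problems in register_report(REGISTER, AS_OF).items():
        print(finding_id)
        for problem in problems:
            print("  -", problem)
```

Run it before each reporting cycle: an empty result means every accepted risk is still owned, time-bound and inside its review window; anything else is what goes into the report for the business service owner, since an expired or permanent acceptance is exactly the condition Options C and D would hide.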

21
MCQhard

A security analyst discovers that a data breach involving personally identifiable information (PII) of European Union citizens occurred two weeks ago but was not detected until now due to a monitoring gap. The company is subject to GDPR, which requires notification to the relevant supervisory authority within 72 hours of becoming aware of the breach. The analyst reports this to the CISO, who decides to delay notification for another week to prepare a more comprehensive response. The analyst believes this violates regulatory requirements. The analyst has documented the breach details and is concerned about the legal and financial penalties for non-compliance. The company's legal department has a strong compliance focus. The analyst has a duty to escalate within the organization. The organization has a whistleblower policy and an ethics hotline. What should the analyst do?

A.Document the decision and the delay, then proceed with the notification after one week as instructed.
B.Escalate the matter to the company's legal department and explain the regulatory requirement for timely notification.
C.Report the incident to the data protection authority (DPA) immediately, bypassing the CISO, as required by GDPR.
D.Follow the CISO's orders and delay the notification.
AnswerB

Legal can advise on compliance and potentially override the CISO's decision while respecting internal channels.

Why this answer

Option B is correct because the analyst has a duty to escalate within the organization, and the legal department is the appropriate internal authority to address compliance with GDPR's 72-hour notification requirement. By escalating to legal, the analyst ensures the regulatory obligation is formally raised without bypassing internal hierarchy, which aligns with the company's compliance focus and whistleblower policy. This approach balances the CISO's decision with the legal imperative to notify the supervisory authority within the mandated timeframe.

Exam trap

CompTIA often tests the distinction between internal escalation and external reporting, where the trap is that candidates may choose Option C (direct DPA notification) because they confuse an individual's ethical duty with the organizational process required by GDPR, but the correct action is to escalate internally first to allow the organization to fulfill its legal obligation as the data controller.

How to eliminate wrong answers

Option A is wrong because it accepts a deliberate delay beyond GDPR's 72-hour window; Article 33(4) already lets a controller supply details in phases, so waiting to "prepare a more comprehensive response" is not a valid reason, and a breach of Article 33 is fineable under Article 83(4) (up to 10 million EUR or 2% of annual worldwide turnover, whichever is higher). Option C is wrong because bypassing the CISO and reporting directly to the DPA skips the internal escalation procedures and whistleblower channel the scenario says exist; GDPR places the notification duty on the data controller (the company), not on an individual analyst acting unilaterally. Option D is wrong because knowingly delaying notification is willful non-compliance that exposes the company to regulatory fines, and following the CISO's instruction does not discharge the analyst's own duty to escalate.

22
Multi-Selectmedium

A CISO wants a concise incident update during active containment. Which elements should be included? (Choose three.)

Select 3 answers
A.Every raw log line collected so far
B.Containment actions completed and pending
C.Known decisions or approvals needed
D.Current impact and affected services
AnswersB, C, D

Status shows risk reduction progress.

Why this answer

During active containment, the CISO needs a concise update focused on status and decisions, not raw data. Option B is correct because containment actions completed and pending tell the CISO where the response stands. Option C is correct because decisions or approvals still needed (for example, taking a revenue-generating service offline) are exactly what a CISO can unblock. Option D is correct because current impact and affected services let the CISO brief leadership and prioritise. Option A is wrong because raw log lines belong in the case file and evidence store, not in a status update.

Exam trap

Cisco often tests the distinction between raw data (logs) and actionable intelligence (status updates), trapping candidates who think more data is better for a concise executive update.

23
MCQmedium

After a major security incident, a post-incident review reveals that communication between the SOC and the network operations center (NOC) was slow and unclear. Which document should be updated to improve future incident response?

A.Disaster recovery plan (DRP)
B.Communication management plan
C.Business continuity plan (BCP)
D.Incident response plan (IRP)
AnswerB

This plan governs communication during incidents, making it the appropriate document to update.

Why this answer

The communication management plan defines roles, responsibilities, escalation paths, and communication channels (e.g., secure chat, phone bridges, ticketing systems) between teams like the SOC and NOC during an incident. Since the review specifically identified slow and unclear inter-team communication, updating this plan directly addresses the root cause by clarifying protocols, contact lists, and expected response times, ensuring faster and clearer coordination in future incidents.

Exam trap

CompTIA often tests the distinction between the incident response plan (which covers technical response steps) and the communication management plan (which covers inter-team coordination), leading candidates to mistakenly choose the IRP when the question specifically highlights communication failures.

How to eliminate wrong answers

Option A is wrong because the disaster recovery plan (DRP) focuses on restoring IT infrastructure and systems after a disaster (e.g., data center outage), not on improving real-time communication workflows between operational teams during a security incident. Option C is wrong because the business continuity plan (BCP) ensures critical business functions continue during a disruption (e.g., alternate site operations), but does not address the specific communication breakdown between SOC and NOC. Option D is wrong because the incident response plan (IRP) outlines technical steps for detecting, containing, and eradicating threats (e.g., playbooks, containment procedures), but it does not typically detail inter-team communication protocols; that is the role of the communication management plan.

24
MCQhard

During a post-incident review, the team identifies that the incident response plan was not followed correctly due to unclear communication channels. Which recommendation BEST addresses this issue?

A.Update the incident response plan to define specific communication channels and escalation paths
B.Implement multi-factor authentication for all accounts
C.Replace the current SIEM tool with a faster one
D.Conduct more frequent vulnerability scans
AnswerA

Directly resolves the ambiguity in communication.

Why this answer

Option A is correct because the root cause identified in the post-incident review is unclear communication channels, which means the plan's communication and escalation procedures were underspecified. Updating the plan to name exact channels (e.g., a dedicated Slack channel, an email distribution list, or a phone tree) and escalation paths (e.g., tier-1 analyst → SOC manager → CISO) ensures that everyone knows how and when to communicate during an incident, preventing delays and miscoordination.

Exam trap

Cisco often tests the distinction between procedural improvements (like updating the IR plan) versus technical controls (like MFA or SIEM upgrades), and the trap here is that candidates mistakenly choose a technical solution (e.g., faster SIEM) when the root cause is a process/communication failure.

How to eliminate wrong answers

Option B is wrong because multi-factor authentication (MFA) is an access control mechanism that strengthens authentication but does not address communication channel clarity or escalation paths during incident response. Option C is wrong because replacing the SIEM tool with a faster one focuses on detection speed and log analysis performance, not on the procedural communication failures identified in the review. Option D is wrong because conducting more frequent vulnerability scans improves proactive threat identification and patch management, but it does not resolve the operational breakdown in how the team communicates and escalates during an active incident.

25
MCQhard

During an active incident, a security analyst discovers that the attacker has exfiltrated data. The analyst must communicate this to the incident response team. Which method of communication is MOST appropriate?

A.Update the incident ticket and wait for the team to review
B.Send a detailed email to the incident response team
C.Use a predefined secure messaging channel or phone call to escalate
D.Post the information on a public forum for awareness
AnswerC

Real-time communication is critical during incidents.

Why this answer

During an active incident, speed and confidentiality are critical. A predefined secure messaging channel or phone call gives immediate, confidential communication without the latency of ticketing or the exposure risk of email. This aligns with NIST SP 800-61, which advises planning out-of-band channels for incident communication because the attacker may have access to the usual ones (email, chat, ticketing) and could learn what responders know.

Exam trap

CompTIA often tests the misconception that email or ticketing systems are sufficient for urgent incident communication, when in fact they lack the speed, security, and out-of-band nature required during an active data exfiltration event.

How to eliminate wrong answers

Option A is wrong because updating a ticket and waiting introduces unacceptable latency; the team may not see it promptly, and an attacker with a foothold may be able to read the ticketing system. Option B is wrong because email is not real-time and, during an active intrusion, the mail system itself may be compromised or monitored, so it is not a safe channel for urgent escalation. Option D is wrong because posting on a public forum breaches confidentiality and could tip off the attacker or expose sensitive data, directly contradicting incident response protocols.

26
MCQmedium

After a risk assessment, a security analyst recommends accepting a low-risk finding. The system owner disagrees. Which communication strategy should the analyst use?

A.Escalate the disagreement to the CISO immediately
B.Agree with the system owner and change the recommendation
C.Present the risk assessment data and cost-benefit analysis to justify acceptance
D.Insist that the finding must be mitigated due to policy
AnswerC

Facts help stakeholders understand the decision.

Why this answer

Option C is correct because the security analyst should use data-driven communication to resolve disagreements over risk acceptance. By presenting the risk assessment data and a cost-benefit analysis, the analyst provides objective evidence that the low-risk finding does not warrant mitigation, aligning with the NIST risk management framework's emphasis on informed decision-making. This approach respects the system owner's concerns while justifying the acceptance based on technical and business rationale.

Exam trap

The trap here is that candidates may choose immediate escalation (A) or policy insistence (D) because they confuse risk acceptance with risk avoidance, failing to recognize that data-driven justification is the standard professional approach for resolving such disagreements.

How to eliminate wrong answers

Option A is wrong because immediately escalating to the CISO bypasses collaborative resolution and may be seen as adversarial, which is not the first step in a professional disagreement over a low-risk finding. Option B is wrong because agreeing and changing the recommendation without justification undermines the risk assessment process and could lead to unnecessary resource expenditure or overlooked risks. Option D is wrong because insisting on mitigation due to policy ignores the risk assessment's conclusion that the finding is low-risk, and policy often allows for risk acceptance when justified by data.

27
Multi-Selecthard

A remediation report shows repeated SLA breaches by one business unit. Which recommendations are appropriate? (Choose two.)

Select 2 answers
A.Automatically accept all future risk permanently
B.Review ownership, resourcing, and change-window constraints
C.Hide the business unit from future reports
D.Create an agreed corrective action plan with dates
AnswersB, D

Persistent breaches often reflect operational blockers.

Why this answer

Option B is correct because reviewing ownership, resourcing, and change-window constraints directly addresses the root causes of repeated SLA breaches. SLA breaches often stem from inadequate staffing, misaligned change windows, or unclear ownership of remediation tasks, not from technical failures alone. Option D is correct because an agreed corrective action plan with dates converts the review into accountable commitments that the next report can track. Option A is wrong because blanket, permanent acceptance removes the SLA altogether, and Option C is wrong because hiding the business unit removes the visibility the report exists to provide. This aligns with the reporting and communication domain's emphasis on actionable, root-cause analysis rather than superficial fixes.

Exam trap

Cisco often tests the misconception that hiding or ignoring non-compliant data is an acceptable reporting strategy, when in fact the exam emphasizes transparency and root-cause analysis as the only valid path to remediation.

28
MCQmedium

A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is the SOC manager, which content choice is most appropriate?

A.A report sorted only by scanner plugin ID
B.SLA compliance by severity, asset owner, and business unit
C.A list of all closed tickets with no dates
D.A vendor price comparison
AnswerB

SLA reporting connects remediation timeliness to accountability. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Option B is correct because the vulnerability program needs to demonstrate that critical findings are remediated within policy timelines, which requires a report showing SLA compliance. For a SOC manager, the most appropriate content includes severity, asset owner, and business unit breakdowns, enabling them to track accountability and prioritize remediation efforts across the organization.

Exam trap

Cisco often tests the distinction between a report that merely lists findings (like sorted by plugin ID) versus one that demonstrates compliance with a policy timeline, and candidates may confuse a technical sort with a business-oriented SLA report.

How to eliminate wrong answers

Option A is wrong because sorting by scanner plugin ID only groups findings by technical signature, not by severity or SLA status, so it cannot show whether critical findings are fixed within policy timelines. Option C is wrong because a list of all closed tickets with no dates lacks any temporal context, making it impossible to determine if remediation met policy deadlines. Option D is wrong because a vendor price comparison is irrelevant to vulnerability remediation tracking and SLA compliance reporting.

29
Multi-Selecteasy

Which TWO of the following are key components of an incident communication plan?

Select 2 answers
A.Escalation contact list
B.Pre-approved public statements or scripts
C.Network topology diagrams
D.Encryption keys for secure communications
E.System event logs
AnswersA, B

An escalation contact list ensures the right people are notified based on incident severity.

Why this answer

An incident communication plan must include an escalation contact list (A) to ensure that the right stakeholders—such as the incident response team, legal counsel, and executive management—are notified promptly based on the severity of the incident. Pre-approved public statements or scripts (B) are critical to maintain consistent, accurate, and legally vetted messaging to external parties (e.g., customers, media, regulators) during a crisis, preventing unauthorized disclosures that could worsen the situation.

Exam trap

CompTIA often tests the distinction between operational/forensic artifacts (like network diagrams, logs, or encryption keys) and the structured communication components (contacts and scripts) that are explicitly defined in the incident communication plan, leading candidates to mistakenly include technical tools as part of the plan.

30
MCQmedium

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is executive leadership, which content choice is most appropriate?

A.Only estimated financial loss
B.Only the CVE headline
C.Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
D.Only a red/yellow/green chart
AnswerC

Technical teams need precise, actionable remediation steps and a way to confirm success. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option C is correct because a technical remediation section must provide actionable steps to resolve the vulnerability. This includes identifying affected assets and package versions, specifying patch commands or vendor guidance, outlining a validation method (e.g., checking the OpenSSL version with `openssl version` and the installed package version from the package manager), and including rollback notes to revert changes if the patch fails. One caveat for the validation step: distributions often backport the fix into the existing package without changing the upstream version string, so the package version named in the vendor advisory, not the `openssl version` banner alone, is the reliable check. Without these details, the remediation cannot be executed reliably by the server team.

Exam trap

Cisco often tests the distinction between technical remediation content and executive-level reporting, trapping candidates who confuse the audience (executives) with the content needed for the server team's technical remediation section.

How to eliminate wrong answers

Option A is wrong because estimated financial loss belongs in a risk assessment or business impact analysis, not in the technical remediation section, which focuses on the steps to fix the vulnerability. Option B is wrong because only the CVE headline (e.g., CVE-2022-3786) is insufficient for remediation; it lacks the specific commands, package versions, and validation steps needed to patch OpenSSL on Linux hosts. Option D is wrong because a red/yellow/green chart summarises status for executives but gives the server team nothing to run.
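An added example, not part of the original page, of the validation step the answer describes: it parses `openssl version` banners from a constructed inventory, compares them with the fixed version, and prefers the distribution package version where the advisory names one, because a backported fix does not change the upstream number. The fixed versions, the Ubuntu package string and the host inventory are assumptions for the example; confirm them against the vendor advisory before using the logic in a real runbook.

```python
import re
from typing import Dict, List, Tuple, Union

_TOKENS = re.compile(r"\d+|\D+")
_BANNER = re.compile(r"^OpenSSL\s+(\S+)")


def version_key(version: str) -> List[Tuple[int, Union[int, str]]]:
    """Order versions naturally: digit runs compare as numbers, the rest as text,
    so '3.0.10' > '3.0.9', '1.1.1q' > '1.1.1n' and '3.0.2-0ubuntu1.7' > '3.0.2-0ubuntu1.6'.
    Simplification: dpkg's '~' and epoch rules are not implemented."""
    key: List[Tuple[int, Union[int, str]]] = []
    for tok in _TOKENS.findall(version):
        key.append((1, int(tok)) if tok.isdigit() else (0, tok))
    return key


def is_at_least(installed: str, fixed: str) -> bool:
    return version_key(installed) >= version_key(fixed)


def parse_openssl_banner(banner: str) -> str:
    """'OpenSSL 3.0.2 15 Mar 2022' -> '3.0.2' (first line of `openssl version`)."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised openssl banner: {banner!r}")
    return m.group(1)


def assess_host(host: Dict[str, str], advisory: Dict) -> Dict[str, str]:
    """Decide PATCH/OK for one host. Prefer the distro package version when the advisory
    names a fixed package for that distro: distributions backport fixes without changing
    the upstream number, so the `openssl version` banner alone can be a false positive."""
    upstream = parse_openssl_banner(host["banner"])
    pkg = host.get("package_version")
    fixed_pkg = advisory["fixed_package"].get(host.get("distro", ""))
    if pkg and fixed_pkg:
        basis, installed, fixed = "package", pkg, fixed_pkg
    else:
        basis, installed, fixed = "upstream", upstream, advisory["fixed_upstream"]
    status = "OK" if is_at_least(installed, fixed) else "PATCH"
    return {"host": host["host"], "basis": basis, "installed": installed,
            "required": fixed, "status": status}


def remediation_report(inventory: List[Dict[str, str]], advisory: Dict) -> List[Dict[str, str]]:
    return [assess_host(h, advisory) for h in inventory]


def hosts_needing_patch(report: List[Dict[str, str]]) -> List[str]:
    return [row["host"] for row in report if row["status"] == "PATCH"]


# Assumed advisory data (verify against the vendor advisory before use): upstream fixed
# CVE-2022-3786 in 3.0.7; the Ubuntu 22.04 package version given here is an assumption.
ADVISORY = {
    "cve": "CVE-2022-3786",
    "fixed_upstream": "3.0.7",
    "fixed_package": {"ubuntu-22.04": "3.0.2-0ubuntu1.7"},
}

# Constructed inventory: banner from `openssl version`, package_version from
# `dpkg-query -W -f='${Version}\n' libssl3` (absent for source builds).
INVENTORY = [
    {"host": "web01", "distro": "ubuntu-22.04", "banner": "OpenSSL 3.0.2 15 Mar 2022",
     "package_version": "3.0.2-0ubuntu1.6"},
    {"host": "web02", "distro": "ubuntu-22.04", "banner": "OpenSSL 3.0.2 15 Mar 2022",
     "package_version": "3.0.2-0ubuntu1.7"},
    {"host": "build01", "distro": "source", "banner": "OpenSSL 3.0.5 5 Jul 2022"},
    {"host": "build02", "distro": "source", "banner": "OpenSSL 3.0.7 1 Nov 2022"},
]

if __name__ == "__main__":
    for row in remediation_report(INVENTORY, ADVISORY):
        print("{host:8} {status:5} {basis:8} installed={installed} required={required}".format(**row))
```

The `PATCH` list is the "affected assets" section of the remediation report, and the `installed` value recorded before the change is the rollback target (`apt-get install libssl3=<previous-version>` on Debian-derived hosts). web02 shows why the package basis matters: its banner still says 3.0.2, but the backported package already carries the fix. For production use, `dpkg --compare-versions` or `rpm`'s own comparison is safer than the simplified ordering here, which ignores dpkg's `~` and epoch rules.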

31
MCQmedium

The board asks whether cyber risk is decreasing after a vulnerability-management investment. Which presentation is strongest? If the primary audience is the business service owner, which content choice is most appropriate?

A.A screenshot of every scanner page
B.A raw CSV of 20,000 findings
C.Trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service
D.A list of tool login names
AnswerC

Board reporting should connect investment to measurable risk reduction. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

Option C is correct because it directly addresses the board's question about whether cyber risk is decreasing by presenting a trend in exploitable critical exposures (showing direction of risk), remediation SLA performance (showing operational effectiveness), and residual risk by business service (showing risk remaining after investment). This aligns with the primary audience of business service owners, who need aggregated, risk-focused metrics rather than raw technical data. The use of residual risk by business service ties vulnerability management outcomes to business impact, which is essential for executive decision-making.

Exam trap

Cisco often tests the misconception that more data equals better reporting, but the trap here is that raw technical outputs (scanner screenshots or CSV dumps) fail to communicate risk reduction to a non-technical audience, while trend-based, business-aligned metrics directly answer the board's question.

How to eliminate wrong answers

Option A is wrong because a screenshot of every scanner page provides overwhelming, unaggregated technical detail that obscures risk trends and does not answer whether cyber risk is decreasing; it represents a failure to distill scanner output into actionable business intelligence. Option B is wrong because a raw CSV of 20,000 findings is data, not information: it lacks trend analysis, risk prioritization, and business context, making it impossible for a service owner to assess risk reduction without extensive manual analysis. Option D is wrong because a list of tool login names is administrative detail with no bearing on whether risk is decreasing.

32
MCQmedium

A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?

A.A list of all closed tickets with no dates
B.SLA compliance by severity, asset owner, and business unit
C.A vendor price comparison
D.A report sorted only by scanner plugin ID
AnswerB

SLA reporting connects remediation timeliness to accountability. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

B is correct because SLA compliance by severity, asset owner, and business unit directly maps to the requirement of showing whether critical findings are fixed within policy timelines. This report filters by severity (e.g., critical), includes time-bound metrics (SLA compliance), and can be broken down by asset owner and business unit to demonstrate accountability and policy adherence. For legal/privacy stakeholders, this content provides auditable evidence of remediation timelines, which is essential for regulatory compliance and risk management.

Exam trap

Cisco often tests the misconception that any list of closed tickets is sufficient for compliance reporting, but the trap here is that without date fields and severity-based SLA filtering, you cannot prove policy adherence—candidates overlook the need for time-bound, severity-specific metrics in legal/privacy contexts.

How to eliminate wrong answers

Option A is wrong because a list of all closed tickets with no dates lacks any temporal context, making it impossible to determine whether critical findings were fixed within policy timelines; it provides no SLA compliance or severity filtering. Option C is wrong because a vendor price comparison is irrelevant to vulnerability remediation timelines and policy compliance; it addresses procurement or cost analysis, not security operations or legal/privacy reporting needs. Option D is wrong because sorting by scanner plugin ID groups findings by technical signature, not by severity or deadline, so it cannot show timeliness.

33
MCQeasy

A third-party provider caused an outage during remediation. What should the communication to the vendor focus on? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?

A.Confidential unrelated customer data
B.Internal blame speculation
C.A public press statement draft first
D.Timeline, service impact, evidence, required corrective actions, and contractual follow-up
AnswerD

Vendor communications should be factual and tied to obligations and remediation. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option D is correct because it provides a structured, factual communication that addresses the legal and privacy stakeholder's need for accountability, risk assessment, and contractual compliance. The timeline and evidence establish the sequence of events, service impact quantifies the breach of SLA, required corrective actions demonstrate remediation steps, and contractual follow-up triggers legal review of penalties or liabilities. This approach avoids speculation and focuses on verifiable data, which is critical for legal teams to assess regulatory obligations (e.g., GDPR breach notification timelines) and potential litigation.

Exam trap

CompTIA often tests the misconception that legal stakeholders need immediate public relations content or internal blame assignments, but the trap here is that legal teams require objective, evidence-based data to assess liability and regulatory compliance, not subjective or premature communications.

How to eliminate wrong answers

Option A is wrong because disclosing confidential unrelated customer data would violate data protection laws (e.g., GDPR Article 5) and is irrelevant to the vendor's outage; legal stakeholders need only data directly tied to the incident. Option B is wrong because internal blame speculation is subjective, unverifiable, and could create legal liability or prejudice; legal teams require objective facts, not finger-pointing. Option C is wrong because drafting a public press statement before internal legal review risks premature disclosure, misrepresentation, or admission of fault, which could harm regulatory defense or contractual negotiations.

34
Multi-Selecthard

Which THREE elements are essential components of a comprehensive post-incident report?

Select 3 answers
A.Root cause analysis
B.Timeline of events leading up to and during the incident
C.List of all employee usernames and passwords
D.Budget report for the incident response team
E.Lessons learned and recommendations for improvement
AnswersA, B, E

Identifies underlying issue.

Why this answer

Root cause analysis (RCA) is essential because it identifies the underlying failure, such as a misconfigured firewall rule, an unpatched CVE, or a successful phishing campaign, that allowed the incident to occur. Without RCA, the report would only describe symptoms, not the fundamental weakness that must be addressed to prevent recurrence. A timeline of events (B) is essential because it fixes the sequence of detection, attacker activity, and response actions, from which dwell time, response effectiveness, and regulatory deadlines are later determined. Lessons learned and recommendations (E) turn the analysis into concrete changes to controls, playbooks, and training so the same incident does not recur.

Exam trap

CompTIA often tests the distinction between operational necessities (like budgets or credential lists) and the mandatory technical/analytical components of a post-incident report, trapping candidates who confuse administrative tasks with incident documentation requirements.

35
MCQhard

An incident may involve regulated personal data. Who should be engaged early to determine notification obligations? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?

A.Legal, privacy, and compliance stakeholders
B.Only the graphic design team
C.Only the facilities manager
D.Only the vulnerability scanner vendor
AnswerA

Notification decisions depend on law, contract, data type, jurisdiction, and timing. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

When an incident involves regulated personal data, legal, privacy, and compliance stakeholders must be engaged early because they determine notification obligations under laws such as GDPR, HIPAA, or CCPA. These stakeholders assess the data type, jurisdiction, and breach thresholds to decide if and when to notify regulators and affected individuals. In the context of CS0-003, this aligns with the Reporting and Communication domain, where timely stakeholder involvement is critical for legal compliance and risk mitigation.

Exam trap

Cisco often tests the misconception that only technical teams (e.g., IT or security) handle breach response, but the trap here is that notification obligations are a legal/compliance function, not a technical one, so candidates must recognize the need for legal and privacy stakeholders early.

How to eliminate wrong answers

Option B is wrong because the graphic design team has no role in determining legal notification obligations for data breaches; their focus is on visual assets, not regulatory compliance. Option C is wrong because the facilities manager handles physical security and building operations, not the legal or privacy aspects of personal data incidents. Option D is wrong because the vulnerability scanner vendor provides technical scanning tools but lacks the authority or expertise to interpret data protection laws or define notification requirements.

36
MCQeasy

During a post-incident review, the security team needs to communicate findings to the IT operations team. Which communication method is MOST effective for this audience?

A.A presentation with graphs and trends
B.A detailed technical report including indicators of compromise and remediation procedures
C.An informal email with bullet points and no specific actions
D.A one-page executive summary with risk ratings
AnswerB

Provides the precise information needed by operations.

Why this answer

The IT operations team needs actionable technical details to implement remediation and prevent recurrence. A detailed technical report with indicators of compromise (IoCs) and remediation procedures provides the precise commands, log entries, and configuration changes required for their work, making it the most effective method for this audience.

Exam trap

CompTIA often tests the distinction between audience-appropriate communication formats, and the trap here is that candidates may choose the executive summary (Option D) thinking it's concise, but fail to recognize that the IT operations team requires the full technical depth of a detailed report to perform their duties effectively.

How to eliminate wrong answers

Option A is wrong because a presentation with graphs and trends is more suitable for executive or management briefings, lacking the specific technical details (e.g., file hashes, IP addresses, registry keys) that the IT operations team needs to act. Option C is wrong because an informal email with bullet points and no specific actions omits critical remediation steps and IoCs, leaving the IT operations team without clear guidance on what to do. Option D is wrong because a one-page executive summary with risk ratings is designed for non-technical stakeholders, not for the IT operations team who require in-depth technical data to perform system changes.

37
MCQ · medium

A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is executive leadership, which content choice is most appropriate?

A. SLA compliance by severity, asset owner, and business unit
B. A list of all closed tickets with no dates
C. A vendor price comparison
D. A report sorted only by scanner plugin ID
Answer: A

SLA reporting connects remediation timeliness to accountability. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option A is correct because it directly maps to the requirement of showing whether critical findings are fixed within policy timelines. SLA compliance by severity, asset owner, and business unit provides the necessary metrics to track remediation against defined service-level agreements, which is exactly what a vulnerability programme needs to demonstrate adherence to policy timelines. For executive leadership, this content choice is most appropriate as it offers a high-level, actionable view of compliance status across organizational units without technical noise.

Exam trap

Cisco often tests the misconception that any list of closed tickets is sufficient for compliance reporting, but without date fields or SLA context, such a list is useless for proving policy adherence.

How to eliminate wrong answers

Option B is wrong because a list of all closed tickets with no dates provides no temporal context to assess whether fixes were completed within policy timelines; it fails to show SLA compliance or any measure of timeliness. Option C is wrong because a vendor price comparison is irrelevant to tracking vulnerability remediation timelines or SLA compliance; it addresses procurement concerns, not the operational effectiveness of a vulnerability management programme.

38
MCQ · hard

An incident may involve regulated personal data. Who should be engaged early to determine notification obligations? If the primary audience is executive leadership, which content choice is most appropriate?

A. Only the facilities manager
B. Legal, privacy, and compliance stakeholders
C. Only the vulnerability scanner vendor
D. Only the graphic design team
Answer: B

Notification decisions depend on law, contract, data type, jurisdiction, and timing. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

When an incident involves regulated personal data (e.g., PII, PHI, or GDPR-protected data), legal, privacy, and compliance stakeholders must be engaged early to determine statutory notification obligations. These stakeholders interpret applicable regulations (such as GDPR Article 33, HIPAA Breach Notification Rule, or state breach notification laws) to decide if, when, and how to notify affected parties and regulators. Executive leadership requires a concise summary of legal exposure and required actions, not operational details.

Exam trap

Cisco often tests the misconception that technical teams (like vulnerability scanner vendors) or operational staff (like facilities managers) can handle compliance decisions, when in fact only legal, privacy, and compliance stakeholders have the authority to interpret breach notification laws.

How to eliminate wrong answers

Option A is wrong because the facilities manager has no authority or expertise to evaluate data privacy laws or notification triggers; their role is limited to physical security and building access, not regulatory compliance. Option C is wrong because a vulnerability scanner vendor provides technical scanning tools but lacks legal standing and knowledge of jurisdiction-specific data breach notification requirements; they cannot determine if a breach triggers mandatory reporting under laws like GDPR or CCPA.

39
MCQ · easy

A third-party provider caused an outage during remediation. What should the communication to the vendor focus on? If the primary audience is executive leadership, which content choice is most appropriate?

A. Timeline, service impact, evidence, required corrective actions, and contractual follow-up
B. Internal blame speculation
C. A public press statement draft first
D. Confidential unrelated customer data
Answer: A

Vendor communications should be factual and tied to obligations and remediation. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option A is correct because executive leadership requires a concise, actionable summary that focuses on business impact and remediation steps, not technical details. The communication must include the timeline of the outage, service impact (e.g., affected systems, downtime duration), evidence (e.g., logs, monitoring data), required corrective actions from the vendor, and contractual follow-up (e.g., SLA breach, penalties). This aligns with the NIST Incident Response framework's post-incident activity phase, where clear accountability and remediation are critical for vendor management.

Exam trap

Cisco often tests the distinction between internal operational communication (for technical teams) and executive-level reporting, where candidates mistakenly include technical jargon or blame instead of focusing on business impact and contractual accountability.

How to eliminate wrong answers

Option B is wrong because internal blame speculation is unprofessional, lacks factual basis, and violates incident response best practices (e.g., NIST SP 800-61), which emphasize objective analysis over finger-pointing. Option C is wrong because a public press statement draft is premature and inappropriate for internal communication to executive leadership; it should be developed later with legal and PR teams, not as the primary content for vendor-focused communication.

40
MCQ · hard

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include? If the primary audience is the SOC manager, which content choice is most appropriate?

A. No action because the incident is closed
B. Named owner, due date, acceptance criteria, and retest plan
C. A vague recommendation to improve security
D. Deletion of the integration record
Answer: B

Corrective actions should be accountable and verifiable. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Option B is correct because a failed alert integration represents a gap in detection capability that must be formally remediated. Assigning a named owner ensures accountability, a due date enforces timely resolution, acceptance criteria define what constitutes success, and a retest plan verifies that the fix works. Without these elements, the same failure could recur, leaving the SOC blind to future incidents.

Exam trap

Cisco often tests the misconception that closing an incident means the problem is solved, when in fact post-incident corrective actions must address root causes with measurable, accountable steps to prevent recurrence.

How to eliminate wrong answers

Option A is wrong because closing the incident does not resolve the underlying technical failure; the integration will remain broken, creating a persistent blind spot in monitoring. Option C is wrong because a vague recommendation lacks the specificity needed to implement a fix—no owner, no deadline, and no measurable success criteria means the issue will likely be ignored or forgotten. Option D is wrong because deleting the integration record removes the alert channel entirely, which could violate compliance requirements (e.g., PCI DSS logging mandates) and eliminates any chance of restoring the integration.

41
MCQ · hard

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include? If the primary audience is the legal/privacy stakeholder, which content choice is most appropriate?

A. A vague recommendation to improve security
B. Deletion of the integration record
C. Named owner, due date, acceptance criteria, and retest plan
D. No action because the incident is closed
Answer: C

Corrective actions should be accountable and verifiable. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option C is correct because a post-incident report identifying an unowned failed alert integration requires a corrective action that assigns clear accountability and a measurable remediation plan. Naming an owner, setting a due date, defining acceptance criteria, and scheduling a retest ensure the integration is properly configured and monitored, directly addressing the root cause of the alert failure. This aligns with the NIST Incident Response Lifecycle's post-incident activity phase, which mandates actionable follow-up items to prevent recurrence.

Exam trap

Cisco often tests the concept that corrective actions must be specific, assignable, and verifiable (SMART criteria), and the trap here is that candidates may choose a vague or destructive option (like deletion) instead of recognizing the need for accountable ownership and a measurable fix.

How to eliminate wrong answers

Option A is wrong because a vague recommendation to improve security lacks specificity and does not assign ownership or a measurable plan, making it impossible to verify that the alert integration failure is actually resolved. Option B is wrong because deleting the integration record would remove evidence needed for forensic analysis and compliance, and it does not fix the underlying ownership and configuration issues that caused the alert to fail.

42
MCQ · hard

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include?

A. No action because the incident is closed
B. A vague recommendation to improve security
C. Deletion of the integration record
D. Named owner, due date, acceptance criteria, and retest plan
Answer: D

Corrective actions should be accountable and verifiable.

Why this answer

Option D is correct because a post-incident finding of an unowned alert integration indicates a process gap that must be closed with a named owner, a due date, acceptance criteria, and a retest plan. This ensures accountability, a measurable fix, and verification that the integration is properly configured and monitored, preventing future failures.

Exam trap

Cisco often tests the principle that corrective actions must be specific, measurable, and accountable, so the trap is choosing a vague or dismissive option (like 'no action' or 'vague recommendation') instead of the one that enforces ownership and verification.

How to eliminate wrong answers

Option A is wrong because closing the incident does not resolve the root cause; without corrective action, the failed integration will recur. Option B is wrong because a vague recommendation lacks the specificity needed to assign ownership, set a deadline, or define success criteria, making it unenforceable and unverifiable. Option C is wrong because deleting the integration record removes evidence of the failure and does not address the underlying lack of ownership or configuration issue.

43
MCQ · hard

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is the technical remediation owner, which content choice is most appropriate?

A. Risk owner, reason, compensating controls, review date, and expiry
B. No mention of the accepted risk
C. A permanent exception with no review
D. Only the analyst's personal opinion
Answer: A

Risk acceptance must be accountable, time-bound, and visible. The report should be tuned to the technical remediation owner while preserving factual accuracy.

Why this answer

Option A is correct because when a business owner accepts delayed remediation for a production system, the risk acceptance must be formally documented to maintain an accurate risk register and audit trail. The report must include the risk owner (who accepted the risk), the reason for the delay, any compensating controls in place to mitigate the risk during the delay, a review date to reassess the risk, and an expiry date to ensure the acceptance does not become permanent. This aligns with risk management frameworks like NIST SP 800-37 and ISO 27005, which require explicit documentation of risk acceptance decisions.

Exam trap

Cisco often tests the misconception that risk acceptance can be undocumented or permanent, but the exam requires candidates to recognize that formal documentation with a review date and expiry is mandatory for auditability and compliance with frameworks like PCI DSS or FedRAMP.

How to eliminate wrong answers

Option B is wrong because omitting the accepted risk from the report violates the principle of transparency in risk management; the report must include the risk to ensure all stakeholders are aware of the deferred remediation and its potential impact. Option C is wrong because a permanent exception with no review contradicts the requirement for periodic reassessment; risk acceptance must have a defined expiry and review date to prevent indefinite exposure to unmitigated vulnerabilities.

44
MCQ · easy

The CISO asks whether incident response is improving quarter over quarter. Which metric is most relevant? If the primary audience is the legal/privacy stakeholder, which content choice is most appropriate?

A. Number of unused dashboards
B. Total coffee consumed by analysts
C. Number of desktop wallpapers changed
D. Mean time to detect, mean time to respond, containment time, and recurrence rate
Answer: D

These KPIs show detection and response effectiveness over time. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option D is correct because Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), containment time, and recurrence rate are standard, quantifiable metrics that directly measure the efficiency and effectiveness of an incident response program. These metrics allow the CISO to track improvements quarter over quarter by showing whether the team is detecting and containing incidents faster and with fewer repeat events. For a legal/privacy audience, these metrics are also critical because they demonstrate due diligence, regulatory compliance, and risk reduction in measurable terms.

Exam trap

CompTIA often tests the distinction between operational metrics (like MTTD/MTTR) and irrelevant or distracting metrics (like coffee consumption or wallpaper changes) to see if candidates understand which KPIs are meaningful for incident response improvement and stakeholder reporting.

How to eliminate wrong answers

Option A is wrong because the number of unused dashboards is a metric related to SIEM or monitoring tool utilization, not incident response performance; it does not measure detection speed, response time, or containment effectiveness. Option B is wrong because total coffee consumed by analysts is a non-technical, irrelevant metric that has no bearing on incident response outcomes or legal/privacy reporting requirements. Option C is wrong because the number of desktop wallpapers changed is a trivial endpoint configuration change, completely unrelated to incident response metrics such as detection, response, containment, or recurrence.

45
MCQ · medium

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is the legal/privacy stakeholder, which content choice is most appropriate?

A. Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
B. Only the CVE headline
C. Only a red/yellow/green chart
D. Only estimated financial loss
Answer: A

Technical teams need precise, actionable remediation steps and a way to confirm success. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option A is correct because a technical remediation section for an OpenSSL vulnerability must include affected assets (specific Linux hosts and package versions), the exact patch commands or vendor guidance (e.g., 'yum update openssl' or 'apt-get upgrade openssl'), a validation method (e.g., 'openssl version -a' or running a vulnerability scanner), and rollback notes (e.g., 'yum history undo' or snapshot restoration). For a legal/privacy stakeholder audience, the most appropriate content choice is a red/yellow/green chart (Option C) that summarizes risk posture without overwhelming technical detail, but the question asks for the technical remediation section content, not the stakeholder-appropriate summary.

Exam trap

Cisco often tests the distinction between 'what should be in a technical remediation section' versus 'what is appropriate for a specific audience'; the trap here is that candidates see 'legal/privacy stakeholder' and assume the answer must be a simplified chart, but the question explicitly asks for the technical remediation section content, not the stakeholder-facing summary.

How to eliminate wrong answers

Option B is wrong because including only the CVE headline (e.g., 'CVE-2022-3786') provides no actionable steps for the server team to remediate the vulnerability; it lacks package versions, patch commands, validation, or rollback procedures. Option C is wrong because a red/yellow/green chart is a high-level risk communication tool for non-technical stakeholders, not a technical remediation section; it omits the specific commands, affected assets, and validation steps needed by the server team to fix the OpenSSL flaw.

46
MCQ · medium

A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is the business service owner, which content choice is most appropriate?

A. SLA compliance by severity, asset owner, and business unit
B. A report sorted only by scanner plugin ID
C. A vendor price comparison
D. A list of all closed tickets with no dates
Answer: A

SLA reporting connects remediation timeliness to accountability. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

Option A is correct because an SLA compliance report by severity, asset owner, and business unit directly maps to the requirement of showing whether critical findings are fixed within policy timelines. This report allows the vulnerability program to track remediation against defined service-level agreements (SLAs), and the breakdown by business unit and asset owner provides the business service owner with actionable, ownership-specific data to drive accountability and resource allocation.

Exam trap

Cisco often tests the distinction between technical raw data (e.g., plugin ID sort) and business-oriented, decision-support reports (e.g., SLA compliance by business unit) to see if candidates understand that reporting must be tailored to the audience's role and responsibility.

How to eliminate wrong answers

Option B is wrong because a report sorted only by scanner plugin ID is purely technical and lacks any context of severity, asset ownership, or business unit; it cannot demonstrate compliance with policy timelines or provide the business service owner with the necessary business-level view. Option C is wrong because a vendor price comparison is unrelated to vulnerability remediation timelines or SLA compliance; it addresses procurement decisions, not operational reporting on finding remediation.

47
Multi-Select · hard

A vulnerability dashboard for executives should avoid raw technical overload. Which views are useful? (Choose two.)

Select 2 answers
A. A list of scanner process IDs
B. Unfiltered plugin-output text
C. Critical exposure trend by business service
D. SLA compliance and overdue remediation by owner
Answers: C, D

Trends show whether risk is moving.

Why this answer

Option C is correct because executive dashboards must communicate risk in business terms, not technical raw data. A trend of critical exposures by business service translates vulnerability severity into operational impact, enabling prioritization of remediation resources without requiring technical expertise. This aligns with the Reporting and Communication domain's emphasis on tailoring information to the audience.

Exam trap

Cisco often tests the distinction between raw technical data (useful for analysts) and summarized business-contextual views (useful for executives), trapping candidates who think any vulnerability data is appropriate for all audiences.

48
MCQ · easy

A critical vulnerability affected the customer portal, but no evidence of exploitation was found. What should the executive summary emphasize? If the primary audience is executive leadership, which content choice is most appropriate?

A. Raw packet captures from the scan
B. A list of analyst shift times only
C. Every command the scanner executed
D. Business risk, customer impact assessment, remediation status, and remaining exposure
Answer: D

Executives need business impact and risk posture, not raw technical noise. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option D is correct because executive leadership requires a high-level summary that translates technical findings into business impact. The executive summary should focus on business risk, customer impact assessment, remediation status, and remaining exposure, as these directly inform strategic decisions without overwhelming non-technical stakeholders with raw data.

Exam trap

Cisco often tests the distinction between technical detail and executive-level communication, trapping candidates who think more data (e.g., packet captures or command logs) is always better, when in fact leadership needs concise, risk-focused summaries.

How to eliminate wrong answers

Option A is wrong because raw packet captures are low-level network data that require deep technical analysis and are irrelevant for an executive audience; they belong in a technical report for security analysts. Option B is wrong because a list of analyst shift times provides no insight into the vulnerability, its impact, or remediation, and is operationally irrelevant to the executive summary. Option C is wrong because listing every command the scanner executed is excessive technical detail that does not convey the severity, business risk, or remediation progress, and would confuse rather than inform leadership.

49
MCQ · medium

The board asks whether cyber risk is decreasing after a vulnerability-management investment. Which presentation is strongest? If the primary audience is the technical remediation owner, which content choice is most appropriate?

A. A raw CSV of 20,000 findings
B. A screenshot of every scanner page
C. A list of tool login names
D. Trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service
Answer: D

Board reporting should connect investment to measurable risk reduction. The report should be tuned to the technical remediation owner while preserving factual accuracy.

Why this answer

Option D is correct because it directly answers the board's question about whether cyber risk is decreasing by showing a trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service. This provides a clear, quantitative, and business-aligned view of risk reduction, which is essential for executive reporting. For a technical remediation owner, this content is most appropriate as it focuses on actionable metrics (e.g., SLA compliance, residual risk per service) that directly guide patching and mitigation priorities.

Exam trap

Cisco often tests the distinction between raw data (e.g., CSV, screenshots) and actionable, risk-based reporting; the trap here is that candidates may think providing all raw findings (Option A) is thorough, but it fails to answer the board's specific question about risk reduction and is not tailored for a technical remediation owner's workflow.

How to eliminate wrong answers

Option A is wrong because a raw CSV of 20,000 findings is overwhelming, lacks aggregation, and does not show risk trends or business impact, making it unsuitable for executive decision-making. Option B is wrong because a screenshot of every scanner page is unstructured, non-analytical, and fails to provide a consolidated view of risk reduction or SLA performance. Option C is wrong because a list of tool login names is irrelevant to demonstrating risk reduction and provides no data on vulnerabilities, exposures, or remediation effectiveness.

50
Multi-Select · hard

A third-party supplier needs incident information to fix an integration. What should be shared? (Choose two.)

Select 2 answers
A. Internal blame discussions
B. Credentials for unrelated systems
C. Required remediation outcome and deadline
D. Relevant timeline and technical evidence tied to the integration
Answers: C, D

Clear expectations support accountability.

Why this answer

Option C is correct because sharing the required remediation outcome and deadline ensures the third-party supplier understands the expected fix and urgency, aligning with incident response communication best practices. This enables the supplier to prioritize their work and deliver a solution that meets the organization's security and operational requirements, without exposing unnecessary internal details.

Exam trap

Cisco often tests the principle of 'need-to-know' in incident communication, where candidates mistakenly think sharing all technical details or internal discussions is helpful, but the trap is that only evidence and outcomes tied directly to the affected integration should be shared.

51
Multi-Select · hard

After a data breach incident, a post-incident review team is collecting lessons learned. Which THREE items should be included in the lessons learned documentation?

Select 3 answers
A. Individual performance evaluations of team members
B. Timeline of events during the incident
C. Legal liability of the organization
D. Root cause analysis of the breach
E. Recommendations for process improvements
Answers: B, D, E

A timeline helps understand the sequence of events and identify gaps.

Why this answer

Option B is correct because the timeline of events is a critical component of lessons learned documentation. It provides a chronological sequence of actions, detections, and responses during the incident, which is essential for identifying gaps in detection, delays in response, and opportunities for improvement. Without a precise timeline, the team cannot accurately assess the effectiveness of their incident response procedures or the speed of containment.

Exam trap

CompTIA often tests the distinction between operational improvement items (timeline, root cause, recommendations) and administrative or legal items (performance reviews, liability) to see if candidates understand that lessons learned focus on process, not blame or legal exposure.

52
MCQ · hard

A security analyst needs to share threat intelligence data with a partner organization as part of an information sharing agreement. Which of the following is the most critical consideration before sharing the data?

A. The volume of data being shared
B. The classification level and handling restrictions
C. The data format (e.g., STIX, TAXII)
D. The geographic location of the partner
Answer: B

Proper classification ensures the data is handled appropriately, protecting sensitive information.

Why this answer

The classification level and handling restrictions are the most critical consideration because threat intelligence often contains sensitive information such as indicators of compromise (IOCs) that may be classified or subject to legal handling requirements (e.g., TLP markings). Sharing data without verifying classification could violate security policies, breach confidentiality agreements, or expose critical vulnerabilities to unauthorized parties, undermining the trust and legality of the information-sharing agreement.

Exam trap

CompTIA often tests the misconception that technical interoperability (e.g., STIX/TAXII format) is the primary concern, when in reality classification and handling restrictions are the non-negotiable first step to ensure legal and policy compliance.

How to eliminate wrong answers

Option A is wrong because the volume of data being shared is a logistical concern (e.g., bandwidth or storage), not a security or compliance priority; classification and handling restrictions take precedence regardless of size. Option C is wrong because the data format (e.g., STIX/TAXII) is a technical interoperability choice that facilitates automated sharing but does not address the fundamental requirement to protect sensitive data from unauthorized disclosure. Option D is wrong because the geographic location of the partner is relevant to jurisdictional legal considerations (e.g., GDPR, data sovereignty) but is secondary to ensuring the data's classification and handling restrictions are properly enforced before any sharing occurs.

53
MCQ · medium

The board asks whether cyber risk is decreasing after a vulnerability-management investment. Which presentation is strongest? If the primary audience is the SOC manager, which content choice is most appropriate?

A. Trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service
B. A screenshot of every scanner page
C. A list of tool login names
D. A raw CSV of 20,000 findings
Answer: A

Board reporting should connect investment to measurable risk reduction. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Option A is correct because it directly addresses the board's question about whether cyber risk is decreasing by presenting trend data on exploitable critical exposures, remediation SLA performance, and residual risk by business service. This combination provides a clear, measurable view of risk reduction over time, which is exactly what a SOC manager needs to justify the vulnerability-management investment. The focus on residual risk by business service ties technical findings to business impact, making the data actionable for both technical and executive audiences.

Exam trap

Cisco often tests the misconception that more data (e.g., raw CSV or screenshots) is better for reporting, when in fact the strongest presentation for a SOC manager is a summarized, trend-based view that ties technical metrics to business risk.

How to eliminate wrong answers

Option B is wrong because a screenshot of every scanner page is an overwhelming, unstructured dump of raw scanner output that does not summarize risk trends or provide actionable insights for the board or SOC manager. Option C is wrong because a list of tool login names is irrelevant to demonstrating risk reduction; it is an administrative detail that does not address the board's question about cyber risk. Option D is wrong because a raw CSV of 20,000 findings is too granular and lacks aggregation, trend analysis, or business context, making it impossible for the board or SOC manager to quickly assess whether risk is decreasing.

54
MCQ · hard

An incident may involve regulated personal data. Who should be engaged early to determine notification obligations? If the primary audience is the SOC manager, which content choice is most appropriate?

A. Only the facilities manager
B. Only the vulnerability scanner vendor
C. Only the graphic design team
D. Legal, privacy, and compliance stakeholders
Answer: D

Notification decisions depend on law, contract, data type, jurisdiction, and timing. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

When an incident involves regulated personal data (e.g., PII, PHI, or GDPR-protected data), legal, privacy, and compliance stakeholders must be engaged early to determine notification obligations. These stakeholders interpret breach notification laws (such as HIPAA, GDPR, or CCPA) and advise on required timelines, affected parties, and regulatory reporting. The SOC manager needs this input to ensure the incident response plan aligns with legal mandates, not just technical containment.

Exam trap

Cisco often tests the misconception that technical teams (e.g., vulnerability scanner vendors) or non-IT departments (e.g., facilities) are responsible for legal compliance decisions, when in fact only legal, privacy, and compliance stakeholders have the authority to determine notification obligations.

How to eliminate wrong answers

Option A is wrong because the facilities manager handles physical security and building access, not data privacy regulations or breach notification laws. Option B is wrong because the vulnerability scanner vendor provides technical scanning tools but has no authority or expertise to determine legal notification obligations for regulated data. Option C is wrong because the graphic design team creates visual assets and has no role in incident response or compliance decisions regarding personal data breaches.

55
MCQhard

An analyst views the above SIEM logs from a Linux server. Which of the following attacks is MOST likely occurring?

A.Man-in-the-middle attack intercepting credentials
B.SQL injection through the web application
C.Brute force attack leading to credential compromise and malware installation
D.Denial of service attack against the SSH service
AnswerC

Failed logins then success, then download of suspicious file.

Why this answer

The SIEM logs show repeated failed SSH login attempts from multiple IP addresses, followed by a successful login and then a wget command to download a suspicious file, indicating a brute force attack that succeeded, leading to credential compromise and subsequent malware installation. This pattern matches the typical lifecycle of a brute force attack against SSH services, where an attacker gains access and then stages malware.

Exam trap

CompTIA often tests the distinction between a brute force attack and a denial of service attack by including a successful login event, which eliminates DoS as the answer since DoS does not involve credential compromise or post-exploitation activity.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack intercepting credentials would typically involve ARP spoofing or SSL stripping, not repeated SSH login attempts from diverse IPs followed by a file download. Option B is wrong because SQL injection attacks target web application parameters (e.g., HTTP GET/POST) and would not generate SSH authentication logs or wget commands. Option D is wrong because a denial of service attack against SSH would flood the service with connection requests to exhaust resources, not result in a single successful login and subsequent file download.

56
Matchingmedium

Match each threat intelligence source to its description.

Publicly available information

Sector-specific sharing community

Structured language for cyber threat intelligence

Protocol for exchanging threat intelligence

Open-source threat intelligence platform

Why these pairings

These terms are key to understanding threat intelligence sharing and formats.

57
MCQmedium

Refer to the exhibit. An analyst sees this alert in the SIEM console. What is the best immediate action?

A.Update the Suricata signature to block the traffic.
B.Run a full antivirus scan on destination host 10.0.0.1.
C.Isolate the source host 10.0.0.5 from the network.
D.Escalate the alert to the incident response team.
AnswerD

Escalation ensures proper investigation and containment by the designated team.

Why this answer

Option D is correct because the alert indicates a potential security incident that requires formal escalation to the incident response team for proper triage, analysis, and containment. The SIEM alert likely contains indicators of compromise (IoCs) that need expert investigation before any automated or manual remediation steps are taken, as premature actions could destroy forensic evidence or disrupt legitimate services.

Exam trap

CompTIA often tests the candidate's understanding of the incident response process hierarchy, where the trap is that candidates confuse immediate containment actions (like isolation) with the correct first step of escalation, failing to recognize that analysts must first report and escalate before taking technical actions.

How to eliminate wrong answers

Option A is wrong because updating a Suricata signature to block traffic is a reactive, long-term tuning action that should only be performed after the incident is fully analyzed and confirmed; it does not address the immediate need to investigate the alert. Option B is wrong because running a full antivirus scan on the destination host (10.0.0.1) is a secondary step that may be part of remediation, but it is not the best immediate action—the source host (10.0.0.5) is the likely origin of the threat, and scanning alone cannot stop an active attack. Option C is wrong because isolating the source host (10.0.0.5) from the network is a containment action that should be directed by the incident response team after proper analysis, not taken unilaterally by the analyst without understanding the full context, as it could disrupt business operations or alert the attacker.

58
MCQeasy

The CISO asks whether incident response is improving quarter over quarter. Which metric is most relevant? If the primary audience is the technical remediation owner, which content choice is most appropriate?

A.Total coffee consumed by analysts
B.Mean time to detect, mean time to respond, containment time, and recurrence rate
C.Number of desktop wallpapers changed
D.Number of unused dashboards
AnswerB

These KPIs show detection and response effectiveness over time. The report should be tuned to the technical remediation owner while preserving factual accuracy.

Why this answer

Mean time to detect (MTTD), mean time to respond (MTTR), containment time, and recurrence rate are the standard metrics for measuring incident response effectiveness. These directly quantify how quickly threats are identified, contained, and whether they return, providing clear quarter-over-quarter trend data for the CISO. For a technical remediation owner, these same metrics are actionable, as they pinpoint where to improve detection rules, response playbooks, and patch cycles.

Exam trap

Cisco often tests the distinction between vanity metrics (like coffee consumption or dashboard counts) and operational metrics that directly measure the security team's performance in detection, response, and prevention.

How to eliminate wrong answers

Option A is wrong because total coffee consumed by analysts is a non-technical, irrelevant metric that does not measure any aspect of incident response performance or improvement. Option C is wrong because number of desktop wallpapers changed has no bearing on security operations, detection, or remediation effectiveness. Option D is wrong because number of unused dashboards is a measure of SIEM or reporting hygiene, not a direct indicator of incident response speed, containment, or recurrence.

59
Multi-Selectmedium

A security analyst must prepare a report on a recent intrusion for a technical audience (IT staff and security engineers). Which TWO elements should be included?

Select 2 answers
A.Estimated financial cost of the incident
B.Indicators of compromise (IoCs)
C.Mitigation steps and remediation actions taken
D.Full exploit code used in the attack
E.Executive summary explaining business impact
AnswersB, C

Technical staff need IoCs to detect and block similar threats.

Why this answer

Indicators of Compromise (IoCs) are essential for a technical audience because they provide the forensic artifacts—such as IP addresses, file hashes, registry keys, and domain names—that security engineers need to detect, contain, and eradicate the intrusion. Including IoCs enables the IT staff to update detection signatures, block malicious infrastructure, and perform host-based threat hunting, directly supporting incident response and future prevention.

Exam trap

CompTIA often tests audience-appropriate content, trapping candidates who include business impact or exploit code in a report for a technical audience and overlook that technical staff need actionable forensic data like IoCs and clear remediation steps.

60
MCQeasy

A small business with 50 employees has been hit by ransomware. All files on the file server and local workstations are encrypted, and the ransom note demands $5,000 in Bitcoin for the decryption key. The CEO is panicking and wants to know the impact on operations and how to proceed. The security analyst has been tasked with preparing a report for the CEO. The company does not have cyber insurance, has minimal IT staff, and relies heavily on email and shared drives for daily operations. The analyst has identified that there is a one-week-old backup but is unsure of its integrity. The analyst must consider that the CEO has limited technical knowledge and that the report will form the basis for critical business decisions. The company's reputation and customer trust are at stake. The analyst must balance transparency with clear, actionable guidance. Which of the following is the BEST approach for the analyst to take in communicating with the CEO?

A.Provide a detailed technical timeline of the ransomware infection, including the malware variant and encryption algorithm used.
B.Tell the CEO that the incident is being handled and not to worry, then proceed with recovery without further updates.
C.Summarize the situation in non-technical terms, explain the business impact (e.g., inability to access customer data, potential revenue loss), outline recovery options (e.g., restore from backups or pay ransom with risks), and recommend immediate steps.
D.Immediately contact law enforcement and advise the CEO to wait for their instructions without providing additional information.
AnswerC

Provides clear, actionable information tailored to the CEO's needs.

Why this answer

Summarizing business impact and recovery options in non-technical terms is best for the CEO to make informed decisions.

61
Drag & Dropmedium

Order the steps for proper forensic acquisition of a hard drive.

Why this order

Forensic acquisition requires documentation, write-blocked imaging, hash verification, secure storage, and image hash verification.

62
MCQhard

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is the SOC manager, which content choice is most appropriate?

A.Only the analyst's personal opinion
B.A permanent exception with no review
C.No mention of the accepted risk
D.Risk owner, reason, compensating controls, review date, and expiry
AnswerD

Risk acceptance must be accountable, time-bound, and visible. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Option D is correct because when a business owner accepts delayed remediation for a production system, the report must formally document the risk acceptance. This includes the risk owner, the reason for acceptance, any compensating controls in place, a scheduled review date, and an expiry date for the exception. This ensures traceability, accountability, and that the risk is not forgotten, aligning with governance frameworks like NIST SP 800-37 or ISO 27001.

Exam trap

CompTIA often tests the misconception that risk acceptance can be a one-time, permanent decision without ongoing review, leading candidates to choose Option B, but the correct approach requires a defined expiry and review cycle to maintain accountability.

How to eliminate wrong answers

Option A is wrong because including only the analyst's personal opinion violates the requirement for objective, evidence-based reporting; risk acceptance decisions must be documented with business context, not subjective views. Option B is wrong because a permanent exception with no review bypasses the need for periodic reassessment, which is a key control in risk management frameworks to ensure the risk is still acceptable over time. Option C is wrong because omitting the accepted risk from the report hides critical information from the SOC manager, undermining the purpose of the report to provide full visibility into the system's risk posture.

63
MCQeasy

A security analyst has identified a critical vulnerability in a customer-facing web application. The analyst needs to communicate this to senior management. Which of the following is the best approach for this communication?

A.Send a brief email stating that a critical vulnerability exists and ask management to schedule a meeting.
B.Notify the development team only and have them fix it before informing management.
C.Provide a detailed technical analysis of the vulnerability, including exploit code.
D.Summarize the vulnerability in terms of business risk, potential financial impact, and recommended mitigation timeline.
AnswerD

Summarizing business impact and recommended actions is most effective for management.

Why this answer

Option D is correct because communicating a critical vulnerability to senior management requires translating technical risk into business impact. Security analysts must present findings in terms of potential financial loss, regulatory consequences, and a clear mitigation timeline, enabling informed decision-making without requiring deep technical expertise.

Exam trap

CompTIA often tests the distinction between technical reporting (for engineers) and business-risk communication (for management), trapping candidates who overemphasize technical detail or assume management needs exploit-level information.

How to eliminate wrong answers

Option A is wrong because a brief email with no context fails to convey urgency or actionable details, and asking management to schedule a meeting delays response to a critical vulnerability. Option B is wrong because bypassing management violates incident response protocols and could lead to uncoordinated fixes, legal liability, or non-compliance with disclosure requirements. Option C is wrong because providing exploit code and deep technical analysis to non-technical senior management is inappropriate; it risks information overload and potential misuse, and does not address the business risk they need to evaluate.

64
MCQeasy

A critical vulnerability affected the customer portal, but no evidence of exploitation was found. What should the executive summary emphasize? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?

A.A list of analyst shift times only
B.Every command the scanner executed
C.Business risk, customer impact assessment, remediation status, and remaining exposure
D.Raw packet captures from the scan
AnswerC

Executives need business impact and risk posture, not raw technical noise. The report should be tuned to legal/privacy stakeholders while preserving factual accuracy.

Why this answer

Option C is correct because the executive summary for legal/privacy stakeholders must focus on business risk, customer impact, remediation status, and remaining exposure. Since no exploitation was found, the summary should communicate the potential regulatory and privacy implications (e.g., GDPR, CCPA) and the steps taken to close the vulnerability, not technical details. This aligns with the CS0-003 objective of tailoring communication to the audience's need for risk-based, non-technical summaries.

Exam trap

Cisco often tests the misconception that an executive summary should include all technical findings, but the trap here is that legal/privacy stakeholders require a risk-focused, non-technical summary, not operational or scanner output details.

How to eliminate wrong answers

Option A is wrong because listing analyst shift times is irrelevant to a vulnerability report and provides no value to legal/privacy stakeholders who need risk and compliance context. Option B is wrong because every command the scanner executed is excessive technical detail that would overwhelm non-technical stakeholders and obscure the key message of no exploitation and remediation status.

65
Multi-Selectmedium

An organization is implementing a new security incident response plan and wants to establish clear communication protocols. Which three of the following are essential components of effective incident communication? (Choose three.)

Select 3 answers
A.Defining a single point of contact (POC) for each stakeholder group
B.Using only email for all incident updates to maintain a written record
C.Establishing pre-approved templates for different incident types
D.Including all employees in every incident notification to ensure transparency
E.Creating an escalation matrix with authority levels for decision-making
F.Automatically releasing incident details to the press within one hour

Why this answer

Defining a single point of contact (POC) for each stakeholder group ensures clear, controlled communication and prevents conflicting information. Pre-approved templates for different incident types enable rapid, consistent, and accurate notifications without needing to craft messages from scratch during a crisis. An escalation matrix with authority levels ensures that decisions are made by the appropriate personnel based on incident severity, preventing delays and unauthorized actions.

Exam trap

CompTIA often tests the distinction between 'transparency' and 'controlled communication' — candidates may incorrectly choose 'include all employees' thinking it promotes transparency, but the exam expects role-based, need-to-know notifications to avoid operational chaos.

66
MCQhard

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include? If the primary audience is executive leadership, which content choice is most appropriate?

A.A vague recommendation to improve security
B.Deletion of the integration record
C.Named owner, due date, acceptance criteria, and retest plan
D.No action because the incident is closed
AnswerC

Corrective actions should be accountable and verifiable. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option C is correct because a failed alert integration indicates a gap in accountability and process validation. The corrective action must assign a named owner, set a due date, define acceptance criteria, and include a retest plan to ensure the integration is properly configured and monitored. This aligns with ITIL's change management and incident management practices, where ownership and verification are critical to closing the loop on failed controls.

Exam trap

Cisco often tests the misconception that a vague recommendation or deleting a record is sufficient for corrective action, when in fact the exam emphasizes the need for specific, accountable, and verifiable remediation steps in post-incident reporting.

How to eliminate wrong answers

Option A is wrong because a vague recommendation to improve security lacks specificity and does not address the root cause of the failed integration; it provides no actionable steps for remediation or verification. Option B is wrong because deleting the integration record removes evidence of the failure and does not fix the underlying configuration or ownership issue; it also violates audit trail requirements and could mask recurring problems.

67
Multi-Selectmedium

A vulnerability report is going to system owners. Which elements make it actionable? (Choose three.)

Select 3 answers
A.Only a generic statement that risk exists
B.Affected assets and owners
C.Due dates based on severity or SLA
D.Remediation guidance and validation steps
AnswersB, C, D

Owners need to know what they must fix.

Why this answer

Option B is correct because identifying affected assets and their owners is essential for accountability and remediation. Without this information, system owners cannot determine which systems require patching or configuration changes, making the report non-actionable. This aligns with the NIST SP 800-40 Rev. 4 guidance on vulnerability management, which emphasizes asset ownership as a prerequisite for response.

Exam trap

Cisco often tests the misconception that a vulnerability report is actionable if it merely states risk exists, but without asset ownership and due dates, the report lacks the specificity required for system owners to take concrete steps.

68
MCQeasy

A security dashboard is being designed for the executive team. Which metric is MOST appropriate to display?

A.Current CPU utilization on firewalls
B.Overall risk posture score with trend over time
C.Patch installation status of all endpoints
D.Number of IDS alerts per hour
AnswerB

Provides a concise summary of security health.

Why this answer

The executive team requires a high-level, strategic view of security effectiveness, not granular operational data. The overall risk posture score with trend over time directly communicates the organization's security health and whether it is improving or deteriorating, enabling informed decision-making. This aligns with the Reporting and Communication domain's emphasis on translating technical metrics into business-relevant insights.

Exam trap

CompTIA often tests the distinction between operational metrics (for technical teams) and strategic metrics (for executives); the trap here is that candidates mistake detailed operational metrics like patch status or alert counts for appropriate executive-dashboard content, ignoring the need for aggregated, trended risk visibility.

How to eliminate wrong answers

Option A is wrong because current CPU utilization on firewalls is an operational metric relevant to network engineers for troubleshooting performance issues, not a strategic indicator for executives. Option C is wrong because patch installation status of all endpoints is a detailed, tactical metric that belongs in IT operations or vulnerability management dashboards, not an executive summary. Option D is wrong because the number of IDS alerts per hour is a raw, high-volume data point that lacks context and would overwhelm executives; it requires correlation and analysis to be meaningful.

69
Multi-Selectmedium

When briefing legal and privacy teams after a suspected data exposure, which details matter? (Choose two.)

Select 2 answers
A.Data types and jurisdictions potentially affected
B.A complete list of unrelated server patches
C.Speculation about attacker identity without evidence
D.Timeline of discovery, containment, and known access
AnswersA, D

Notification duties depend on data and jurisdiction.

Why this answer

Data types (e.g., PII, PHI, PCI) and affected jurisdictions determine legal notification obligations under regulations like GDPR, HIPAA, or CCPA. Jurisdictions dictate breach notification timelines and penalties, making this information critical for legal and privacy teams to assess risk and compliance. Without this detail, the response cannot be properly scoped or legally defensible.

Exam trap

Cisco often tests the distinction between operational details (like patch lists) and legally relevant information (data types and jurisdictions), trapping candidates who think all technical details are equally important for legal teams.

70
Multi-Selectmedium

A security analyst needs to communicate the findings of a penetration test to the IT operations team and the CISO. Which three of the following actions best support effective reporting and communication? (Choose three.)

Select 3 answers
A.Customize the level of detail in the report for each audience
B.Include raw command outputs and exploit code in the executive summary
C.Prioritize findings based on risk to the organization's mission
D.Provide actionable remediation steps with ownership assignments
E.Delay the report until all findings are fully verified with no uncertainty
F.Submit the report as a confidential document without any verbal briefing

Why this answer

Customizing the level of detail for each audience ensures that technical teams receive the operational depth they need (e.g., raw findings, exploit paths) while executives get a high-level summary focused on business risk and strategic impact. This aligns with the principle of audience-aware reporting in penetration testing, where the CISO requires risk context and the IT operations team needs actionable technical details.

Exam trap

CompTIA often tests the misconception that including all raw technical data in the executive summary is thorough, when in fact it violates audience-specific communication best practices and can overwhelm non-technical readers.

71
Multi-Selectmedium

A security analyst is preparing a post-incident report for a recent data breach. The report must be tailored for multiple audiences, including executive leadership, legal counsel, and the technical remediation team. Which four of the following best practices should the analyst follow to ensure effective communication and reporting? (Choose four.)

Select 4 answers
A.Including a high-level executive summary with business impact and risk exposure for the C-suite.
B.Providing detailed technical indicators of compromise (IOCs) and remediation steps for the technical team.
C.Including legal hold notices and chain-of-custody documentation for legal counsel.
D.Using a single, standardized report format for all stakeholders to ensure consistency.
E.Omitting the root cause analysis to avoid liability concerns in the legal review.
F.Adding a timeline of events and actions taken for the incident response team.

Why this answer

Including a high-level executive summary with business impact and risk exposure is correct because executive leadership requires a non-technical overview that focuses on financial, legal, and reputational consequences. This aligns with the NIST SP 800-61 Rev. 2 recommendation to tailor incident reports to the audience, ensuring the C-suite can make informed strategic decisions without being bogged down by technical details.

Exam trap

CompTIA often tests the misconception that a single standardized report is efficient, but the trap is that it ignores the distinct information needs of different stakeholders, leading to ineffective communication and potential compliance failures.

72
Multi-Selectmedium

Which items help make a post-incident report useful for technical teams? (Choose two.)

Select 2 answers
A.Generic motivational slogans
B.Unrelated financial forecasts
C.Root cause and exploited control gaps
D.Specific remediation tasks with owners and validation steps
AnswersC, D

Technical teams need to know what failed.

Why this answer

Option C is correct because a post-incident report must include the root cause and exploited control gaps to enable technical teams to implement targeted remediation. Without identifying the specific vulnerability (e.g., unpatched CVE, misconfigured firewall rule, weak authentication mechanism) and the control failure that allowed the exploit, the report lacks actionable intelligence for hardening defenses.

Exam trap

Cisco often tests the misconception that a post-incident report should include broad business or motivational content, but the exam expects candidates to recognize that only technical, actionable details (like root cause and control gaps) are useful for remediation teams.

73
MCQeasy

A critical vulnerability affected the customer portal, but no evidence of exploitation was found. What should the executive summary emphasize? If the primary audience is the SOC manager, which content choice is most appropriate?

A.Business risk, customer impact assessment, remediation status, and remaining exposure
B.Every command the scanner executed
C.Raw packet captures from the scan
D.A list of analyst shift times only
AnswerA

Executives need business impact and risk posture, not raw technical noise. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Option A is correct because an executive summary for a SOC manager must focus on business risk, customer impact, remediation status, and remaining exposure. Since no exploitation was found, the emphasis shifts to the potential impact and the steps taken to mitigate the vulnerability, aligning with the SOC manager's need to communicate risk to leadership and prioritize resources.

Exam trap

Cisco often tests the distinction between technical detail and executive-level reporting, trapping candidates who think raw data or scan logs are appropriate for a summary aimed at a SOC manager who needs actionable risk insights, not raw output.

How to eliminate wrong answers

Option B is wrong because listing every command the scanner executed is too technical and granular for an executive summary; it belongs in a detailed technical report for analysts, not a high-level overview for a SOC manager. Option C is wrong because raw packet captures from the scan are irrelevant to an executive summary; they provide no context on business risk or remediation and are only useful for deep forensic analysis, not for communicating the vulnerability's status to management.

74
MCQeasy

A medium-sized company has experienced a ransomware attack that encrypted critical file servers. The incident response team has contained the outbreak and restored data from backups. The CISO has requested a post-incident report. The report must include a timeline, root cause analysis, lessons learned, and recommendations. The security team is currently overwhelmed with recovery tasks. The CISO wants the report delivered in 24 hours. Which of the following is the BEST course of action for the security analyst assigned to write the report?

A.Wait until all recovery tasks are complete to ensure accurate information
B.Delegate the report writing to a junior analyst while focusing on technical recovery
C.Use the incident response playbook template to draft the report immediately, incorporating available information and noting gaps
D.Request an extension from the CISO due to resource constraints
AnswerC

Allows for a timely draft that can be refined later, meeting the deadline while documenting what is known.

Why this answer

Option C is correct because the CISO needs a timely post-incident report within 24 hours, and using the incident response playbook template allows the analyst to immediately draft the report with available information while noting gaps. This approach balances the urgency of the deadline with the need for structured documentation, even though recovery tasks are ongoing. It ensures that critical findings are captured promptly without waiting for full recovery, which could delay lessons learned and recommendations.

Exam trap

CompTIA often tests the tension between thoroughness and timeliness in incident reporting, and the trap here is that candidates may choose to wait for complete data (Option A) or delegate (Option B) instead of using a structured template to meet the deadline while acknowledging information gaps.

How to eliminate wrong answers

Option A is wrong because waiting until all recovery tasks are complete would likely exceed the 24-hour deadline, delaying the CISO's required report and potentially missing the window for actionable recommendations. Option B is wrong because delegating to a junior analyst without proper oversight could introduce inaccuracies in the timeline, root cause analysis, and lessons learned, especially if the junior lacks incident response experience. Option D is wrong because requesting an extension due to resource constraints may not be feasible given the CISO's explicit deadline, and it fails to leverage available templates and existing data to meet the requirement.

75
MCQeasy

A security analyst is preparing a monthly dashboard for the board of directors. Which metric would best demonstrate the effectiveness of the security program in reducing risk?

A.Number of security incidents detected.
B.Mean time to detect (MTTD) and mean time to respond (MTTR).
C.Percentage of employees who completed security awareness training.
D.Number of firewall rules configured.
AnswerB

These metrics directly reflect the efficiency of detection and response processes.

Why this answer

Mean time to detect (MTTD) and mean time to respond (MTTR) directly quantify the security program's operational efficiency in identifying and containing threats, which reduces the window of exposure and potential damage. A lower MTTD/MTTR indicates faster detection and response, directly correlating with reduced risk from incidents. This makes it the best metric for demonstrating risk reduction effectiveness to the board.

Exam trap

CompTIA often tests the misconception that volume or compliance metrics (like incident count or training completion) directly indicate risk reduction, when in fact operational efficiency metrics (MTTD/MTTR) are the true measure of a security program's effectiveness in minimizing impact.

How to eliminate wrong answers

Option A is wrong because the number of security incidents detected is a volume metric that does not indicate how quickly or effectively incidents are handled; a high number could reflect better detection rather than higher risk, and it provides no insight into response quality. Option C is wrong because the percentage of employees who completed security awareness training is a compliance or training metric that measures awareness, not the operational effectiveness of the security program in detecting and responding to active threats. Option D is wrong because the number of firewall rules configured is a configuration metric that does not measure risk reduction; more rules can increase complexity and attack surface without improving security posture.
