CCNA Security Program Management and Oversight Questions

75 of 211 questions · Page 2/3 · Security Program Management and Oversight

76
MCQ · medium

After several employees clicked on a realistic phishing email, management wants a control that both improves user behavior and gives the security team a way to measure improvement over time. Which approach is best?

A. Send a company-wide reminder not to open suspicious emails
B. Run simulated phishing campaigns with immediate feedback and follow-up training
C. Block all external email messages at the gateway
D. Require employees to change passwords every week
Answer: B

Simulated phishing with feedback and training improves behavior and provides measurable results across multiple campaign rounds.

Why this answer

Simulated phishing campaigns with immediate feedback and follow-up training directly address user behavior by providing a safe, controlled environment where employees can learn to recognize phishing attempts. This approach also gives the security team measurable metrics (e.g., click rates over time) to track improvement, aligning with the goal of both behavioral change and quantifiable assessment.

Exam trap

CompTIA often tests the distinction between a passive administrative communication (a policy reminder) and an awareness control that exercises user behavior and produces measurable outcomes, leading candidates to choose a simple reminder (Option A) instead of a proactive, data-driven approach like simulated phishing.

How to eliminate wrong answers

Option A is wrong because a company-wide reminder is a one-time, passive communication that does not provide measurable data or actively change user behavior through practice and reinforcement. Option C is wrong because blocking all external email is an overly restrictive technical control that disrupts legitimate business communication and does not improve user awareness or provide a metric for behavioral improvement. Option D is wrong because requiring weekly password changes does not address phishing susceptibility, can lead to weaker password practices (e.g., predictable patterns), and provides no direct feedback or measurement of phishing awareness.

77
Multi-Select · hard

The exhibit shows a weekly risk register for a small enterprise. Which three findings should be remediated first based on likelihood of exploitation and business impact? Select three.

Select 3 answers
A. Finding 1, because the customer portal is internet-facing and protects a high-value administrative path.
B. Finding 2, because any default setting should always outrank all other issues automatically.
C. Finding 3, because broad payroll permissions can create both fraud and lateral-movement risk.
D. Finding 4, because a default printer password can be used as an easy foothold on the internal network.
E. Finding 5, because any outdated software should be fixed before higher-impact business systems.
Answers: A, C, D

Internet exposure plus high impact makes this one of the highest-priority risks in the register.

Why this answer

Finding 1 is correct because the customer portal is internet-facing and fronts a high-value administrative path: any remote attacker can reach it, and a successful exploit leads straight to administrative functions, so both likelihood and impact are high. Finding 3 is correct because broad payroll permissions create fraud risk and give a compromised account lateral-movement options inside the network. Finding 4 is correct because a default printer password is a known credential that an intruder can use as an easy foothold on the internal network. Findings 2 and 5 are framed as absolute rules ("any default setting", "any outdated software") rather than as likelihood-and-impact judgements, which is not how a risk register is prioritised.

Exam trap

The trap here is that candidates may assume all default settings or outdated software are equally critical, ignoring the risk assessment matrix that weighs both likelihood and business impact.

78
MCQ · easy

An HR spreadsheet contains employee names, Social Security numbers, and bank account numbers. Which label is most appropriate under a Public, Internal, Confidential, and Restricted scheme?

A. Public, because it is used by the HR department and not shared externally.
B. Internal, because only employees should see it.
C. Confidential, because the information should be kept private but not tightly controlled.
D. Restricted, because it contains highly sensitive personal and financial data.
Answer: D

This is correct because Social Security numbers and bank account numbers are highly sensitive identifiers and financial data. Restricted labels are used for information that needs the strongest handling controls, limited access, and careful sharing rules. If exposed, this data could cause identity theft, fraud, and regulatory issues, so the strictest label is appropriate.

Why this answer

A spreadsheet containing employee names, Social Security numbers, and bank account numbers includes personally identifiable information (PII) and financial account data, which are subject to strict regulatory controls (e.g., GLBA, state breach notification laws, or GDPR for EU-resident employees). Under a Public/Internal/Confidential/Restricted classification scheme, 'Restricted' is the most appropriate label because it denotes the highest level of sensitivity and carries the strictest handling requirements: encryption at rest (e.g., AES-256), least-privilege access limited to the HR staff who need the data, and audit logging of access so that unauthorized disclosure or modification can be detected.

Exam trap

The trap here is that candidates confuse 'Confidential' with 'Restricted' because both imply privacy, but 'Restricted' is the correct label for data that requires the highest level of control, such as government identifiers and financial account numbers, whereas 'Confidential' is used for data that must stay private but does not require the strictest handling, such as internal salary ranges or performance reviews.

How to eliminate wrong answers

Option A is wrong because 'Public' classification means data can be freely shared with anyone, but this spreadsheet contains highly sensitive personal and financial data that must never be exposed externally. Option B is wrong because 'Internal' classification allows access to all employees, but not all employees should have access to Social Security numbers and bank account numbers; this violates the principle of least privilege and could lead to data breaches. Option C is wrong because 'Confidential' typically implies moderate sensitivity with some access controls, but the presence of Social Security numbers and bank account numbers demands the highest level of protection, including mandatory encryption and strict access logging, which aligns with 'Restricted' rather than 'Confidential'.

79
MCQ · medium

A software supplier used by your company is adding a new library to its product and says the change is "internal only." Your security team wants better visibility into future component risks before the next renewal. What requirement would BEST support supply chain due diligence?

A. Require the supplier to provide a marketing summary of its development process.
B. Require an updated software bill of materials and a notification process for material component changes.
C. Ask the supplier to promise that future vulnerabilities will never affect the product.
D. Approve the change if the new library is open source and widely used.
Answer: B

This is the best requirement because it improves transparency and ongoing risk awareness. An updated software bill of materials helps the organization understand what is inside the product, while a formal notification process ensures material changes are communicated before they create surprise exposure. Together, these controls support continuous supply chain due diligence rather than a one-time review at purchase time.

Why this answer

A Software Bill of Materials (SBOM), delivered in a machine-readable format such as SPDX or CycloneDX, provides a detailed inventory of the components in a product and their versions, so the security team can match new libraries against known vulnerabilities. Requiring an updated SBOM plus a notification process for material changes gives proactive visibility into component risk, which is the kind of supplier transparency recommended by NIST SP 800-161 for supply chain risk management.

Exam trap

The trap here is that candidates may think a marketing summary or a promise of no vulnerabilities is sufficient for due diligence, but CompTIA emphasizes that only a verifiable, technical artifact like an SBOM with change notifications provides the visibility required for ongoing risk management.

How to eliminate wrong answers

Option A is wrong because a marketing summary is a high-level, non-technical document that omits specific component details and version information needed for risk assessment. Option C is wrong because no supplier can guarantee zero future vulnerabilities; this is an unrealistic and unenforceable promise that bypasses due diligence. Option D is wrong because open-source and widely used libraries can still contain critical vulnerabilities (e.g., Log4j), and approval without vetting the specific version and its dependencies ignores supply chain risk.
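Worked example (added here; it is not part of the original question set and is not any supplier's tooling): the notification process in Option B only works if the customer can tell what changed between two SBOM deliveries. The Python below diffs two constructed, minimal CycloneDX-style documents and tags the new library as a material change. The Maven artifacts other than `example-pdf-render` are real; that library and its `io.example` group are hypothetical, the JSON carries only the fields this script reads, and the script is an assumption about how a consumer would process the SBOM, not something the page's supplier provides.

```python
"""Added example: detect material component changes between two SBOM snapshots.

Illustrative code written for this page, not the supplier's or any vendor's
tooling. The two SBOMs below are constructed, minimal CycloneDX-style JSON
documents (only components[].name, .version and .purl are used); a real SBOM
carries many more fields.
"""
import json

# Constructed SBOM from the last renewal review.
SBOM_PREVIOUS = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"name": "log4j-core", "version": "2.20.0",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0"},
        {"name": "commons-text", "version": "1.10.0",
         "purl": "pkg:maven/org.apache.commons/commons-text@1.10.0"},
    ],
})

# Constructed SBOM for the release the supplier described as "internal only".
# "example-pdf-render" / io.example is a hypothetical library.
SBOM_CURRENT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "jackson-databind", "version": "2.17.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0"},
        {"name": "log4j-core", "version": "2.20.0",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0"},
        {"name": "example-pdf-render", "version": "0.3.1",
         "purl": "pkg:maven/io.example/example-pdf-render@0.3.1"},
    ],
})


def components_by_name(sbom_json: str) -> dict:
    """Index an SBOM's components as name -> {version, purl}."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return {
        c["name"]: {"version": c.get("version"), "purl": c.get("purl")}
        for c in doc.get("components", [])
    }


def diff_sboms(previous_json: str, current_json: str) -> dict:
    """Return added, removed and version-changed components between two SBOMs."""
    prev = components_by_name(previous_json)
    cur = components_by_name(current_json)
    added = sorted(set(cur) - set(prev))
    removed = sorted(set(prev) - set(cur))
    changed = sorted(
        n for n in set(prev) & set(cur) if prev[n]["version"] != cur[n]["version"]
    )
    return {
        "added": [(n, cur[n]["version"]) for n in added],
        "removed": [(n, prev[n]["version"]) for n in removed],
        "changed": [(n, prev[n]["version"], cur[n]["version"]) for n in changed],
    }


def material_changes(diff: dict) -> list:
    """Changes that should trigger the supplier's notification process.

    Every new third-party component is treated as material; version changes
    and removals are listed with their own tags so the reviewer can triage.
    Looking each purl up in a vulnerability database is the next step, left
    out here so the example runs offline.
    """
    findings = []
    for name, version in diff["added"]:
        findings.append(("NEW_COMPONENT", name, version))
    for name, old, new in diff["changed"]:
        findings.append(("VERSION_CHANGE", name, f"{old} -> {new}"))
    for name, version in diff["removed"]:
        findings.append(("REMOVED", name, version))
    return findings


if __name__ == "__main__":
    for tag, name, detail in material_changes(diff_sboms(SBOM_PREVIOUS, SBOM_CURRENT)):
        print(f"{tag:15} {name:22} {detail}")
```

A real review would also treat a change of licence or of a component's upstream supplier as material, and would follow each `purl` into a vulnerability feed; the diff above is the minimum that lets the renewal conversation start from facts rather than from the phrase "internal only".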

80
MCQ · medium

A security manager is preparing a quarterly report for the board of directors on the effectiveness of the organization's security program. The manager has access to detailed technical data, including firewall log statistics, patch compliance percentages, and number of phishing simulation clicks. Which of the following would be the most appropriate way to present this information to the board?

A. Provide a list of all firewall rule changes made during the quarter.
B. Show a trend chart of the number of security incidents categorized by severity, along with average time to resolve.
C. Include raw logs of the top 10 most frequent alerts from the SIEM.
D. Describe the technical architecture of the intrusion prevention system.
Answer: B

This option provides a high-level, actionable summary that demonstrates the security program's effectiveness. Incident trends by severity and resolution time are key performance indicators that the board can use to assess risk reduction and operational maturity.

Why this answer

Option B is correct because it presents security program effectiveness in a business-relevant format: trend charts of incidents by severity and resolution times directly address risk reduction and operational efficiency, which board members need for strategic oversight. Unlike raw technical data, this aggregated, visualized information enables non-technical stakeholders to assess whether the security program is improving over time.

Exam trap

The trap here is that candidates mistake operational granularity (firewall changes, raw logs) for meaningful board-level metrics, failing to recognize that executives need summarized, trend-based data that ties security activities to business outcomes like risk reduction and efficiency.

How to eliminate wrong answers

Option A is wrong because listing all firewall rule changes provides granular operational detail that is irrelevant for board-level oversight; it does not convey the overall security posture or effectiveness of the program. Option C is wrong because including raw SIEM alert logs overwhelms the audience with unprocessed, high-volume data that lacks context and trend analysis, failing to communicate the program's impact on risk reduction or incident response maturity. Option D is wrong because the technical architecture of the intrusion prevention system describes how one control is built, not whether the program is reducing risk; it is design documentation for engineers, not a performance measure for directors.

81
Multi-Select · easy

A help desk team is writing a procedure for resetting MFA after a user loses a phone. Which two details belong in the procedure rather than in the policy? Select two.

Select 2 answers
A. The exact step-by-step verification process the technician must follow
B. The specific screen clicks or tool used to reset the MFA device
C. A statement that all employees must use MFA to access company systems
D. A general goal of protecting accounts from unauthorized access
E. A broad rule that users should protect company credentials
Answers: A, B

Procedures should describe the specific actions to perform so technicians can follow the same process every time.

Why this answer

Option A is correct because a procedure must contain the exact step-by-step verification process the technician follows to confirm the user's identity before resetting MFA. This operational detail ensures consistency and security, whereas a policy would only state the high-level requirement (e.g., 'verify identity'). Without precise steps, technicians might skip critical checks, leading to unauthorized MFA resets. Option B is correct for the same reason: the specific screens, clicks, or tool used to perform the reset are implementation details that change whenever the tooling changes, so they belong in the procedure, where they can be updated without reopening the policy.

Exam trap

The trap here is confusing policy (broad rules and goals) with procedure (specific, actionable steps), leading candidates to select high-level statements like 'all employees must use MFA' instead of the detailed verification and tool-specific steps that actually belong in a procedure.

82
MCQ · medium

A vulnerability scan identifies four issues across a small company. Which item should the operations team remediate first?

A. A critical flaw on a disconnected training laptop that is used only in the lab
B. A high-severity flaw on an internet-facing customer portal with public exploit code available
C. A medium-severity flaw on an internal print server that stores no sensitive data
D. A low-severity flaw on an archive server scheduled for retirement next month
Answer: B

This is the best choice because risk is driven by both likelihood and impact. An internet-facing system with public exploit code has a much higher chance of being attacked, and a customer portal can affect sensitive data and business operations. Even if another issue has a higher severity label, exposure and active exploitability make this item the most urgent business risk.

Why this answer

Option B is correct because the internet-facing customer portal with a high-severity flaw and public exploit code presents the highest risk to the organization. The combination of high attack surface (exposed to the internet), high severity, and readily available exploit code means an attacker can easily compromise the system, leading to data breach, financial loss, or reputational damage. Remediation prioritization should follow risk-based principles, where likelihood and impact are both high.

Exam trap

The trap here is that candidates often focus solely on the severity score (critical vs. high) without considering the attack surface and exploitability, leading them to pick the critical flaw on the isolated laptop instead of the high-severity flaw on the internet-facing system.

How to eliminate wrong answers

Option A is wrong because the disconnected training laptop has no network path, so the critical flaw cannot be exploited remotely; the residual risk is limited to someone with physical access, or to the day the laptop is reconnected, so the item is deferred (ideally patched before reconnection) rather than ignored. Option C is wrong because a medium-severity flaw on an internal print server that stores no sensitive data has limited impact and a smaller attack surface (internal only), so it does not warrant immediate remediation over an internet-facing high-severity issue. Option D is wrong because a low-severity flaw on an archive server scheduled for retirement next month poses minimal risk, and the server's impending decommissioning means the flaw will be eliminated soon without active remediation.
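Worked example (added here; not part of the original question set and not any scanner's or framework's scoring model): the reasoning in this question and in the risk-register question (77) is a likelihood-times-impact ranking in which exposure and exploit availability drive likelihood and scanner severity is only one input to impact. The Python below encodes that as a small scoring function and runs it over the four findings above. The weights and the data-sensitivity values assigned to each asset are assumptions chosen to make the trade-off visible, not a published standard.

```python
"""Added example: rank findings by likelihood x impact, not by severity label.

Illustrative code written for this page. The weight tables are assumptions;
the four findings are the ones in the question, with assumed data-sensitivity
values for each asset.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}   # scanner label
EXPOSURE = {"internet": 3, "internal": 2, "isolated": 1}       # who can reach it
DATA = {"high": 3, "medium": 2, "none": 1}                     # what a compromise exposes


@dataclass
class Finding:
    fid: str
    asset: str
    severity: str            # key of SEVERITY
    exposure: str            # key of EXPOSURE
    exploit_public: bool     # working exploit code available
    data_sensitivity: str    # key of DATA
    days_to_retirement: Optional[int] = None


def likelihood(f: Finding) -> int:
    """1..4: how reachable the flaw is and how easily it is weaponised."""
    if f.exposure == "isolated":
        return 1  # no network path: public exploit code does not help a remote attacker
    return EXPOSURE[f.exposure] + (1 if f.exploit_public else 0)


def impact(f: Finding) -> int:
    """1..6: technical severity combined with what the asset protects."""
    return SEVERITY[f.severity] + DATA[f.data_sensitivity] - 1


def risk_score(f: Finding) -> float:
    score = likelihood(f) * impact(f)
    if f.days_to_retirement is not None and f.days_to_retirement <= 30:
        score /= 2  # short exposure window: decommissioning removes the flaw
    return score


def prioritise(findings):
    """Highest risk first; ties broken by likelihood, then by finding id."""
    return sorted(findings, key=lambda f: (-risk_score(f), -likelihood(f), f.fid))


# The four findings from the question (data sensitivity per asset is assumed).
FINDINGS = [
    Finding("A", "training laptop (lab, disconnected)", "critical", "isolated", False, "none"),
    Finding("B", "customer portal", "high", "internet", True, "high"),
    Finding("C", "print server", "medium", "internal", False, "none"),
    Finding("D", "archive server (retiring)", "low", "internal", False, "medium",
            days_to_retirement=30),
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"{f.fid}  risk={risk_score(f):>4}  L={likelihood(f)}  I={impact(f)}  "
              f"{f.severity:8} {f.asset}")
```

With these weights the portal scores 20 and every other item scores 4 or less, so the "critical" label on the lab laptop never reaches the top of the list; changing the tables changes the numbers but not the shape of the argument, which is the point of writing the model down where it can be reviewed.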

83
Multi-Select · medium

HR needs to share a copy of employee records with a benefits contractor for testing. The contractor only needs names and coverage selections, not Social Security numbers or bank details. Which two actions best satisfy data handling requirements? Select two.

Select 2 answers
A. Redact or mask unnecessary sensitive fields before sharing the file.
B. Send the full employee record set because the contractor is trusted.
C. Restrict access to the file to approved HR and project staff only.
D. Upload the file to a public collaboration site so the contractor can retrieve it easily.
E. Keep an unrestricted copy on multiple shared drives for convenience.
Answers: A, C

Data minimization is a core handling requirement. Removing SSNs, bank data, and other unnecessary fields reduces privacy risk and limits exposure if the test data is mishandled.

Why this answer

Option A is correct because redacting or masking sensitive fields like Social Security numbers and bank details ensures that the contractor receives only the necessary data (names and coverage selections) while protecting personally identifiable information (PII). This aligns with the principle of data minimization and with regulations such as GDPR or HIPAA, which require that only the minimum necessary data be shared for a specific purpose. Masking techniques such as replacing SSNs with placeholders, or tokenizing them with a keyed hash (HMAC) or a token vault, prevent exposure even if the file is mishandled; a plain unkeyed hash of an SSN is not adequate, because the space of possible SSNs is small enough to recover the value by brute force. Option C is correct because restricting the shared file to approved HR and project staff applies least privilege to the copy that leaves HR's control, so a lost or over-shared file cannot be opened by anyone outside that group.

Exam trap

The trap here is that candidates may assume trust (option B) or convenience (option D or E) justifies sharing full data, but the exam emphasizes that data handling requirements always mandate minimizing exposure and enforcing access controls regardless of trust level.

84
Multi-Select · medium

A business unit asks for a 30-day exception to use an unsupported browser plug-in on two engineering workstations while a replacement is tested. Which three conditions should be required before approval? Select three.

Select 3 answers
A. A documented business justification for why the plug-in is still needed.
B. A defined expiration date and review point before the exception can be extended.
C. A compensating control such as isolating the workstations from the general user network.
D. An open-ended waiver so the team can continue if testing slips.
E. Verbal approval only, with no written record.
Answers: A, B, C

A justified business need shows the exception supports a real operational requirement, not convenience.

Why this answer

Option A is correct because a documented business justification ensures that the exception is necessary and aligns with organizational risk appetite. Without a clear reason, the exception could be granted for convenience rather than critical need, undermining security governance. This justification also provides an audit trail for why an unsupported, potentially vulnerable plug-in is still in use. Option B is correct because a defined expiration date and review point keep the exception temporary: when the 30 days pass, someone must confirm the replacement is in place or consciously re-approve the risk. Option C is correct because isolating the two workstations from the general user network limits what a compromise of the unsupported plug-in can reach while it remains in use. Options D and E fail for the opposite reasons: an open-ended waiver removes the review point, and verbal approval leaves no record for audit.

Exam trap

The trap here is that candidates might think only one or two conditions are sufficient, but CompTIA expects all three—justification, expiration, and compensating controls—to be required for a valid exception approval.

85
MCQ · medium

Based on the exhibit, what is the best governance action before the sales team uses the legacy portal without MFA?

A. Update the policy immediately to allow password-only access for all legacy systems.
B. Create a formal time-bound exception with compensating controls, approval, and an expiration date.
C. Have the help desk approve the request informally in the ticket and proceed without further documentation.
D. Ignore the MFA requirement because the portal is owned by a trusted partner.
Answer: B

A formal exception preserves the existing policy while allowing a documented, limited deviation for business need. It should include a risk owner approval, compensating controls such as stricter monitoring or network restrictions, and a review or expiration date so the exception does not become permanent.

Why this answer

Option B is correct because governance requires that any exception to a security policy (such as bypassing MFA) must be formally documented, approved by management, time-bound, and include compensating controls to mitigate risk. In this scenario, the legacy portal lacks MFA support, so a formal exception with an expiration date ensures the risk is tracked and re-evaluated, rather than permanently weakening security posture.

Exam trap

CompTIA often tests the distinction between an informal workaround and a formal governance process, trapping candidates who think a quick approval or policy change is sufficient without understanding the need for documented risk acceptance and compensating controls.

How to eliminate wrong answers

Option A is wrong because immediately rewriting the policy to allow password-only access for all legacy systems would permanently lower the authentication baseline across every legacy system, instead of handling this one portal with a controlled, temporary exception. Option C is wrong because informal help desk approval without documentation bypasses audit trails and accountability, failing to meet governance requirements for risk acceptance and compliance. Option D is wrong because ignoring the MFA requirement simply because the portal is owned by a trusted partner substitutes trust for verification; partner-owned systems still fall under the organization's access policy, and they are a common path into the organization when the partner is compromised.

86
Multi-Select · hard

An accounts payable specialist receives an email inside an existing vendor thread that asks for a last-minute bank-account change before a payment run. The wording is professional, the signature matches, and the request is urgent. Which three actions should the specialist take? Select three.

Select 3 answers
A. Verify the request through a known out-of-band contact method for the vendor.
B. Pause the payment and require secondary approval before any bank details are updated.
C. Report the message through the security and vendor-validation process.
D. Reply in the same thread because the address and signature look legitimate.
E. Process the change immediately to avoid delaying the vendor relationship.
Answers: A, B, C

Out-of-band verification breaks the attacker’s control of the compromised email thread and confirms the change independently.

Why this answer

Option A is correct because verifying the request through a known out-of-band contact method (e.g., a phone call to a previously documented vendor number, never one taken from the email itself) directly mitigates the risk of business email compromise (BEC). Attackers often hijack or spoof legitimate email threads, so in-band verification (replying within the thread) is unreliable. Option B is correct because pausing the payment and requiring a second approver before bank details change (dual control) means a single deceived employee cannot complete the transfer on their own. Option C is correct because reporting through the security and vendor-validation process lets the organization check whether the vendor's mailbox or the thread itself is compromised and warn other staff who may receive the same request.

Exam trap

The trap here is that candidates assume a professional-looking email with a matching signature is sufficient proof of authenticity, overlooking that BEC attacks can perfectly replicate these details within a compromised thread.

87
MCQ · easy

HR needs to send a benefits contractor a file for testing, but the contractor only needs employee names and plan selections. What is the best action before sharing the file?

A. Send the full file because the contractor is trusted
B. Remove all fields the contractor does not need for the task
C. Post the file to a public collaboration site with a password
D. Rename the file so the contents are harder to identify
Answer: B

Data minimization is the best choice because the contractor should receive only the information required to complete the testing task.

Why this answer

Option B is correct because data minimization is a core security principle: you should only share the minimum necessary data for the task. By removing all fields the contractor does not need (e.g., Social Security numbers, addresses, salary data), you reduce the attack surface and limit exposure of sensitive personally identifiable information (PII) in case of a breach or misuse.

Exam trap

The trap here is that candidates confuse trust with security, assuming a trusted third party eliminates the need for data minimization, when in reality least privilege applies regardless of trust level.

How to eliminate wrong answers

Option A is wrong because trust does not eliminate risk; a trusted contractor could still have a compromised endpoint or accidentally expose the full file, violating the principle of least privilege. Option C is wrong because posting the file to a public collaboration site, even with a password, exposes it to cloud storage risks (e.g., misconfigured permissions, password sharing, or brute-force attacks) and violates data minimization. Option D is wrong because renaming the file does not remove sensitive data; it only obscures the filename, leaving all sensitive fields intact and accessible if the file is opened.
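Worked example (added here; not part of the original question set and not HR or vendor tooling): this question and question 83 both come down to producing a minimised extract before anything leaves HR. The Python below builds that extract from constructed employee records using an allow-list of fields, replaces the employee identifier with a keyed pseudonym so the contractor can still refer to a row in defect reports, and checks the result before release. The record contents, field names and the HR-held key are all constructed for the example; the approach (HMAC rather than a bare hash for the pseudonym) is the author's choice, not something the page prescribes.

```python
"""Added example: build the minimised extract a benefits contractor receives.

Illustrative code written for this page, not HR tooling from any vendor.
The employee records, column names and secret key below are constructed.
"""
import csv
import hashlib
import hmac
import io

# Constructed HR export. Only the first and last three columns are needed
# by the contractor; ssn and bank_account must not leave HR.
EMPLOYEES_CSV = """employee_id,name,ssn,bank_account,plan,coverage_tier
1001,Ada Lovelace,123-45-6789,0011223344,PPO,family
1002,Alan Turing,987-65-4321,5566778899,HMO,individual
1003,Grace Hopper,555-12-3456,9988776655,PPO,individual
"""

# Allow-list: a column reaches the contractor only if it is named here, so a
# sensitive column added to the export later is excluded by default.
ALLOWED_FIELDS = ("name", "plan", "coverage_tier")

# Secret held by HR and never shipped with the extract (constructed value).
HR_TOKEN_KEY = b"constructed-hr-secret-rotate-per-project"


def pseudonym(employee_id: str, key: bytes) -> str:
    """Keyed one-way join key for a row.

    A plain SHA-256 of an SSN or a short employee number is reversible by
    brute force (roughly 10^9 candidate SSNs); HMAC with a key the contractor
    never sees removes that guessable-input problem while staying stable
    across extracts made with the same key.
    """
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(csv_text: str, allowed=ALLOWED_FIELDS, key=HR_TOKEN_KEY) -> list:
    """Return rows holding only the pseudonym plus the allowed fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        out = {"ref": pseudonym(rec["employee_id"], key)}
        out.update({field: rec[field] for field in allowed})
        rows.append(out)
    return rows


def leaked_fields(rows, forbidden=("ssn", "bank_account", "employee_id")) -> set:
    """Pre-release check: which forbidden columns, if any, survived?"""
    return {field for row in rows for field in row if field in forbidden}


def to_csv(rows) -> str:
    """Serialise the extract for delivery."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    extract = minimise(EMPLOYEES_CSV)
    assert not leaked_fields(extract), "refusing to release: sensitive column present"
    print(to_csv(extract))
```

The allow-list is the design decision that matters: a deny-list of "ssn, bank_account" would silently pass a new `salary` column the next time the HR export format changes, whereas the allow-list fails closed. Keep the key with HR, rotate it per engagement, and the same pseudonym cannot be correlated across projects.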

88
MCQ · medium

A development team needs to release a security fix to a customer portal, but the change must not introduce a new outage or bypass review controls. Which practice best supports a secure and repeatable release?

A. Apply the change directly in production so users get the fix immediately
B. Use an approved pipeline with peer review, automated testing, and rollback steps
C. Skip testing because security fixes should always be deployed quickly
D. Let any on-call developer approve and deploy without documentation
Answer: B

An approved pipeline with review, testing, and rollback provides controlled delivery while reducing deployment and recovery risk.

Why this answer

Option B is correct because an approved pipeline with peer review, automated testing, and rollback steps ensures that the security fix is deployed in a controlled, repeatable manner. This approach prevents unauthorized changes, validates the fix through testing, and provides a safety net via rollback, directly meeting the requirement to avoid new outages while keeping review controls in place.

Exam trap

The trap here is that candidates may confuse 'speed' with 'security' and choose direct production deployment (Option A) or skipping testing (Option C), failing to recognize that a controlled pipeline with rollback is the option that meets both the security and reliability requirements at once.

How to eliminate wrong answers

Option A is wrong because applying the change directly in production bypasses all review and testing controls, violating the requirement to avoid outages and maintain oversight. Option C is wrong because skipping testing for security fixes increases the risk of introducing new vulnerabilities or breaking functionality, contradicting the need for a secure and repeatable release. Option D is wrong because allowing any on-call developer to approve and deploy without documentation eliminates peer review and traceability, undermining change management and audit requirements.

89
MCQ · medium

A records manager learns that emails related to a harassment investigation are scheduled for deletion next week under the retention policy. Legal issues a hold because the case may go to court. What should the records manager do?

A. Delete the emails after creating a summary report
B. Archive the emails permanently in the same mailbox
C. Suspend deletion until the legal hold is lifted
D. Anonymize the sender names and keep the messages
Answer: C

A legal hold overrides routine retention schedules, so deletion must stop until the matter is resolved.

Why this answer

A legal hold overrides standard retention policies because it preserves electronically stored information (ESI) that may be relevant to litigation. The records manager must immediately suspend deletion to avoid spoliation, which could result in legal sanctions. This aligns with the eDiscovery process and the duty to preserve evidence once litigation is reasonably anticipated.

Exam trap

CompTIA often tests the distinction between retention policies (which automate deletion based on time) and legal holds (which override those policies to preserve evidence), and the trap here is assuming that a summary report or anonymization satisfies legal preservation requirements when only a full suspension of deletion is acceptable.

How to eliminate wrong answers

Option A is wrong because deleting the emails after creating a summary report destroys the original ESI, which may be required as native evidence in court; a summary is not a substitute for the original messages. Option B is wrong because archiving emails permanently in the same mailbox does not prevent them from being overwritten or altered by normal mailbox operations, and it does not implement a proper legal hold that preserves the data in a forensically sound manner. Option D is wrong because anonymizing sender names alters the evidence, potentially destroying metadata and context needed for the investigation and violating the integrity of the ESI under legal hold requirements.

90
MCQ · medium

A security manager at a healthcare organization is responsible for maintaining the information security policy. A project manager requests a policy exception to use a cloud-based analytics platform that stores patient data. The platform currently encrypts data at rest with AES-128 instead of the required AES-256. The security manager assesses the risk and determines that the likelihood of data exposure is low due to other compensating controls already in place, but the impact would be high. The residual risk is within the organization's risk appetite. Which of the following is the most appropriate action for the security manager to take?

A. Deny the exception and require the project to use an approved platform that meets the AES-256 requirement.
B. Approve the exception and document the compensating controls and a review date.
C. Accept the risk and allow the project to proceed without a formal exception.
D. Escalate the request to the chief information officer for a final decision.
Answer: B

This is correct because a formal exception process with documented compensating controls and a scheduled review ensures that the risk is managed, tracked, and reassessed over time. This aligns with security program management best practices.

Why this answer

Option B is correct because the security manager has assessed the risk, determined that compensating controls reduce the likelihood of data exposure, and confirmed that the residual risk is within the organization's risk appetite. Formally approving the exception with documented compensating controls and a review date ensures governance, accountability, and a timeline for reassessment, which aligns with the policy exception process in security program management.

Exam trap

The trap here is that candidates may assume any deviation from policy must be denied (Option A) or escalated (Option D), failing to recognize that a formal exception process with compensating controls and a review date is the correct risk-based action when residual risk is within appetite.

How to eliminate wrong answers

Option A is wrong because it ignores the risk assessment showing low likelihood and acceptable residual risk; a blanket denial without considering compensating controls is overly rigid and not risk-based. Option C is wrong because accepting the risk without a formal exception bypasses the policy exception process, leaving the deviation undocumented and unmonitored, which violates audit and compliance requirements. Option D is wrong because the security manager has the authority to approve exceptions within the risk appetite; escalating unnecessarily delays the project and abdicates the manager's responsibility for risk decisions.

91
MCQ · easy

A company is considering a new SaaS vendor that will process customer records. What is the best first action before signing the contract?

A. Perform vendor due diligence and review the vendor's security controls
B. Allow the vendor access immediately and monitor for misuse afterward
C. Ask the vendor to send a marketing brochure and pricing sheet only
D. Wait until a security incident occurs before reviewing the vendor
Answer: A

Before onboarding a vendor that will handle sensitive records, the organization should evaluate the vendor's security posture, contractual terms, and control maturity.

Why this answer

Performing vendor due diligence and reviewing the vendor's security controls is the best first action because it proactively assesses the SaaS vendor's ability to protect customer records before any data is shared. This aligns with the principle of 'trust but verify' and ensures that the vendor's security posture meets the company's compliance requirements (e.g., GDPR, HIPAA) and risk tolerance before signing a legally binding contract.

Exam trap

The trap here is that candidates may think 'allowing access immediately and monitoring' is acceptable due to a false sense of security from logging tools, but CompTIA tests that proactive due diligence is mandatory before any data sharing, as monitoring alone cannot prevent contractual or compliance violations.

How to eliminate wrong answers

Option B is wrong because allowing immediate access without prior security review violates the principle of least privilege and exposes customer records to potential data breaches or unauthorized use, with no contractual safeguards in place. Option C is wrong because a marketing brochure and pricing sheet provide no technical or operational details about the vendor's security controls, encryption standards, or incident response capabilities, making it impossible to assess risk. Option D is wrong because waiting for a security incident before reviewing the vendor is a reactive, high-risk approach that could lead to regulatory fines, reputational damage, and legal liability for compromised customer data.

92
Multi-Select · medium

The legal team wants to confirm that customer records are being deleted on schedule after the retention period expires. Which two artifacts best demonstrate compliance? Select two.

Select 2 answers
A. An approved retention schedule or retention policy that defines the deletion period.
B. A folder of employee social media posts about data cleanup.
C. System or audit logs showing the deletion job ran successfully.
D. A list of all printers in the office environment.
E. A draft policy from last year that was never approved.
Answers: A, C

A retention schedule establishes the rule the organization is supposed to follow. Without it, there is no clear basis for deciding when records should be deleted.

Why this answer

Option A is correct because an approved retention schedule or policy is the authoritative document that defines the required deletion period for customer records. It serves as the legal mandate against which compliance is measured. Option C is correct because system or audit logs provide verifiable evidence that the deletion job executed successfully, confirming that the policy was actually followed.

Together, these two artifacts demonstrate both the requirement (policy) and the execution (logs) needed to prove compliance.

Exam trap

The trap here is that candidates may confuse a draft or unapproved policy (Option E) with an approved one, or mistakenly think that informal evidence like social media posts (Option B) can substitute for authoritative documentation and verifiable logs.

93
Multi-Select · hard

After a phishing simulation, many employees still almost entered credentials into a fake login page. Leadership wants the fastest improvement without creating training fatigue or disrupting daily work. Which three measures are the best balance of security and usability? Select three.

Select 3 answers
A. Provide targeted microtraining only to users who clicked or nearly clicked.
B. Add a one-click report-phish button and acknowledge employee reports quickly.
C. Use just-in-time warning banners or link-check prompts when users follow external login pages.
D. Replace email access with a weekly manual approval queue for all messages.
E. Publicly identify the worst performers in team meetings to discourage mistakes.
Answers: A, B, C

Targeted coaching addresses the observed behavior without forcing unnecessary training on the entire workforce.

Why this answer

Option A is correct because targeted microtraining focuses only on the users who demonstrated risky behavior (clicking or nearly clicking), which directly addresses the root cause without wasting time on users who did not engage. This approach avoids training fatigue by keeping content brief and relevant, and it does not disrupt daily work for the majority of employees who already exhibit secure behavior.

Exam trap

The trap here is that candidates may confuse 'fastest improvement' with 'most aggressive technical control' (like option D) or 'public shaming' (like option E), failing to recognize that behavioral change through targeted, low-friction interventions (microtraining, reporting, and just-in-time prompts) yields faster and more sustainable results without alienating users.

94
MCQ · easy

Based on the exhibit, what should the security team recommend before sharing the report?

A. Share the report exactly as requested, because the vendor signed a nondisclosure agreement.
B. Remove unnecessary personal fields and share only the minimum data needed for the analysis.
C. Keep all fields and encrypt the file before sending it to the vendor.
D. Store the report in a shared folder so the vendor can access it later if needed.
Answer: B

This is the correct privacy-by-design response because the vendor only needs department-level trends. The organization should minimize the data shared, especially sensitive or unnecessary fields like home addresses and medical leave codes. Limiting the dataset reduces privacy risk, supports compliance, and follows the principle of collecting and disclosing only what is needed for the stated business purpose.

Why this answer

Option B is correct because the principle of data minimization requires that only the minimum necessary data be shared to fulfill the analysis purpose. Removing unnecessary personal fields reduces the risk of exposing PII and aligns with privacy regulations such as GDPR and HIPAA, even when a nondisclosure agreement (NDA) is in place.

Exam trap

CompTIA often tests the misconception that a signed NDA or encryption alone is sufficient to share sensitive data, when in fact data minimization and least privilege are the primary security controls required.

How to eliminate wrong answers

Option A is wrong because an NDA does not justify sharing all data fields; it only provides a legal framework for confidentiality, not a technical safeguard against data exposure or misuse. Option C is wrong because encrypting the file protects data in transit but does not address the core issue of sharing unnecessary personal fields; encryption alone does not comply with data minimization principles. Option D is wrong because storing the report in a shared folder introduces additional access control risks and does not limit the data shared to only what is needed for analysis, violating the principle of least privilege.

95
MCQ · medium

A company can patch only one of two internet-facing systems this week. System 1 has a critical vulnerability but is reachable only through the corporate VPN during maintenance windows. System 2 has a medium vulnerability and supports the public payment site, which shows active attack traffic every day. Which system should be prioritized first?

A. System 1, because the vulnerability is rated critical
B. System 2, because it is exposed to the public and directly supports a business-critical service
C. Neither system, because both are internet-facing and must wait for the next maintenance cycle
D. System 1, because VPN access always makes a vulnerability more dangerous than a public application issue
Answer: B

System 2 should be patched first because risk depends on both exposure and business impact. A medium issue on a public payment site with active attacks presents a higher real-world risk than a critical issue on a system with narrower access. The payment service is also directly tied to revenue and customer trust, so delaying its remediation would create greater business exposure.

Why this answer

System 2 should be prioritized because it is directly exposed to the public internet and supports a business-critical payment service that is under active attack daily. Even though System 1 has a critical vulnerability, it is only reachable through the corporate VPN during maintenance windows, which significantly reduces its attack surface and exploitability. In risk management, the likelihood of exploitation and business impact often outweigh the CVSS base score alone, making System 2 the higher priority.

Exam trap

The trap here is that candidates fixate on the CVSS critical rating (System 1) and ignore the crucial context of attack surface and active threat, leading them to choose A instead of applying risk-based prioritization.

How to eliminate wrong answers

Option A is wrong because it focuses solely on the CVSS severity rating (critical) without considering the reduced attack surface due to VPN-only access, which lowers the actual risk. Option C is wrong because delaying patching for both systems ignores the immediate threat to the public-facing payment service under active attack, violating the principle of prioritizing based on risk and business impact. Option D is wrong because VPN access does not inherently make a vulnerability more dangerous; in fact, it restricts the attack vector to authenticated users, whereas a public-facing system is exposed to the entire internet, including automated attack traffic.

96
MCQ · medium

After several employees clicked on phishing emails, management wants to reduce future click rates and show measurable improvement across finance, HR, and executive assistants. Which control best meets that goal?

A. Send a one-time company-wide memo reminding users not to click suspicious links.
B. Use role-based security awareness training with phishing simulations and metrics tracking.
C. Disable all external email attachments for every department indefinitely.
D. Require employees to complete annual policy acknowledgment without testing.
Answer: B

Role-based awareness training with phishing simulations is the best fit because it directly targets user behavior and lets the security team measure results. Different job roles face different lures, so tailoring content to finance, HR, and executive assistants improves relevance. Tracking click rates, report rates, and repeat offenders also shows whether the program is working and supports continuous improvement.

Why this answer

Option B is correct because role-based security awareness training with phishing simulations and metrics tracking directly addresses the human factor by tailoring content to specific job roles (finance, HR, executive assistants) and provides measurable improvement through simulation click-rate data. This approach aligns with the NIST SP 800-50 framework for continuous security awareness, enabling management to track reduction in click rates over time.

Exam trap

The trap here is that candidates often choose Option A or D because they equate 'training' with a one-time communication or annual sign-off, failing to recognize that measurable improvement requires simulation, role-specific content, and ongoing metrics tracking as specified in the CompTIA SY0-701 objectives for security awareness programs.

How to eliminate wrong answers

Option A is wrong because a one-time memo lacks reinforcement, metrics, and simulation, so it cannot provide measurable improvement or change long-term behavior. Option C is wrong because disabling all external email attachments for every department indefinitely is overly restrictive, breaks legitimate business workflows (e.g., finance receiving invoices, HR receiving resumes), and does not train users to recognize phishing. Option D is wrong because annual policy acknowledgment without testing or simulation does not measure actual user behavior or reduce click rates; it only confirms policy receipt, not comprehension or application.

97
MCQ · medium

An engineering tool runs on an unsupported operating system, but the tool is used only occasionally and can be replaced by a supported cloud service with little workflow impact. Which risk treatment is best?

A. Accept the risk because the tool is old and still functions
B. Transfer the risk to the cloud provider without making changes
C. Avoid the risk by retiring the unsupported system and replacing it with the supported service
D. Compensate for the risk by adding more user passwords
Answer: C

Avoiding the risk is the best treatment because the organization has a practical replacement that does not significantly disrupt the workflow. Retiring the unsupported system removes the vulnerability source instead of merely reducing exposure. When a lower-risk alternative is available and business impact is manageable, elimination of the risk is often better than accepting or compensating for it.

Why this answer

Option C is correct because the best risk treatment for an unsupported operating system that is only used occasionally and can be replaced with minimal workflow impact is to avoid the risk entirely. By retiring the unsupported system and migrating to the supported cloud service, the organization eliminates the security vulnerabilities and compliance issues associated with the outdated OS. This aligns with the risk avoidance strategy, which is preferred when the cost of mitigation is low and the risk is high.

Exam trap

The trap here is that candidates may treat risk acceptance as a viable option simply because the tool 'still functions,' failing to recognize that unsupported systems pose an active security threat that cannot be safely accepted without compensating controls.

How to eliminate wrong answers

Option A is wrong because accepting the risk for an unsupported operating system ignores the lack of security patches, leaving the system vulnerable to exploits that could compromise the entire network. Option B is wrong because transferring the risk to a cloud provider without making changes implies that the unsupported system remains in place, and risk transfer typically involves insurance or contracts, not simply using a cloud service without migration. Option D is wrong because compensating with more user passwords does not address the core issue of an unsupported OS; password policies cannot patch kernel vulnerabilities or missing security updates.

98
MCQ · medium

A finance application has a known vulnerability in a third-party reporting component. The vendor says a patch will not be available for six months, but the business cannot stop using the application. What is the BEST risk treatment for the organization to pursue next?

A. Avoid the risk by shutting down the finance application immediately.
B. Mitigate the risk by adding compensating controls and tracking residual risk until the patch is available.
C. Transfer the risk by asking the vendor to guarantee that no incident will occur.
D. Accept the risk because any delay in patching is automatically low priority.
Answer: B

This approach reduces the likelihood or impact of exploitation while keeping the business service running. Compensating controls such as increased monitoring, segmentation, additional access restrictions, and temporary workarounds are appropriate when a patch is unavailable. The organization can then document the remaining risk, assign an owner, and revisit the issue when the vendor releases the fix.

Why this answer

Option B is correct because when a known vulnerability exists in a third-party component and patching is delayed, the best risk treatment is to implement compensating controls (such as network segmentation, WAF rules, or input validation) to reduce the likelihood or impact of exploitation. This approach allows the business to continue operations while actively tracking residual risk until the vendor releases the patch. It aligns with the NIST risk management framework, which prioritizes mitigation when avoidance is not feasible.

Exam trap

The trap here is that candidates confuse 'accepting risk' with 'doing nothing,' but in CompTIA's framework, risk acceptance requires a formal decision by management after evaluating the risk level, not an automatic deferral due to a delayed patch.

How to eliminate wrong answers

Option A is wrong because shutting down the finance application immediately would avoid the risk but is not feasible as the business cannot stop using the application, making this an impractical business decision. Option C is wrong because risk transfer requires a third party to accept financial liability (e.g., through insurance or outsourcing), and asking a vendor to 'guarantee no incident' is not a valid risk transfer mechanism—vendors typically do not assume operational risk for unpatched vulnerabilities. Option D is wrong because accepting risk without analysis or compensating controls is negligent; the vulnerability is known and the application is critical, so acceptance should only be considered after a formal risk assessment and only if the residual risk is within the organization's appetite, not automatically due to a delayed patch.

99
Multi-Select · hard

A customer portal team must keep an unsupported Linux appliance online for 60 days while a replacement is built. The appliance processes payment tokens and cannot be patched until the vendor certifies the new image. Which two actions best reduce the residual risk during the 60-day window? Select two.

Select 2 answers
A. Move the appliance onto the flat user VLAN so the team can monitor it with standard workstation tools.
B. Restrict network paths to only the required upstream and downstream systems through firewall allow-lists.
C. Declare the risk fully accepted and make no configuration changes until the replacement is ready.
D. Add compensating controls such as application allow-listing, enhanced logging, and SIEM alerting.
E. Disable logging because the appliance is already at capacity and logs can slow it down.
Answers: B, D

This limits attack surface by allowing only necessary traffic, which directly reduces the likelihood of exploitation.

Why this answer

Option B is correct because restricting network paths to only required upstream and downstream systems via firewall allow-lists reduces the attack surface by limiting the appliance's exposure to unnecessary network traffic. This is a classic network segmentation compensating control that mitigates the risk of lateral movement from an unpatched, vulnerable system. By enforcing strict ingress/egress rules, the team can prevent unauthorized access and contain potential exploits during the 60-day window.

Exam trap

The trap here is that candidates may think 'accepting the risk' (Option C) is the only valid response when a patch cannot be applied, but CompTIA expects you to recognize that compensating controls must still be implemented to reduce residual risk to an acceptable level.

100
MCQ · medium

A records manager discovers 18-month-old paper onboarding forms stored in a cabinet. The retention schedule says the forms must be destroyed after 12 months unless legal hold applies, and no hold has been issued. What is the best next step?

A. Keep the forms indefinitely in case a future audit asks for them.
B. Scan the forms into a shared folder and then throw away the paper.
C. Destroy the forms using an approved secure disposal method and document the action.
D. Return the forms to HR so they can be reused for new hires.
Answer: C

This is correct because the retention period has expired and no legal hold exists, so secure disposal is required.

Why this answer

Option C is correct because the retention schedule explicitly requires destruction after 12 months with no legal hold. An approved secure disposal method (e.g., cross-cut shredding or incineration) ensures the sensitive PII on onboarding forms is irrecoverable, and documenting the action provides an audit trail for compliance with data protection regulations like GDPR or HIPAA.

Exam trap

The trap here is that candidates may choose Option B (scanning) thinking digital preservation is safer, but the question tests the principle that retention schedules mandate destruction—not conversion—and that scanning without secure disposal still leaves the paper intact, violating policy.

How to eliminate wrong answers

Option A is wrong because indefinite retention violates the defined retention schedule and could expose the organization to non-compliance penalties for holding data longer than permitted. Option B is wrong because scanning into a shared folder without access controls or encryption creates a security risk and does not constitute destruction; the paper must still be securely disposed of, and the digital copy may itself require deletion per the schedule. Option D is wrong because reusing forms for new hires would mix old personal data with new, causing data integrity issues and violating privacy principles like data minimization.

101
MCQ · medium

The SOC is writing step-by-step instructions for responding to a suspected malware infection on a laptop. The document should tell analysts exactly what to do first, second, and third during triage and containment. Which governance artifact should they create?

A. Policy, because it states the organization's broad security intent.
B. Procedure, because it gives a repeatable sequence of actions for a specific task.
C. Guideline, because it offers optional advice that analysts may choose to follow.
D. Standard, because it defines the organization's security goals at a high level.
Answer: B

A procedure is the right artifact when the team needs exact, repeatable instructions. In incident response, analysts need a consistent sequence for triage, containment, escalation, and evidence handling so that actions are predictable and auditable. Procedures support operational consistency and reduce confusion during stressful events, which is why they fit this scenario better than policies or guidelines.

Why this answer

A procedure is the correct governance artifact because it provides a detailed, step-by-step sequence of actions for a specific task—in this case, triaging and containing a suspected malware infection on a laptop. Unlike policies or standards, which set high-level intent or goals, a procedure ensures repeatable and consistent execution by analysts during incident response.

Exam trap

Cisco often tests the distinction between high-level governance documents (policies, standards) and operational documents (procedures, guidelines), and the trap here is that candidates confuse a procedure with a guideline because both provide instructions, but a procedure is mandatory and ordered, while a guideline is advisory and flexible.

How to eliminate wrong answers

Option A is wrong because a policy states the organization's broad security intent (e.g., 'All endpoints must be protected from malware'), not the specific step-by-step instructions needed for triage and containment. Option C is wrong because a guideline offers optional advice or best practices that analysts may choose to follow, but the question requires mandatory, ordered steps for a repeatable process. Option D is wrong because a standard defines mandatory security goals or requirements at a high level (e.g., 'All laptops must have antivirus software'), not the precise sequence of actions for a specific incident response task.

102
MCQ · easy

The service desk needs a document that tells analysts exactly how to verify a caller and reset a password for a locked account. Which document type should they use?

A. Policy, because it states the organization's high-level security expectations
B. Guideline, because it offers helpful suggestions that staff may choose to follow
C. Procedure, because it provides exact steps staff must follow in order
D. Standard, because it defines a general topic without operational detail
Answer: C

A procedure is the best choice when staff need a repeatable, detailed sequence of actions for a task such as caller verification and password reset.

Why this answer

A procedure is the correct document type because it provides a step-by-step sequence of actions that staff must follow to complete a specific operational task, such as verifying a caller's identity and resetting a password. Unlike policies or standards, procedures are mandatory and detail the exact commands, verification checks, and escalation paths required to ensure consistent and secure execution of the task.

Exam trap

The trap here is confusing a procedure with a policy or standard, as candidates often think a high-level policy is sufficient for operational tasks, but the exam requires recognizing that procedures are the only document type that mandates exact, ordered steps for a specific task.

How to eliminate wrong answers

Option A is wrong because a policy states high-level security expectations and principles (e.g., 'passwords must be reset securely'), but does not provide the specific steps for verifying a caller or performing the reset. Option B is wrong because a guideline offers suggestions or best practices that staff may choose to follow, not the exact mandatory steps required for a consistent and secure password reset process. Option D is wrong because a standard defines a general topic or baseline requirement (e.g., 'passwords must be at least 8 characters') without the operational detail needed to execute a specific procedure.

103
MCQ · medium

Based on the exhibit, what is the best next step before onboarding the vendor?

A. Approve the vendor because it already passed a penetration test.
B. Require a security addendum with breach-notification timing, subprocessor approval, and audit rights.
C. Ask the vendor to provide source code so developers can review it.
D. Move the workload to an internal shared drive until the vendor is ready.
Answer: B

This is the best action because the exhibit shows governance gaps that should be fixed before onboarding. Contractual controls can enforce notification, oversight, and accountability across the vendor and its subprocessors.

Why this answer

The exhibit indicates the vendor has not yet provided a security addendum, which is a critical contractual document that defines security obligations such as breach-notification timing, subprocessor approval, and audit rights. Without this addendum, the organization lacks enforceable guarantees for data protection and incident response, making onboarding premature. Option B directly addresses this gap by requiring the addendum before proceeding.

Exam trap

The trap here is that candidates may assume a penetration test is sufficient due diligence, overlooking that contractual security terms are legally binding and address ongoing compliance, not just a one-time technical check.

How to eliminate wrong answers

Option A is wrong because passing a penetration test does not replace the need for contractual security terms; a pen test is a point-in-time assessment, not a binding agreement for ongoing compliance. Option C is wrong because requesting source code is impractical and unnecessary for most vendor relationships—developers cannot realistically review proprietary code, and this does not address legal or operational security requirements. Option D is wrong because moving the workload to an internal shared drive introduces data exposure risks and does not resolve the missing vendor security addendum; it bypasses proper governance.

104
Multi-Select · easy

A security manager wants one document that states employees must protect company laptops and another that defines exact required settings such as disk encryption and a 10-minute screen lock. Which two document types are the best fit? Select two.

Select 2 answers
A. Policy
B. Standard
C. Guideline
D. Procedure
E. Exception
Answers: A, B

A policy gives the organization’s high-level rule and management intent, such as requiring employees to protect laptops and company data.

Why this answer

A policy is a high-level statement of management intent, such as requiring employees to protect company laptops. A standard defines mandatory, specific technical settings, like requiring disk encryption (e.g., AES-256) and a 10-minute screen lock timeout. Together, they provide the overarching directive (policy) and the enforceable configuration baseline (standard).

Exam trap

The trap here is confusing 'policy' with 'guideline' or 'procedure'—candidates often pick 'guideline' for the technical settings because they think it's a recommendation, but standards are the only document type that mandates exact technical configurations.

105
Matching · hard

Match each requirement or instruction to the correct governance document type. Use each document type once.


Concepts
Matches

Policy

Standard

Procedure

Guideline

Why these pairings

These matches align with common governance document types in IT security frameworks: policy provides high-level direction, standard sets mandatory rules, procedure gives step-by-step instructions, guideline offers non-mandatory recommendations, baseline defines minimum configurations, and framework provides a structured approach.

106
MCQ · hard

Based on the exhibit, which control option provides the greatest net annual financial benefit for the organization?

A. Option A, because it reduces loss enough to justify the control cost better than the smaller controls.
B. Option B, because its large reduction in annual loss outweighs the higher implementation cost.
C. Option C, because transferring the risk is always cheaper than engineering a technical fix.
D. Option D, because low upfront cost makes it the most economical option regardless of residual loss.
Answer: B

Option B reduces annual loss expectancy from $260,000 to $40,000, creating $220,000 in annual savings before cost. After subtracting the $120,000 control cost, it still delivers the highest net benefit among the choices. Quantitative risk decisions should compare expected loss reduction against implementation cost, and this option provides the strongest financial return.

Why this answer

Option B is correct because it provides the greatest net annual financial benefit. The annual loss reduction of $150,000 minus the annual implementation cost of $75,000 yields a net benefit of $75,000, which is higher than any other option. This demonstrates that a larger upfront investment can be justified when the reduction in annualized loss expectancy (ALE) significantly outweighs the control cost.

Exam trap

The trap here is that candidates often choose the option with the lowest implementation cost (Option D) or the highest loss reduction (Option A) without calculating the net benefit, failing to recognize that the greatest net financial benefit comes from the optimal balance between cost and loss reduction, not from minimizing cost or maximizing reduction alone.

How to eliminate wrong answers

Option A is wrong because although it reduces loss, its net benefit ($50,000 reduction - $25,000 cost = $25,000) is lower than Option B's net benefit of $75,000, so it does not provide the greatest net annual financial benefit. Option C is wrong because transferring risk (e.g., cyber insurance) is not always cheaper; in this scenario, the net benefit of Option C ($100,000 reduction - $60,000 cost = $40,000) is still less than Option B's net benefit, and risk transfer often involves premiums, deductibles, and residual risk that can make it less economical than a technical control. Option D is wrong because low upfront cost does not guarantee the greatest net benefit; its net benefit ($30,000 reduction - $10,000 cost = $20,000) is the lowest among all options, and ignoring residual loss can lead to underestimating long-term financial impact.

107
Multi-Select · hard

A developer requests a 45-day exception to use an unsupported browser plug-in on two engineering workstations so a legacy design tool can finish a customer deliverable. Which three conditions should be required before approving the exception? Select three.

Select 3 answers
A. Document a business justification that explains why the plug-in is required for the deliverable.
B. Convert the exception into a permanent waiver to avoid repeated review overhead.
C. Set a defined end date and require review before the exception expires.
D. Apply compensating controls, such as host isolation, restricted user access, or limiting use to named workstations.
E. Allow the requestor to self-approve the exception if the project deadline is urgent.
Answers: A, C, D

A justified exception must tie the request to a real business need, not convenience or preference.

Why this answer

Option A is correct because documenting a business justification provides a formal record of why the exception is necessary, ensuring that the risk of using an unsupported browser plug-in is understood and accepted by management. This aligns with the principle of risk acceptance, where the business need outweighs the security risk for a limited time. Without a clear justification, the exception could be granted without proper oversight, potentially leading to unchecked vulnerabilities.

Exam trap

The trap here is that candidates may mistakenly think converting an exception to a permanent waiver reduces administrative overhead, but CompTIA emphasizes that exceptions must remain temporary and reviewed, as permanent waivers bypass the risk management process and can lead to unmanaged security gaps.

108
MCQ · easy

The help desk needs a document that tells analysts exactly how to verify a caller, reset a password, and record the ticket when a user is locked out. What type of document is this?

A.Procedure
B.Policy
C.Standard
D.Guideline
AnswerA

A procedure is the right document when staff need exact step-by-step instructions. In this situation, the help desk needs a repeatable process for identity verification, password reset actions, and documentation requirements. Procedures reduce mistakes because they tell employees what to do in sequence rather than leaving the process open to interpretation.

Why this answer

A procedure is the correct type of document because it provides step-by-step instructions for performing a specific task, such as verifying a caller's identity, resetting a password, and recording a ticket. Unlike a policy, which states high-level rules, a procedure details the exact actions to take in a given scenario, making it ideal for help desk operations.

Exam trap

The trap here is that candidates often confuse 'procedure' with 'policy' because both are security documents, but a policy sets the 'what' and 'why' (e.g., 'passwords must be reset securely'), while a procedure defines the 'how' (e.g., 'call the user back at their verified phone number before resetting').

How to eliminate wrong answers

Option B is wrong because a policy defines high-level rules and objectives (e.g., 'passwords must be reset securely') but does not provide the step-by-step instructions needed for the help desk to execute the task. Option C is wrong because a standard specifies mandatory technical requirements or baselines (e.g., 'passwords must be at least 12 characters') but does not describe the process of verification, reset, and ticket recording. Option D is wrong because a guideline offers general advice or best practices (e.g., 'consider using multi-factor authentication') but lacks the precise, mandatory steps required for consistent execution in a help desk workflow.

109
MCQmedium

A project team must share a spreadsheet containing customer names, account numbers, and purchase history with an external auditor. The auditor only needs account numbers and totals. What is the best privacy control?

A.Send the full spreadsheet through regular email to avoid delaying the audit
B.Redact unneeded personal data and transfer only the minimum necessary information through an approved encrypted channel
C.Upload the spreadsheet to a public file-sharing site and protect it with a password
D.Compress the file with a password and reuse the same password for all auditors
AnswerB

This is the best privacy control because it applies data minimization and secure transmission together. The auditor receives only what is needed to complete the review, which reduces exposure of personal information and limits the blast radius if the file is mishandled. Using an approved encrypted channel also helps protect the data in transit and supports governance requirements.

Why this answer

Option B is correct because it applies data minimization and secure transmission together. Redacting the customer names and purchase history ensures only the minimum necessary information (account numbers and totals) leaves the organization, which shrinks the exposure if the file is mishandled. Transferring it over an approved encrypted channel (for example SFTP or a sanctioned managed file transfer service) protects the data in transit, which supports obligations under privacy laws such as GDPR and industry standards such as PCI DSS.

Exam trap

The trap here is that candidates may think password-protecting a file or using a public sharing site is sufficient, but the exam tests the understanding that data minimization and approved encrypted channels are required for privacy compliance, not just any form of access control.

How to eliminate wrong answers

Option A is wrong because sending the full spreadsheet through regular email exposes customer names and purchase history the auditor does not need, and ordinary email offers at best opportunistic TLS in transit and no control over where copies end up. Option C is wrong because a public file-sharing site, even with a password, places the data under a third party's controls; the link may be cached or indexed, the password is the only barrier, and the organization cannot show who accessed the file. Option D is wrong because one password reused across all auditors destroys accountability (no record of who opened what) and cannot be revoked for one auditor without changing it for everyone; legacy ZIP (ZipCrypto) encryption is also weak enough to be recovered offline, and even a stronger AES-based archive does nothing about the shared, reused password.

110
MCQmedium

A development team needs to release an urgent fix for a customer portal on Friday evening. The business wants the change to be reversible if something breaks, and security does not want the team to skip release controls. Which requirement should be part of the change process?

A.Deploy directly to production as soon as the patch compiles successfully.
B.Require a documented test in a lower environment and a rollback plan before production approval.
C.Turn off logging during deployment to avoid filling the disk with change records.
D.Allow the release only if the developer verbally confirms the code is safe.
AnswerB

Testing in a lower environment and documenting a rollback plan are core secure change-management practices. They reduce the chance of introducing an outage and make recovery faster if the fix has unexpected side effects. This approach supports controlled release, accountability, and operational resilience while still allowing urgent changes to move forward in a safe way.

Why this answer

Option B is correct because it enforces a documented test in a lower environment and a rollback plan, which satisfies both the business requirement for reversibility and the security requirement to maintain release controls. This aligns with the change management process in the SY0-701 domain of Security Program Management and Oversight, ensuring that changes are validated before production deployment and can be undone if issues arise.

Exam trap

The trap here is that candidates may think an urgent fix justifies skipping controls (Option A) or that disabling logging is acceptable to avoid disk issues (Option C), but the exam emphasizes that security controls and reversibility must be maintained even for emergency changes.

How to eliminate wrong answers

Option A is wrong because deploying directly to production as soon as the patch compiles skips all release controls, such as testing and approval, which violates security policy and increases the risk of unplanned downtime. Option C is wrong because turning off logging during deployment would disable audit trails and monitoring, making it impossible to detect or investigate security incidents or deployment failures, which contradicts security best practices and compliance requirements. Option D is wrong because a developer's verbal assurance is neither a test result nor an approval record; it leaves no evidence that release controls were applied and gives the business no rollback path if the fix fails.

111
MCQmedium

Based on the exhibit, what is the best next step before the marketing SaaS platform goes live?

A.Proceed only after the business owner formally accepts the remaining risk in writing.
B.Ignore the residual risk because the vendor has a current SOC report.
C.Require the security team to approve the launch verbally so the project does not slow down.
D.Cancel the contract immediately because any medium risk rating is unacceptable.
AnswerA

The exhibit already shows compensating controls and a measured residual risk rating. When the remaining risk is understood and the business impact of delay is significant, the proper next step is a formal acceptance by the appropriate risk owner. That creates accountability and preserves an auditable record of the decision.

Why this answer

The exhibit shows a residual risk rating of 'Medium' after the vendor's SOC report was reviewed. In the SY0-701 risk management framework, the business owner is the risk owner who must formally accept any residual risk before a system goes live, as they are accountable for the business impact. Proceeding without documented acceptance violates the principle of risk acceptance and could lead to unapproved exposure.

Exam trap

The trap here is that candidates assume a vendor SOC report fully transfers risk to the vendor, but CompTIA emphasizes that residual risk always remains and must be formally accepted by the business owner, not just the security team.

How to eliminate wrong answers

Option B is wrong because a SOC report provides independent assurance about the vendor's controls for a past period (or a single point in time, for a Type I report); it does not eliminate the residual risk on the customer's side, which must still be formally accepted by the business owner. Option C is wrong because verbal approval bypasses the required documented risk acceptance process and audit trail, violating governance and compliance requirements. Option D is wrong because a 'Medium' risk rating is not automatically unacceptable; risk acceptance decisions are based on the organization's risk appetite, and cancellation is an extreme response without considering mitigation or acceptance.

112
Multi-Selecteasy

An HR analyst must send a salary file to an external auditor. The auditor only needs names, departments, and salary totals, not Social Security numbers or bank account details. Which two actions should the analyst take first? Select two.

Select 2 answers
A.Remove unnecessary sensitive fields before sharing
B.Use an approved encrypted transfer method
C.Upload the file to a public link and send the URL by email
D.Rename the file to a less obvious name and send it normally
E.Save the file locally on a USB drive and hand-deliver it
AnswersA, B

Data minimization reduces exposure by ensuring the auditor receives only the information needed for the stated business purpose.

Why this answer

Option A is correct because removing unnecessary sensitive fields (like Social Security numbers and bank account details) before sharing the file reduces the risk of exposing personally identifiable information (PII) and aligns with the principle of data minimization. This step ensures that only the required data (names, departments, salary totals) is transmitted, which is a foundational security control before any data transfer occurs.

Exam trap

The trap here is that candidates may think renaming a file (Option D) or using a USB drive (Option E) provides sufficient security, when in fact these methods lack encryption and proper access controls, which are essential for protecting sensitive data in transit.

113
Matchinghard

Match each procurement or oversight need to the best vendor due diligence artifact or clause. Use each item once.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

SOC 2 Type II report

Data processing agreement (DPA)

Software bill of materials (SBOM)

Right-to-audit clause

Disaster recovery test report

Why these pairings

Each artifact answers a different oversight need: a SOC 2 Type II report gives independent assurance that the vendor's controls operated effectively over a review period; a data processing agreement (DPA) sets the contractual rules for how the vendor handles the customer's personal data; a software bill of materials (SBOM) lists the components in the vendor's software so the customer can track supply-chain vulnerabilities; a right-to-audit clause lets the customer verify the vendor's controls directly; and a disaster recovery test report evidences that the vendor can actually restore service after an outage.

114
MCQeasy

A legacy production scanner cannot support MFA, but it must remain available for six months until replacement hardware arrives. What is the best security response?

A.Permanently waive MFA for the scanner and leave the exception open-ended.
B.Approve a time-bound exception with compensating controls and a review date.
C.Shut down the scanner immediately until MFA can be enabled.
D.Create a shared administrator account so operators can sign in more easily.
AnswerB

A time-bound exception allows the business to keep operating while security reduces risk through other controls such as network restriction, monitoring, or limited access. Adding a review date keeps the exception temporary and accountable, which is the best governance practice.

Why this answer

Option B is correct because it balances security with operational necessity by implementing a time-bound exception with compensating controls (e.g., network segmentation, strict access logging, or IP allowlisting) and a mandatory review date. This keeps the legacy scanner available for six months while reducing the likelihood and impact of unauthorized access, which is the risk-managed response expected in security program oversight.

Exam trap

The trap here is that candidates may choose Option C (immediate shutdown) thinking it is the only secure choice, but the question explicitly states the scanner must remain available, making a risk-accepted, time-bound exception with compensating controls the correct security program management response.

How to eliminate wrong answers

Option A is wrong because permanently waiving MFA for the scanner leaves an open-ended exception with no expiration or review, violating security policy and increasing long-term risk. Option C is wrong because immediately shutting down the scanner disrupts production operations unnecessarily, as a time-bound exception with compensating controls can safely bridge the six-month gap. Option D is wrong because creating a shared administrator account bypasses accountability and audit trails, directly contradicting MFA's purpose of ensuring non-repudiation and secure authentication.

115
MCQhard

Based on the exhibit, which artifact is the strongest evidence that the firewall change was reviewed and approved before implementation?

A.The engineer's post-implementation email, because it confirms someone checked the change.
B.The firewall logs, because they show the rule was applied successfully on the device.
C.The change request record with CAB approval timestamp and implementation time.
D.The vendor's maintenance notice, because it explains why the rule was needed.
AnswerC

This is the best evidence because it shows formal review and approval occurred before the change was implemented. Auditors want controlled, time-stamped proof of authorization, not just technical confirmation that the firewall rule changed or an informal email afterward. The change record directly supports compliance with change management requirements.

Why this answer

Option C is correct because the change request record with a CAB approval timestamp and implementation time provides a clear, auditable trail that the firewall change was formally reviewed and authorized by the Change Advisory Board before it was executed. This aligns with the change management process required for security program oversight, ensuring that changes are not implemented without proper governance.

Exam trap

The trap here is that candidates often confuse post-implementation verification (Option A) or technical success logs (Option B) with the governance requirement for pre-approval, which is the core of change management oversight.

How to eliminate wrong answers

Option A is wrong because a post-implementation email only confirms that someone checked the change after it was made, not that it was reviewed and approved before implementation. Option B is wrong because firewall logs show the rule was applied successfully on the device, but they do not provide any evidence of pre-approval or review by a change board. Option D is wrong because a vendor's maintenance notice explains the technical need for the rule but does not document any internal review or approval process.

116
MCQmedium

A project team needs to use an unapproved file-sharing application for two weeks because the approved platform cannot support an external client collaboration feature. What is the best security action?

A.Deny the request permanently and avoid discussing the business need
B.Approve a documented temporary exception with compensating controls and a review date
C.Immediately rewrite the policy so all users may use the unapproved application
D.Ask the team to create a detailed step-by-step procedure for using the application
AnswerB

A temporary exception is the best choice when a business need exists and the risk can be managed. Document the reason, identify compensating controls such as encryption or restricted access, assign an owner, and set an expiration date. That approach preserves governance, keeps the risk visible, and avoids turning a temporary deviation into an indefinite shadow process.

Why this answer

Option B is correct because it follows the principle of risk acceptance through a formal exception process. By documenting a temporary exception with compensating controls (e.g., data encryption, access logging, and usage monitoring) and setting a review date, the organization maintains security oversight while addressing the legitimate business need. This approach aligns with the SY0-701 domain of Security Program Management, which emphasizes balancing security with operational requirements through managed risk.

Exam trap

The trap here is that candidates may choose Option D, thinking that a detailed procedure mitigates risk, but CompTIA tests the understanding that procedures without compensating controls do not reduce the inherent risk of using an unapproved application.

How to eliminate wrong answers

Option A is wrong because it ignores the business need entirely, which tends to produce shadow IT or unauthorized workarounds that bypass security controls. Option C is wrong because immediately rewriting policy for a temporary, isolated need creates unnecessary risk exposure for all users and violates change management principles. Option D is wrong because a detailed procedure does not address the underlying security risk of using an unapproved application; it only documents how to use it unsafely.

117
MCQmedium

Several employees reported a text message that looked like it came from the VPN support team and linked to a fake sign-in page. Management wants to reduce future success of these attacks and improve how quickly users report suspicious messages. What should the security team implement?

A.Send one annual lecture to all staff and close the ticket
B.Run role-based smishing simulations and provide a simple reporting workflow
C.Disable text messaging for every employee mobile device
D.Require managers to approve every external message before users open it
AnswerB

Simulations plus an easy reporting path build recognition habits and give the team measurable improvement data.

Why this answer

Option B is correct because smishing simulations train users to recognize phishing SMS attacks in a controlled environment, directly reducing susceptibility. A simple reporting workflow (e.g., a dedicated email address or button in the messaging app) lowers the friction for users to report suspicious messages, enabling faster incident response. This combination addresses both the reduction of attack success and the improvement of reporting speed.

Exam trap

The trap here is that candidates may choose Option C (disable text messaging) because it seems like a definitive technical control, but the question specifically asks to reduce future success and improve reporting speed, which requires user training and a streamlined reporting process, not a blanket ban that breaks business functionality.

How to eliminate wrong answers

Option A is wrong because a single annual lecture provides no ongoing reinforcement or practical testing, and closing the ticket without further action leaves the organization vulnerable to evolving smishing tactics. Option C is wrong because disabling text messaging for all employees is impractical and would disrupt legitimate business communications, removing functionality the business depends on without teaching anyone to recognize the attack. Option D is wrong because requiring managers to approve every external message before users open it creates an unsustainable bottleneck, delays response, and does not scale; it also fails to address the root cause of user susceptibility to social engineering.

118
Matchinghard

Match each risk-register description to the correct risk term. Use each term once.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Likelihood

Impact

Inherent risk

Residual risk

Risk appetite

Why these pairings

Each term is paired with its standard definition from risk management frameworks: likelihood and impact are the two factors that produce a risk rating, inherent risk is the level before any controls are applied, residual risk is what remains after controls, and risk appetite is the amount of residual risk leadership is willing to carry.

119
MCQmedium

Based on the exhibit, which contract change would most directly reduce the organization's third-party response risk?

A.Add a breach notification timeframe and a right-to-review assurance clause in the contract.
B.Ask the vendor to provide a color logo and updated marketing brochure for the pilot.
C.Allow the vendor to start first and decide later whether to add security terms.
D.Replace the pilot with a purely internal spreadsheet process to avoid any contract review.
AnswerA

These clauses directly improve the organization's ability to respond if the vendor is compromised. Notification timing reduces delay in containment and response, while assurance review rights support ongoing third-party oversight and risk evaluation.

Why this answer

Adding a breach notification timeframe and a right-to-review assurance clause directly reduces third-party response risk by ensuring the vendor must promptly report security incidents and allow the organization to audit their security posture. This contractual change enforces accountability and timely action, which is critical for minimizing the impact of a breach originating from the third party.

Exam trap

The trap here is that candidates may confuse operational or marketing changes (like logos or starting without terms) with actual risk-reducing security controls, or they may think avoiding the third party entirely is the only safe option, missing that contractual security clauses are the standard way to manage third-party risk.

How to eliminate wrong answers

Option B is wrong because requesting a color logo and updated marketing brochure is a branding or marketing request, not a security control, and does nothing to address third-party response risk. Option C is wrong because allowing the vendor to start first and decide later whether to add security terms eliminates any contractual leverage, leaving the organization exposed to unmitigated risks during the pilot. Option D is wrong because replacing the pilot with a purely internal spreadsheet process avoids the contract review but also abandons the business need for the third-party service, which is not a practical risk reduction strategy and may introduce other operational risks.

120
Matchingmedium

Match each business scenario to the most appropriate risk treatment. 1. A legacy reporting server is expensive to replace, and leadership is willing to monitor the low expected loss for now. 2. A public web portal is being hit by credential stuffing, so the team adds MFA and rate limiting. 3. The organization wants protection from a costly third-party outage by purchasing cyber insurance. 4. A proposed project would collect regulated data that the business has decided not to process at all.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Accept

Mitigate

Transfer

Avoid

Why these pairings

Risk acceptance acknowledges the risk and monitors it without further action; mitigation reduces risk via controls; transfer shifts the financial consequence to a third party such as an insurer; avoidance eliminates the risk by not performing the activity. "Reduction" and "sharing" are alternate names for mitigation and transfer, respectively, not separate treatments.

121
MCQhard

Based on the exhibit, what is the best next step before the hotfix is released?

A.Deploy immediately because the issue is customer-facing and urgent.
B.Close the ticket after deployment and create a postmortem if users complain.
C.Ask support to warn users that sign-in may fail during the next hour.
D.Pause release until the change is formally approved, tested, and has a documented rollback path.
AnswerD

The exhibit shows multiple process gaps: skipped tests, unresolved integration test failure, no documented rollback plan, and only verbal approval. Even an emergency fix should follow an emergency change process with documented authorization and enough validation to reduce the chance of making the outage worse. The safest next step is to complete the required change controls before production deployment.

Why this answer

Option D is correct because releasing a hotfix without formal approval, testing, and a documented rollback path violates the change management policy required by security program management. Even for urgent customer-facing issues, skipping these steps risks introducing new vulnerabilities or breaking other systems, which could lead to a larger outage. The exhibit indicates a need for controlled change processes, so pausing until the change is properly vetted ensures stability and security.

Exam trap

The trap here is that candidates may prioritize speed over security, assuming that a customer-facing issue justifies skipping change management, but the exam emphasizes that formal approval and testing are non-negotiable even for urgent fixes.

How to eliminate wrong answers

Option A is wrong because deploying immediately without testing or approval bypasses change management controls, potentially causing unintended side effects or security gaps. Option B is wrong because closing the ticket after deployment and only creating a postmortem if users complain ignores proactive risk management and fails to document the change properly, which is a key oversight in security program management. Option C is wrong because asking support to warn users is a temporary workaround that does not address the root cause or ensure the fix is safe; it also lacks the formal approval and testing required for a hotfix.

122
Drag & Dropmedium

Drag and drop the steps to perform a password reset for a user in Active Directory into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Password reset in AD is done via Active Directory Users and Computers (ADUC); the administrator must hold the delegated reset-password right on the target user, and it is good practice to force a password change at next logon so the temporary password is short-lived.
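As an added example, not part of the original page, the same steps scripted with the ActiveDirectory PowerShell module (RSAT) instead of clicking through ADUC. It also mirrors the help-desk procedure from question 108: verify the caller, unlock, reset, force a change at next logon, record the ticket. The `Reset-LockedOutUser` function name, the `-TicketId` and `-VerifiedBy` parameters, and the log path are assumptions about a help-desk workflow, not anything the page specifies.

```powershell
# Added example (not from the original page): a help-desk style AD password reset
# that follows the procedure described above. Requires the ActiveDirectory module
# (RSAT) and delegated reset-password rights on the target user.
#Requires -Modules ActiveDirectory

function New-TemporaryPassword {
    # Cryptographically random temporary password. Rejection sampling avoids
    # modulo bias because 256 is not a multiple of the alphabet length.
    param([int]$Length = 16)
    $alphabet = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@')
    $limit = [int]([math]::Floor(256 / $alphabet.Length) * $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Reset-LockedOutUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketId,    # assumed: help-desk ticket reference
        [Parameter(Mandatory)][string]$VerifiedBy,  # assumed: how the caller's identity was verified
        [string]$LogPath = "$env:ProgramData\HelpDesk\password-resets.log"  # assumed log location
    )

    # Step 1: refuse to continue unless the analyst has recorded identity verification.
    if ([string]::IsNullOrWhiteSpace($VerifiedBy)) { throw 'Caller identity must be verified before a reset.' }

    # Step 2: confirm the account exists and inspect its state.
    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut, Enabled
    if (-not $user.Enabled) { throw "$SamAccountName is disabled; a password reset is not the right action." }

    if ($PSCmdlet.ShouldProcess($SamAccountName, "Unlock and reset password (ticket $TicketId)")) {
        # Step 3: clear the lockout so the new password can actually be used.
        if ($user.LockedOut) { Unlock-ADAccount -Identity $user }

        # Step 4: set a random temporary password (never a fixed, guessable value).
        $plain  = New-TemporaryPassword
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure

        # Step 5: force the user to choose their own password at next logon.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true

        # Step 6: record who did what for which ticket, without the password itself.
        $entry = '{0:u} ticket={1} user={2} verified_by={3} analyst={4}' -f (Get-Date), $TicketId, $SamAccountName, $VerifiedBy, $env:USERNAME
        New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
        Add-Content -Path $LogPath -Value $entry

        # Return the temporary password once so the analyst can read it to the verified caller.
        [pscustomobject]@{ User = $SamAccountName; TemporaryPassword = $plain; Ticket = $TicketId }
    }
}

# Usage (dry run first, then without -WhatIf):
# Reset-LockedOutUser -SamAccountName jdoe -TicketId INC-0001 -VerifiedBy 'callback to HR phone on file' -WhatIf
```

The ordering matters: unlocking before the reset means the caller can log in immediately, and forcing a change at next logon means the temporary password the analyst spoke aloud stops working after one use. The log entry deliberately never contains the password, only the ticket, the account, and how the caller was verified.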

123
MCQmedium

A legacy payroll server contains a critical vulnerability. The vendor says a patch is 45 days away, and the system must remain available for payroll processing. Which risk treatment is the best short-term choice?

A.Accept the risk until the patch arrives because the server is needed for payroll processing.
B.Mitigate the risk with compensating controls such as segmentation, restricted access, and monitoring.
C.Avoid the risk by permanently decommissioning the server this week.
D.Transfer the risk by purchasing support coverage and waiting for the patch.
AnswerB

Mitigation is the best short-term treatment because the server must remain available and the vendor cannot patch it yet. Compensating controls can reduce exposure by limiting who can reach the system, narrowing network paths, and improving detection. This lowers likelihood without shutting down payroll operations. It is the most practical choice when full remediation is delayed.

Why this answer

Option B is correct because compensating controls like network segmentation, strict access controls, and enhanced monitoring can reduce the risk of exploitation while keeping the legacy payroll server operational. This approach directly addresses the need for availability during the 45-day patch window, aligning with the principle of defense-in-depth for unpatched systems.

Exam trap

The trap here is that candidates may confuse 'accepting the risk' (Option A) as a valid short-term strategy, but CompTIA expects you to recognize that acceptance without active monitoring or controls is not appropriate when the vulnerability is critical and the system handles sensitive data.

How to eliminate wrong answers

Option A is wrong because accepting the risk without any active countermeasures leaves a critical vulnerability on a system holding sensitive payroll data exposed to exploitation; acceptance is appropriate only when the remaining risk falls within the organization's risk appetite, which a critical, unpatched flaw on a payroll server does not. Option C is wrong because permanently decommissioning the server avoids the risk but violates the requirement that the system must remain available for payroll processing, making it an impractical short-term choice. Option D is wrong because purchasing support coverage does not transfer the technical risk of exploitation; it only provides vendor support, and waiting for the patch still leaves the vulnerability unmitigated during the 45-day period.

124
MCQmedium

A business owner asks whether to proceed with a medium-risk issue on an internal reporting system. The vulnerability is unlikely to be exploited because the system is reachable only from a segmented admin network, and no sensitive data is stored there. The owner wants to postpone remediation until the next planned upgrade window. Which risk treatment is being chosen?

A.Risk avoidance, because the system will be upgraded later.
B.Risk acceptance, because the business is choosing to live with the remaining risk for now.
C.Risk transfer, because the upgrade window shifts responsibility to the vendor.
D.Risk escalation, because the issue is being sent to the help desk for tracking.
AnswerB

This is the correct treatment because leadership is knowingly accepting the residual risk until the planned upgrade.

Why this answer

Option B is correct because risk acceptance is the deliberate decision to acknowledge and tolerate a risk without immediate remediation. In this scenario, the business owner understands the vulnerability is low-likelihood (segmented admin network, no sensitive data) and chooses to postpone fixing it until the next planned upgrade, thereby accepting the residual risk for that period.

Exam trap

The exam often tests the distinction between risk acceptance and risk avoidance, where candidates mistakenly think postponing remediation equals avoidance rather than a conscious decision to live with the risk temporarily.

How to eliminate wrong answers

Option A is wrong because risk avoidance would mean eliminating the risk entirely (e.g., removing the system or blocking all access), not merely postponing remediation to a later upgrade. Option C is wrong because risk transfer shifts financial liability to a third party (e.g., purchasing cyber insurance or outsourcing), not delaying an internal fix. Option D is wrong because risk escalation involves formally notifying higher management or a risk committee to decide on a response, not simply sending a ticket to the help desk for tracking.

125
Matchingmedium

Match each data example to the most appropriate classification label. 1. A public marketing flyer approved for external posting. 2. An internal org chart and office directory meant only for employees. 3. A customer case file with contact details and order history. 4. A vault export containing API keys and encryption secrets.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Public

Internal

Confidential

Restricted

Why these pairings

These matches follow a typical data classification scheme: Public for non-sensitive info, Internal for company-only data, Confidential for customer PII, and Restricted for highly sensitive secrets.

126
Multi-Selecteasy

After a phishing campaign, several employees entered credentials on a fake login page. Management wants a control that both improves user behavior and gives the security team a way to measure whether click rates are going down. Which two actions best meet that goal? Select two.

Select 2 answers
A.Send a reminder email once a year and stop there
B.Run role-based phishing awareness training
C.Disable all external email for every employee
D.Use simulated phishing exercises with reporting metrics
E.Tell users to ignore suspicious messages unless IT calls first
AnswersB, D

Role-based training helps employees recognize threats that match their actual job responsibilities and exposure.

Why this answer

Role-based phishing awareness training (B) directly improves user behavior by tailoring content to specific job functions, making the training more relevant and effective. Simulated phishing exercises with reporting metrics (D) provide a measurable way for the security team to track click rates over time, enabling data-driven assessment of improvement. Together, they address both behavioral change and quantifiable measurement.

Exam trap

CompTIA often tests the distinction between passive awareness (like annual emails) and active, measurable training (like simulated phishing with metrics), leading candidates to mistakenly select a single control that only addresses one aspect of the goal.

127
Multi-Selectmedium

A weekly risk review lists several findings. Which two should be addressed first based on likelihood of exploitation and business impact? Select two.

Select 2 answers
A.An internet-facing VPN appliance with a known exploit and no vendor patch available yet.
B.An internal lab system with an outdated browser component, isolated from production and not customer-facing.
C.A public payroll portal that still uses default administrator credentials.
D.A training virtual machine used offline once per month in a disconnected lab.
E.A documentation site with a spelling error in its banner text.
AnswersA, C

Exposure is public, exploitation is likely, and the business impact could be broad if the device is compromised.

Why this answer

Option A is correct because an internet-facing VPN appliance with a known exploit presents a high likelihood of exploitation — attackers actively scan for such vulnerabilities — and the lack of a vendor patch means no immediate mitigation is available, leaving the business exposed to potential data breaches or network compromise. The combination of high exploitability (public-facing, known exploit) and high business impact (VPN access often leads to internal network access) makes this a critical risk that must be addressed first.

Exam trap

CompTIA often tests the concept that default credentials on a public-facing system (Option C) are a critical risk because they are trivially exploitable (no exploit development needed) and directly impact business operations, such as payroll data exposure, making it a top priority alongside unpatched internet-facing appliances.

128
Multi-Selectmedium

A security manager is writing baseline requirements for all corporate laptops. Which three statements belong in the standard rather than in a policy or guideline? Select three.

Select 3 answers
A.Full-disk encryption must be enabled using approved encryption software.
B.The screen must lock after 10 minutes of inactivity.
C.Users should consider keeping their devices updated whenever convenient.
D.Local administrator rights are not allowed on standard user laptops.
E.Employees must follow the company's acceptable use policy at all times.
AnswersA, B, D

Standards define mandatory technical requirements, and this statement specifies an enforceable configuration.

Why this answer

Option A is correct because it is a mandatory, enforceable requirement that specifies exactly what must be done (enable full-disk encryption) and with what (approved encryption software). This level of specificity and obligation belongs in a standard, which defines compulsory technical controls, unlike a policy (high-level intent) or guideline (suggested best practice).

Exam trap

The trap here is that candidates confuse the permissive language of a guideline ('should consider') with the mandatory language of a standard ('must'), leading them to incorrectly select option C as a valid standard statement.

129
MCQmedium

The CIO wants to compare two mitigation options for a payment system outage and justify the budget request in dollars. The team already knows the likely downtime window, annual incident frequency, and estimated revenue loss per hour. Which approach would best support the decision?

A.Qualitative risk analysis
B.Quantitative risk analysis
C.Risk avoidance
D.Risk acceptance
AnswerB

Quantitative analysis uses measurable values like frequency, downtime, and financial loss to compare options and justify spending in monetary terms.

Why this answer

Quantitative risk analysis (Option B) is correct because it uses numerical data—such as the likely downtime window, annual incident frequency, and estimated revenue loss per hour—to calculate a monetary value (e.g., Annualized Loss Expectancy). This directly supports the CIO's need to compare mitigation options in dollars and justify a budget request with hard numbers, unlike qualitative methods that rely on subjective ratings.

Exam trap

The trap here is that candidates confuse qualitative risk analysis with quantitative risk analysis, assuming that any risk assessment involving 'analysis' can produce dollar figures, but qualitative methods only yield ordinal rankings, not monetary values.

How to eliminate wrong answers

Option A is wrong because qualitative risk analysis uses subjective ratings (e.g., high/medium/low) rather than hard dollar figures, so it cannot provide the precise monetary comparison the CIO needs for budget justification. Option C is wrong because risk avoidance means eliminating the activity causing the risk (e.g., discontinuing the payment system), which is not a comparison of mitigation options but a drastic measure that would halt business operations. Option D is wrong because risk acceptance means acknowledging the risk without taking action, which does not involve comparing mitigation options or justifying a budget request—it simply accepts the potential loss.
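The comparison the CIO is asking for is a quantitative one: single loss expectancy (SLE = downtime hours × loss per hour), annualized loss expectancy (ALE = SLE × annual rate of occurrence), and then the ALE reduction each option buys net of its own annual cost. The following is an added worked example, not part of the question bank; the outage figures, option names and costs are constructed for illustration.

```python
"""Quantitative comparison of two outage-mitigation options using SLE/ARO/ALE.

Added example for the question above; all numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OutageScenario:
    downtime_hours: float       # likely downtime window per incident
    incidents_per_year: float   # annual rate of occurrence (ARO)
    loss_per_hour: float        # estimated revenue loss per hour of outage

    def sle(self) -> float:
        """Single loss expectancy: money lost in one incident."""
        return self.downtime_hours * self.loss_per_hour

    def ale(self) -> float:
        """Annualized loss expectancy: SLE multiplied by ARO."""
        return self.sle() * self.incidents_per_year


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float          # yearly cost of the control (licences, staff, hardware)
    residual: OutageScenario    # downtime/frequency expected after the control is in place


def annual_benefit(before: OutageScenario, option: Mitigation) -> float:
    """ALE reduction minus the control's annual cost. Negative means the control
    costs more per year than the loss it prevents, so it should not be funded
    on financial grounds alone."""
    return before.ale() - option.residual.ale() - option.annual_cost


def pick_best(before: OutageScenario, options: list[Mitigation]) -> Mitigation:
    """Return the option with the largest net annual benefit."""
    return max(options, key=lambda m: annual_benefit(before, m))


# Constructed current state: 6-hour outages, four times a year, $20,000 per hour.
CURRENT = OutageScenario(downtime_hours=6, incidents_per_year=4, loss_per_hour=20_000)

# Constructed options. One shortens each outage, the other makes outages rarer.
OPTIONS = [
    Mitigation("warm standby", annual_cost=150_000,
               residual=OutageScenario(downtime_hours=1, incidents_per_year=4, loss_per_hour=20_000)),
    Mitigation("hardening", annual_cost=60_000,
               residual=OutageScenario(downtime_hours=6, incidents_per_year=1, loss_per_hour=20_000)),
]

if __name__ == "__main__":
    print(f"Current SLE ${CURRENT.sle():,.0f}, ALE ${CURRENT.ale():,.0f}")
    for opt in OPTIONS:
        print(f"{opt.name:>13}: residual ALE ${opt.residual.ale():,.0f}, "
              f"cost ${opt.annual_cost:,.0f}, net benefit ${annual_benefit(CURRENT, opt):,.0f}")
    print("Recommend:", pick_best(CURRENT, OPTIONS).name)
```

With these constructed inputs the current ALE is $480,000; the warm standby yields a net benefit of $250,000 and the cheaper hardening option $300,000, so the option that cuts frequency wins even though it does nothing for outage duration. The point for the budget conversation is that the ranking depends on the inputs, so the downtime window, frequency and hourly loss should be documented with their sources alongside the result.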

130
MCQmedium

A hospital's claims portal has two open risks. Risk A is an internet-facing login page with a low-severity software flaw, but monitoring shows a steady increase in automated login attempts. Risk B is an internal file share with a medium-severity patch gap, but only a small admin group can access it and no exploitation is observed. Leadership can fund only one remediation this month. Which risk should be prioritized first?

A.Prioritize Risk A because it is exposed to the internet and already shows active attack interest.
B.Prioritize Risk B because a medium-severity flaw is always more important than a low-severity flaw.
C.Accept Risk A because no confirmed compromise has occurred yet.
D.Transfer Risk A to an insurer because public-facing exposure cannot be reduced.
AnswerA

Risk A has the higher overall business risk because exposure and observed attack activity raise the likelihood of exploitation. Even if the flaw is rated low severity, an internet-facing system is more likely to be targeted quickly and broadly. Prioritization should consider both impact and likelihood, not severity alone. Addressing the public login page first reduces the chance of a successful compromise across a high-value service.

Why this answer

Risk A should be prioritized because the internet-facing login page is exposed to the public attack surface, and the steady increase in automated login attempts indicates active reconnaissance or credential-stuffing attacks. Even though the software flaw is low severity, the combination of internet exposure and active attacker interest significantly elevates the likelihood of exploitation, making it a higher priority than an internal file share with no observed exploitation.

Exam trap

The trap here is that candidates fixate on severity ratings (low vs. medium) without considering the risk equation, especially the critical factor of active attack interest and internet exposure, which the SY0-701 exam emphasizes in the context of threat intelligence and attack surface management.

How to eliminate wrong answers

Option B is wrong because it incorrectly assumes severity alone determines priority; in risk management, likelihood (internet exposure, active attack interest) and impact must be weighed together, and a medium-severity flaw with no exploitation and limited access is less urgent than a low-severity flaw under active attack. Option C is wrong because accepting a risk without remediation is only appropriate when the residual risk is within the organization's tolerance, but here the active attack interest and internet exposure create an unacceptable level of risk that requires action now rather than after a confirmed compromise. Option D is wrong because its premise is false: public-facing exposure can be reduced (for example by patching the flaw, rate-limiting or adding MFA to the login page), and insurance only shifts financial loss after an incident without lowering the likelihood of one.

131
MCQeasy

A file contains employee Social Security numbers and bank account details. The company uses the labels Public, Internal, Confidential, and Restricted. Which label is most appropriate?

A.Public, because employees may need to share it with outside vendors
B.Internal, because only company staff should see it
C.Confidential, because the information is sensitive but not highly regulated
D.Restricted, because it contains highly sensitive personal and financial information
AnswerD

Restricted is the best fit when the data includes highly sensitive personal and financial details needing strict access control.

Why this answer

Social Security numbers and bank account details are personally identifiable information (PII) and financial data, which are subject to strict privacy and breach-notification requirements (e.g., GDPR for EU residents; in the US, state breach-notification laws and sector rules such as GLBA). The 'Restricted' label is designed for the most sensitive data that requires the highest level of access control and encryption, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates may confuse 'Confidential' with 'Restricted', assuming any sensitive data fits the 'Confidential' label, but 'Restricted' is specifically reserved for data that is both highly sensitive and subject to regulatory compliance requirements.

How to eliminate wrong answers

Option A is wrong because labeling this data as 'Public' would allow unrestricted access, violating data privacy regulations and exposing the company to legal penalties. Option B is wrong because 'Internal' is typically used for data that is not sensitive but should not be shared externally, whereas SSNs and bank details require more stringent controls. Option C is wrong because 'Confidential' is often used for sensitive business data (e.g., trade secrets), but it does not imply the highest level of protection needed for highly regulated personal financial information; 'Restricted' is the appropriate label for such data.

132
MCQhard

Based on the exhibit, what should the records manager do next?

A.Delete the records on schedule because the retention period is still the primary rule.
B.Move the records to long-term archive and continue the normal deletion schedule.
C.Print the records, delete the digital copies, and keep the paper copies instead.
D.Suspend deletion and preserve all related records until the legal hold is formally lifted.
AnswerD

A legal hold takes precedence over the routine retention schedule. Because counsel explicitly instructed the organization to preserve all related communications and prevent deletion or alteration, the records manager must stop auto-deletion and ensure the data remains intact. This supports legal defensibility and audit readiness while avoiding accidental spoliation of evidence.

Why this answer

Option D is correct because when a legal hold is in effect, it overrides any standard retention or deletion policies. The records manager must suspend all deletion activities and preserve all related records until the legal hold is formally lifted, as failure to do so could result in spoliation of evidence and legal penalties.

Exam trap

The trap here is that candidates may assume retention schedules are absolute, but legal holds are a higher-priority legal obligation that overrides standard data lifecycle policies.

How to eliminate wrong answers

Option A is wrong because it ignores the legal hold, which supersedes the retention period as the primary rule when litigation is pending. Option B is wrong because moving records to long-term archive does not satisfy the legal hold requirement; the hold requires preservation of all records, not just a change in storage location, and continuing a normal deletion schedule could destroy relevant data. Option C is wrong because printing digital copies and deleting the originals would destroy metadata and potentially violate the legal hold, as the original digital records may be required for e-discovery in their native format.

133
MCQmedium

A security manager issues a mandatory document that requires all corporate laptops to use full-disk encryption, automatic screen lock after 10 minutes, and approved endpoint protection software. The document will be checked during compliance reviews. Which governance artifact is this?

A.Policy
B.Standard
C.Procedure
D.Guideline
AnswerB

A standard defines mandatory, measurable requirements such as required encryption, timeout values, and approved tools.

Why this answer

The document mandates specific, measurable technical controls (full-disk encryption, a 10-minute screen-lock timeout, an approved endpoint protection product) and is verified during compliance reviews, which is exactly what a standard is: the enforceable configuration requirements that implement a policy's intent. A policy would state the high-level goal ('corporate laptops must be protected against loss and theft') without naming timeout values or products. The document is not a procedure, because it contains no step-by-step instructions for applying the settings, and not a guideline, because nothing in it is optional.

Exam trap

The trap here is confusing a policy (high-level mandate) with a standard (specific mandatory technical baseline), as many candidates assume any mandatory document is automatically a policy, but the level of detail (e.g., exact timeout values, encryption type) indicates a standard.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level mandatory directive, but the question describes a document that mandates specific technical controls (full-disk encryption, screen lock timeout, endpoint protection), which is more prescriptive than a typical policy. Option C is wrong because a procedure provides step-by-step instructions on how to implement a control, not a mandatory requirement for what controls must be in place. Option D is wrong because a guideline offers recommendations or best practices that are not mandatory, whereas this document is explicitly mandatory and checked during compliance reviews.

134
Multi-Selecteasy

A small company can only remediate two findings this week. Which two should be fixed first based on risk to the business? Select two.

Select 2 answers
A.An internet-facing VPN appliance with a critical vulnerability and a public exploit
B.An internal training VM used by one student with a medium vulnerability and no sensitive data
C.A production print server that still uses the default administrator password and is accessible to finance users
D.A discontinued server already removed from the network but still listed in inventory
E.A low-severity cosmetic issue on a noncritical dashboard page
AnswersA, C

An exposed system with a known exploit creates both high likelihood and high impact, so it should be handled immediately.

Why this answer

Option A is correct because an internet-facing VPN appliance with a critical vulnerability and a public exploit represents an immediate, high-impact risk. Attackers can leverage the public exploit to gain unauthorized remote access to the internal network, potentially compromising all connected systems and data. The combination of internet exposure and known exploit makes this the highest priority for remediation.

Exam trap

The trap here is that candidates may prioritize based on severity alone (e.g., medium vs. critical) without considering exposure and business context, or they may mistakenly think a decommissioned server still poses a risk when it is already offline.

135
MCQhard

Based on the exhibit, what should the security team add before approving the vendor's requested change?

A.A broader employee awareness training requirement for the vendor's staff.
B.A contract clause requiring prior written approval for new subprocessors and flow-down security obligations.
C.A larger cyber insurance policy to cover possible losses if the vendor is breached.
D.A request for the vendor to send monthly screenshots of its backup jobs.
AnswerB

This is the strongest control because the risk comes from an unapproved change in the supply chain. Prior approval gives the customer visibility into who will process the data, and flow-down obligations ensure the subcontractor must meet the same security requirements. That directly addresses third-party risk, unlike insurance or generic training.

Why this answer

The exhibit shows the vendor requesting a change to use a new subprocessor for data storage. The security team must ensure that the vendor's contract includes a clause requiring prior written approval for new subprocessors and that security obligations flow down to them. This directly addresses the risk of unauthorized data handling by third parties, which is a key concern in vendor risk management.

Exam trap

CompTIA often tests the distinction between reactive controls (like insurance or monitoring) and proactive contractual controls (like approval clauses) in vendor change management scenarios, leading candidates to pick a monitoring or financial solution instead of the correct governance measure.

How to eliminate wrong answers

Option A is wrong because broader employee awareness training for the vendor's staff does not address the specific risk of a new subprocessor being introduced without oversight; training is a general control, not a contractual safeguard for subprocessor changes. Option C is wrong because a larger cyber insurance policy covers financial losses after a breach but does not prevent the unauthorized use of a subprocessor or enforce security obligations proactively. Option D is wrong because monthly screenshots of backup jobs provide only a point-in-time verification of backups, not a mechanism to control or approve changes to subprocessors or ensure security requirements are met.

136
MCQhard

Based on the exhibit, which risk treatment should the security manager recommend first?

A.Accept the risk and document it for the next quarterly review.
B.Avoid the risk by permanently shutting down the file transfer service.
C.Mitigate the risk by replacing or isolating the appliance and removing direct internet exposure.
D.Transfer the risk by purchasing cyber insurance and keeping the current configuration.
AnswerC

Mitigation is best because the asset is unsupported, internet-facing, and processes sensitive tax data. The cost to replace is manageable compared with the exposure. A WAF alone does not adequately protect an unsupported service, so the manager should reduce the vulnerability and exposure directly.

Why this answer

The exhibit shows a legacy file transfer appliance with direct internet exposure and known unpatched vulnerabilities. The most effective risk treatment is to mitigate the risk by replacing or isolating the appliance and removing its direct internet exposure. This directly reduces the likelihood of exploitation by shrinking the attack surface, and because the replacement cost is manageable relative to the exposure, it is proportionate where acceptance would leave sensitive tax data exposed, avoidance would stop a needed business service, and transfer would leave the vulnerability in place.

Exam trap

The trap here is that candidates may confuse 'transfer the risk' (Option D) with a proactive security measure, when in fact cyber insurance is a financial risk transfer that does not address the technical vulnerability, whereas mitigation (Option C) directly reduces the likelihood of exploitation.

How to eliminate wrong answers

Option A is wrong because accepting the risk without any compensating controls would leave a vulnerable, internet-facing appliance actively exploitable, which violates the principle of due care. Option B is wrong because permanently shutting down the file transfer service would disrupt business operations and likely violate service-level agreements, making it an overly drastic first step when isolation or replacement is feasible. Option D is wrong because transferring the risk via cyber insurance does not reduce the likelihood or impact of a breach; it only provides financial compensation after an incident, leaving the vulnerable appliance exposed and operational.

137
MCQhard

Based on the exhibit, what is the best data-handling action before sharing the file with the third party?

A.Send the full spreadsheet encrypted and let the vendor filter out the extra columns.
B.Redact the unnecessary sensitive fields and provide only the minimum necessary extract after approval.
C.Mark the spreadsheet as internal and share it through the benefits contractor's cloud portal.
D.Send the file unchanged because the contractor signed a nondisclosure agreement.
AnswerB

This follows data minimization and handling requirements. The third party only needs names, email addresses, and benefits selections, so bank and government-ID fields should be removed before sharing. Encryption alone is not enough because the recipient would still receive more data than needed. This approach reduces privacy exposure and aligns with the policy note in the exhibit.

Why this answer

Option B is correct because data minimization and the principle of least privilege require that only the minimum necessary sensitive data be shared with a third party. Redacting unnecessary sensitive fields and obtaining approval ensures compliance with data protection policies and reduces the risk of unauthorized exposure, even if the recipient has signed an NDA.

Exam trap

CompTIA often tests the misconception that a signed NDA or encryption alone is sufficient to share all data, when in fact data minimization and formal approval are required to meet security and compliance standards.

How to eliminate wrong answers

Option A is wrong because sending the full spreadsheet with extra columns still exposes sensitive data that the vendor does not need, violating data minimization and increasing breach risk. Option C is wrong because marking the spreadsheet as 'internal' and sharing via the contractor's cloud portal does not remove sensitive fields and may bypass proper access controls, as the portal may not enforce data redaction. Option D is wrong because a nondisclosure agreement does not justify sharing all data unchanged; it does not eliminate the need to limit data to the minimum necessary for the task.
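The practical way to produce the "minimum necessary extract" is to project the spreadsheet onto an allowlist of approved columns rather than to strip a denylist of known-sensitive ones: a column added to the source later (a new bank field, say) is then excluded by default instead of leaking. The following is an added example, not part of the question bank; the column names and the two rows of sample data are constructed, and the allowlist mirrors the fields the question says the contractor needs.

```python
"""Data-minimization extract: keep only approved columns from an employee export.

Added example for the question above. Column names and rows are constructed.
"""
import csv
import io

# Columns the benefits contractor actually needs. Anything not listed here is
# dropped, whatever the source file contains. Names are assumed for illustration.
ALLOWED_COLUMNS = ["employee_name", "email", "benefits_plan"]

# Constructed source spreadsheet including the fields that must NOT be shared.
SOURCE_CSV = """employee_name,email,benefits_plan,bank_account,government_id
Ada Lovelace,ada@example.com,Plan B,12345678,AB123456C
Alan Turing,alan@example.com,Plan A,87654321,CD987654E
"""


def minimum_extract(csv_text: str, allowed: list[str]) -> str:
    """Return CSV text containing only the allowed columns, in allowlist order.

    Fails closed: if an approved column is missing from the source, raise rather
    than silently producing a partial extract that someone might then 'fix' by
    sending the original file.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in allowed if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"approved columns not present in source: {missing}")

    out = io.StringIO()
    # extrasaction="ignore" is what drops bank_account, government_id and any
    # other column that is not on the allowlist.
    writer = csv.DictWriter(out, fieldnames=allowed, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


def header_matches_approval(extract: str, allowed: list[str]) -> bool:
    """Release gate: the header of what is about to be sent must equal the
    approved allowlist exactly, so the approval record describes the real file."""
    first_line = extract.splitlines()[0] if extract else ""
    return first_line.split(",") == allowed


if __name__ == "__main__":
    extract = minimum_extract(SOURCE_CSV, ALLOWED_COLUMNS)
    assert header_matches_approval(extract, ALLOWED_COLUMNS)
    print(extract)
```

The extract still needs to travel over an approved, encrypted channel; the allowlist removes what the recipient should never receive, and encryption protects what they legitimately do.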

138
MCQmedium

Based on the exhibit, which missing control best improves oversight of the supplier?

A.Right-to-audit clause.
B.Allow the supplier to choose any encryption algorithm it wants.
C.Disable all contract reviews after signature.
D.Require the vendor to use employee badges for all facilities.
AnswerA

This is the best missing control because it allows the organization to verify security claims, inspect evidence, and validate subcontractor oversight when needed.

Why this answer

A right-to-audit clause is the missing control that best improves oversight of the supplier because it grants the organization contractual authority to examine the supplier's security controls, processes, and compliance evidence. Without this clause, the organization has no formal mechanism to verify that the supplier is adhering to agreed-upon security requirements, leaving oversight entirely dependent on trust.

Exam trap

The trap here is that candidates often confuse operational controls (like physical badges) with governance controls (like audit rights), failing to recognize that oversight requires a contractual mechanism to verify compliance, not just a procedural requirement.

How to eliminate wrong answers

Option B is wrong because allowing the supplier to choose any encryption algorithm it wants removes control over cryptographic strength and compliance with standards (e.g., FIPS 140-2), potentially permitting weak or deprecated algorithms like DES or RC4. Option C is wrong because disabling all contract reviews after signature eliminates the ability to reassess terms, update security requirements, or address changing risks, which is essential for ongoing oversight. Option D is wrong because requiring the vendor to use employee badges for all facilities addresses physical access control but does not provide oversight of the supplier's broader security practices, such as data handling, incident response, or subcontractor management.

139
Multi-Selectmedium

A records manager confirms that paper onboarding forms containing government IDs are past retention, no legal hold exists, and the files are no longer needed. Which three actions should happen next? Select three.

Select 3 answers
A.Destroy the forms using approved secure disposal methods.
B.Record the destruction according to retention and disposal procedures.
C.Verify that no legal hold or regulatory exception applies.
D.Store the forms in a desk drawer for another quarter just in case.
E.Email scans of the forms to managers so they can keep a copy.
AnswersA, B, C

Secure destruction ensures sensitive personal information cannot be recovered after the retention period ends.

Why this answer

Option A is correct because once records are past their retention period, no legal hold exists, and they are no longer needed, the organization must destroy them using approved secure disposal methods (e.g., cross-cut shredding, incineration, or pulping) to prevent unauthorized access to sensitive PII. This aligns with the principle of data minimization and with privacy regulations such as GDPR, which expect personal data to be kept no longer than necessary.

Exam trap

The trap here is that candidates may think 'just in case' retention (Option D) is a safe fallback, but CompTIA emphasizes that records past retention with no legal hold must be destroyed immediately to avoid non-compliance and security risks.

140
MCQhard

Based on the exhibit, which metric best shows that employees are recognizing and escalating phishing attempts more quickly?

A.Click rate, because a lower click rate is the only useful awareness metric.
B.Training completion rate, because it proves every employee attended the awareness session.
C.Median report time, because it shows how quickly users notify security after spotting a phish.
D.Number of simulation emails sent, because a larger campaign is always a better metric.
AnswerC

Median report time best demonstrates faster recognition and escalation, which reduces attacker dwell time and improves response. In the exhibit, the median time dropped from 8 minutes to 3 minutes, showing better behavior under pressure. Click rate is still useful, but quick reporting is the stronger indicator of resilience and response readiness.

Why this answer

The median report time directly measures the speed at which employees notify the security team after identifying a phishing simulation email. A decreasing median report time indicates that users are recognizing phishing attempts more quickly and escalating them, which is the key behavioral change this metric captures. Unlike click rate, which only measures failure, report time measures the positive action of reporting.

Exam trap

CompTIA often tests the distinction between metrics that measure awareness (e.g., training completion) versus metrics that measure behavioral change (e.g., median report time), and candidates mistakenly choose click rate because it is a common phishing metric, but it does not capture the speed of escalation.

How to eliminate wrong answers

Option A is wrong because click rate measures the percentage of users who clicked a phishing link, which indicates failure to recognize a phish, not the speed of recognition or escalation; a lower click rate is useful but does not show how quickly users report. Option B is wrong because training completion rate only proves attendance, not whether employees learned to recognize or escalate phishing attempts; it is a proxy for exposure, not effectiveness. Option D is wrong because the number of simulation emails sent is a measure of campaign scale, not user behavior; a larger campaign does not inherently indicate faster recognition or reporting.

141
MCQeasy

A policy states that sensitive data must be encrypted, but it does not say which encryption strength to use. The security architect wants a document that lists the exact approved encryption settings for systems to follow. What document is needed?

A.A procedure, because it explains the step-by-step order for handling every file.
B.A standard, because it specifies the required technical values and configurations.
C.A guideline, because it gives suggestions that teams may choose to adopt.
D.A memo, because it is the fastest way to tell teams about a new requirement.
AnswerB

A standard is the right document when the organization needs exact, mandatory technical settings such as approved encryption strength or configuration values. The policy provides the high-level requirement, while the standard translates that requirement into measurable controls that systems and auditors can follow consistently.

Why this answer

A standard is the correct document because it mandates specific, measurable technical requirements—such as exact encryption algorithms (e.g., AES-256), key lengths, and cipher modes (e.g., GCM)—that systems must follow to comply with the policy. Unlike a policy, which states a goal (e.g., 'encrypt sensitive data'), a standard provides the enforceable configuration baseline that the security architect needs.

Exam trap

The trap here is confusing a standard with a guideline: candidates often pick 'guideline' because both documents provide technical details, but a standard is mandatory and prescriptive, while a guideline is advisory and flexible.

How to eliminate wrong answers

Option A is wrong because a procedure details the step-by-step order for performing a task (e.g., how to encrypt a file using a specific tool), not the approved encryption settings themselves. Option C is wrong because a guideline offers recommendations or best practices that teams may choose to adopt, but the security architect requires mandatory, exact values, not optional suggestions. Option D is wrong because a memo is an informal communication method, not a formal document that defines technical requirements; it lacks the authority and precision needed for enforcing encryption configurations.

142
MCQhard

Based on the exhibit, which governance artifact is being described?

A.Policy, because it states broad organizational intent without requiring specific settings.
B.Standard, because it defines mandatory requirements but does not describe a step-by-step process.
C.Procedure, because it explains the exact sequence an administrator should follow to secure the device.
D.Baseline, because it defines the approved minimum configuration that systems must meet.
AnswerD

The exhibit is labeled as a minimum configuration and lists required settings that establish the approved security floor for all laptops. That is the classic purpose of a baseline. It provides a reference point for configuration consistency and drift detection, and it is often approved by security and technical owners together. The annual review cycle also fits a controlled baseline update process.

Why this answer

The exhibit describes a baseline because it specifies the approved minimum configuration settings that systems must meet, such as requiring AES-256 encryption, disabling weak protocols like SSL and TLS 1.0, and enforcing a minimum password length of 14 characters. These are concrete configuration floors, not broad intent, not step-by-step instructions, and not a requirement stated without the values that satisfy it.

Exam trap

The trap here is that candidates confuse a standard with a baseline, but a standard is a broader mandatory requirement (e.g., 'use encryption') while a baseline specifies the exact minimum acceptable configuration (e.g., 'use AES-256 with a key length of 256 bits').

How to eliminate wrong answers

Option A is wrong because a policy states broad organizational intent and high-level goals, not specific configuration settings like 'AES-256 encryption' or 'disable SSL/TLS 1.0'. Option B is wrong because a standard defines mandatory requirements but does not include the specific numeric thresholds or approved minimum values that a baseline does; the exhibit lists exact minimums (e.g., 14-character passwords), which is characteristic of a baseline. Option C is wrong because a procedure provides a step-by-step sequence of actions, whereas the exhibit only lists required configuration states without any ordered instructions.
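Because a baseline is a floor, a useful drift check has to do more than string-compare a host's settings against the document: a 16-character minimum password length satisfies a 14-character baseline, while a missing setting should count as drift rather than pass. The following is an added example, not part of the question bank; the baseline values mirror the settings the question describes, the screen-lock entry is an assumption borrowed from the laptop standard elsewhere on this page, and the two host configurations and their key names are constructed.

```python
"""Baseline drift check: compare collected laptop settings against the approved
minimum configuration. Added example; baseline keys and host data are assumed.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Requirement:
    key: str                          # name of the setting in the collected config
    floor: str                        # human-readable minimum from the baseline
    satisfied: Callable[[Any], bool]  # True when the observed value meets or exceeds the floor


WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}

BASELINE = [
    Requirement("disk_encryption", "AES-256", lambda v: v == "AES-256"),
    # The baseline disables SSL and TLS 1.0; any stricter protocol set passes.
    Requirement("enabled_tls_protocols", "no SSLv2/SSLv3/TLSv1.0",
                lambda v: not (set(v) & WEAK_PROTOCOLS)),
    # Floors, not exact values: stricter than the minimum is compliant.
    Requirement("min_password_length", ">= 14",
                lambda v: isinstance(v, int) and v >= 14),
    Requirement("screen_lock_minutes", "<= 10 (assumed from the laptop standard)",
                lambda v: isinstance(v, int) and 0 < v <= 10),
]


def check_drift(observed: dict[str, Any]) -> list[str]:
    """Return one finding per baseline requirement the host fails.

    An unreported setting is treated as drift: the collector did not prove the
    floor is met, and failing open here is how baselines quietly erode.
    """
    findings: list[str] = []
    for req in BASELINE:
        if req.key not in observed:
            findings.append(f"{req.key}: not reported (treated as drift, baseline {req.floor})")
        elif not req.satisfied(observed[req.key]):
            findings.append(f"{req.key}: observed {observed[req.key]!r}, baseline {req.floor}")
    return findings


# Constructed host reports. The first is stricter than the baseline on two settings.
COMPLIANT_HOST = {
    "disk_encryption": "AES-256",
    "enabled_tls_protocols": ["TLSv1.2", "TLSv1.3"],
    "min_password_length": 16,
    "screen_lock_minutes": 5,
}
DRIFTED_HOST = {
    "disk_encryption": "AES-256",
    "enabled_tls_protocols": ["TLSv1.0", "TLSv1.2"],
    "min_password_length": 12,
    # screen_lock_minutes deliberately absent
}

if __name__ == "__main__":
    for name, host in (("compliant", COMPLIANT_HOST), ("drifted", DRIFTED_HOST)):
        print(name, check_drift(host) or "no drift")
```

The predicate-per-requirement shape is what lets the same check express exact matches, minimums, maximums and "must not contain" rules without a special case for each; the annual baseline review the question mentions then becomes an edit to the BASELINE list rather than to the checking logic.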

143
MCQmedium

Based on the exhibit, which metric best indicates improved phishing resistance?

A.Training completion rate.
B.Number of phishing emails sent by attackers.
C.Phish report rate.
D.Total number of help desk tickets.
AnswerC

The report rate directly reflects whether employees are identifying suspicious messages and escalating them, which is a strong sign of improved phishing resistance.

Why this answer

The phish report rate measures how many users report a simulated phishing email to the security team, which directly indicates their ability to recognize and respond to phishing attempts. A higher report rate demonstrates improved security awareness and resistance because users are actively identifying threats rather than ignoring or falling for them. This metric is a key performance indicator in security awareness programs because it reflects behavioral change, not just training completion.

Exam trap

CompTIA often tests the misconception that training completion rate (Option A) is the best indicator of security awareness, but the exam emphasizes that behavioral metrics like phish report rate are more meaningful because they measure actual user response to threats.

How to eliminate wrong answers

Option A is wrong because training completion rate only measures whether users finished the training module, not whether they retained or applied the knowledge to resist phishing attacks. Option B is wrong because the number of phishing emails sent by attackers is an external threat metric that the organization cannot control and does not reflect user resistance or program effectiveness. Option D is wrong because the total number of help desk tickets is a broad metric that includes many unrelated issues (e.g., password resets, software problems) and does not specifically measure phishing resistance or user reporting behavior.

144
Multi-Selecteasy

A security manager is creating a document that requires every corporate laptop to use full-disk encryption, automatic screen locking after 10 minutes, and approved antivirus software. Which two governance artifacts best fit those requirements? Select two.

Select 2 answers
A.Policy
B.Standard
C.Procedure
D.Guideline
E.Baseline
AnswersB, E

A standard defines mandatory requirements, such as required security settings that all laptops must meet.

Why this answer

Option B (Standard) is correct because a standard defines mandatory technical configurations, such as requiring full-disk encryption (e.g., AES-256 via BitLocker or FileVault), automatic screen locking after 10 minutes, and approved antivirus software. Standards are specific, enforceable baselines that implement the broader intent of a policy, making them the appropriate artifact for these concrete security controls.

Exam trap

The trap here is confusing a policy (broad intent) with a standard (specific mandatory configuration), leading candidates to select 'Policy' when the question explicitly lists precise technical requirements that belong in a standard.

145
Multi-Selectmedium

A manufacturing company must keep a legacy scheduling application running for 60 days while replacement testing finishes. The application supports production orders, and the business cannot tolerate a shutdown. Which three conditions should be required before approving the temporary exception? Select three.

Select 3 answers
A.Assign a named risk owner who is authorized to accept the residual risk.
B.Set a clear expiration date and mandatory review point before renewal.
C.Implement a compensating control such as network restriction or added monitoring.
D.Rely on the vendor's promise that a better version will be available eventually.
E.Approve an unlimited waiver so operations do not need to revisit the issue.
AnswersA, B, C

Accountability matters because only an authorized business owner should accept the remaining exposure for a temporary exception.

Why this answer

Assigning a named risk owner who is authorized to accept residual risk is a fundamental requirement for any risk exception. This ensures accountability and that a specific individual with the authority to accept the potential consequences of running an unsupported system is identified. Without a designated owner, the exception lacks governance and could lead to unmanaged exposure.

Exam trap

The trap here is that candidates might think only one or two of these conditions are needed, but the SY0-701 exam expects all three—risk owner, expiration/review, and compensating controls—to be present for a valid risk exception.

146
MCQeasy

After several rounds of phishing simulations, management wants a metric that best shows employees are improving at recognizing suspicious messages. Which metric should security track?

A.The number of training emails sent to employees each month.
B.The percentage of users who report simulated phishing emails to security.
C.The number of spam emails blocked by the mail gateway.
D.The number of help desk tickets closed within the month.
AnswerB

Reporting suspicious messages is a strong behavioral indicator that users recognize phishing and know what to do with it. An increasing report rate is a practical metric for awareness improvement because it measures real user action, not just training attendance.

Why this answer

The percentage of users who report simulated phishing emails to security directly measures behavioral change, showing that employees are actively recognizing and acting on suspicious messages. This metric reflects the effectiveness of security awareness training by tracking the desired response—reporting—rather than passive metrics like email volume or ticket counts.

Exam trap

CompTIA often tests the distinction between input metrics (e.g., training sent) and outcome metrics (e.g., user reporting), leading candidates to choose a metric that sounds related but does not measure actual behavioral improvement.

How to eliminate wrong answers

Option A is wrong because the number of training emails sent measures only the volume of communication, not whether employees learned or applied the training; it is an input metric, not an outcome. Option C is wrong because spam emails blocked by the mail gateway is a technical control metric, unrelated to employee behavior or phishing recognition skills. Option D is wrong because help desk tickets closed within the month measures operational efficiency, not employee ability to identify phishing attempts.

147
MCQmedium

Based on the exhibit, what is the best risk response for the security team to recommend before the customer portal goes live?

A.Accept the risk now, because the WAF rule lowers exposure enough for launch.
B.Mitigate the risk by remediating the vulnerability before production release.
C.Transfer the risk to the hosting provider through a service-level agreement.
D.Avoid the risk by permanently canceling the customer portal project.
AnswerB

This is the best choice because the exhibit shows a high-likelihood, high-impact issue with a fix available in time for launch. The policy also says critical internet-facing vulnerabilities should not be accepted when remediation is available. A real fix reduces the underlying exposure more effectively than a temporary control.

Why this answer

The exhibit shows a critical SQL injection vulnerability in the customer portal that has been partially mitigated by a WAF rule. However, WAF rules can be bypassed (e.g., through encoding tricks or HTTP parameter pollution), so the residual risk remains high. The best response is to remediate the vulnerability in the application code before launch, which directly removes the root cause and aligns with the principle of defense in depth.

Exam trap

The trap here is that candidates assume a WAF provides complete protection and thus choose 'accept the risk,' but the SY0-701 exam emphasizes that compensating controls like WAFs are not a substitute for fixing the underlying vulnerability.

How to eliminate wrong answers

Option A is wrong because accepting risk with only a WAF rule in place is insufficient—WAFs are not foolproof and can be evaded by sophisticated SQLi payloads, leaving the database exposed. Option C is wrong because transferring risk to a hosting provider via SLA does not absolve the organization of liability for application-layer vulnerabilities; the provider typically only covers infrastructure uptime, not code-level flaws. Option D is wrong because permanently canceling the project is an extreme avoidance response that ignores the business need and the feasibility of fixing the vulnerability before launch.

148
MCQmedium

A company is signing a contract with a SaaS expense platform. Security wants the vendor to notify the company within 24 hours of a confirmed incident, maintain customer data segregation, and allow the company to verify security commitments if required. Which control should be added to the agreement?

A.A non-disclosure agreement only
B.A security addendum with SLA terms
C.A verbal assurance from the account representative
D.The vendor's standard public terms without changes
AnswerB

A security addendum can define incident notice windows, segregation requirements, and enforceable service commitments.

Why this answer

A security addendum or contract clause set is the right place to define incident notification timing, data segregation expectations, and verification rights. These requirements need to be written into a binding agreement so both sides understand their responsibilities and so the customer has leverage if the vendor does not comply. This is stronger than informal assurances or generic privacy language.

How to eliminate wrong answers

Option A is wrong because an NDA is about secrecy, not measurable security obligations. Option C is wrong because a verbal promise is not enforceable and is weak evidence for oversight or audits. Option D is wrong because default public terms often favor the vendor and may not cover incident timing or security commitments in enough detail. The organization needs a contract mechanism that clearly states the control expectations, not just a confidentiality promise.

149
MCQmedium

A development manager wants to copy a production customer database into a test environment so testers can reproduce a bug. The database contains names, addresses, and payment tokens. What is the best security practice before the copy is made?

A.Copy the production database unchanged and limit access to the QA team.
B.Mask, tokenize, or replace sensitive fields with approved test data before moving it.
C.Compress the database export to reduce storage and transfer time.
D.Encrypt the database backup and give developers the decryption key.
AnswerB

Masking or tokenizing sensitive fields is the best practice because it preserves the data structure needed for testing while reducing privacy risk. The test environment should not contain raw customer information unless there is a strong approved need. Using approved test data limits exposure if the environment is compromised or shared more broadly than intended.

Why this answer

Option B is correct because copying production data containing sensitive information (names, addresses, payment tokens) into a test environment without sanitization violates data minimization and privacy principles (e.g., GDPR, PCI DSS). The best practice is to apply data masking, tokenization, or substitution with realistic but non-sensitive test data before the copy, ensuring that the test environment does not expose real customer data. This prevents accidental data leakage and reduces compliance risk while still allowing testers to reproduce the bug with functionally equivalent data.

Exam trap

The trap here is that candidates may think limiting access (Option A) is sufficient, but the exam emphasizes that data protection must be applied to the data itself, not just to access controls, especially when moving data to a less secure environment.

How to eliminate wrong answers

Option A is wrong because copying the production database unchanged and limiting access to the QA team does not remove the sensitive data from the test environment; any access control misconfiguration or insider threat could expose real customer data, and it violates the principles of least privilege and data minimization. Option C is wrong because compressing the database export only reduces storage and transfer time and does nothing to protect sensitive fields; it is a performance optimization, not a security control. Option D is wrong because encrypting the backup and then handing developers the decryption key leaves the raw customer data fully readable in the test environment; encryption protects the export in transit and at rest, not from the people who hold the key.
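As an added illustration of Option B (example code written for this page, not from any product or the question's source): a deterministic masking pass over a constructed customer export, plus the pre-copy check that no production value survives. The field names, row layout and the HMAC secret are assumptions; the secret must stay with the production side and never be copied into the test environment.

```python
import hashlib
import hmac

# Constructed sample export (not real customer data). Row 103 deliberately
# repeats row 101's values so the masking must keep duplicates aligned.
PRODUCTION_ROWS = [
    {"customer_id": 101, "name": "Alice Example",
     "address": "12 Harbour St, Springfield", "payment_token": "tok_4f9c21ab77e0d3c1"},
    {"customer_id": 102, "name": "Bob Sample",
     "address": "98 Elm Ave, Shelbyville", "payment_token": "tok_0a1b2c3d4e5f6789"},
    {"customer_id": 103, "name": "Alice Example",
     "address": "12 Harbour St, Springfield", "payment_token": "tok_4f9c21ab77e0d3c1"},
]

SENSITIVE_FIELDS = ("name", "address", "payment_token")  # assumed schema


def _surrogate(secret: bytes, field: str, value: str, length: int) -> str:
    """Deterministic pseudonym: the same (field, value) always yields the same
    output, so joins and duplicate customers still line up in the test copy,
    but the original value cannot be recovered without the secret."""
    digest = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_row(row: dict, secret: bytes) -> dict:
    """Return a copy of one row with every sensitive field replaced."""
    masked = dict(row)  # non-sensitive fields (customer_id) pass through unchanged
    masked["name"] = "Customer " + _surrogate(secret, "name", row["name"], 8)
    masked["address"] = "Masked Address " + _surrogate(secret, "address", row["address"], 8)
    # Keep the token shape (tok_ + 16 hex) so the application's format checks still pass.
    masked["payment_token"] = "tok_" + _surrogate(secret, "payment_token", row["payment_token"], 16)
    return masked


def mask_export(rows: list, secret: bytes) -> list:
    return [mask_row(r, secret) for r in rows]


def leaked_production_values(original_rows: list, masked_rows: list) -> set:
    """Pre-copy gate: any production value that still appears in a sensitive
    field of the masked copy is returned; an empty set means the copy may ship."""
    prod_values = {r[f] for r in original_rows for f in SENSITIVE_FIELDS}
    masked_values = {r[f] for r in masked_rows for f in SENSITIVE_FIELDS}
    return prod_values & masked_values


if __name__ == "__main__":
    safe_copy = mask_export(PRODUCTION_ROWS, b"production-side-secret")
    print("leaks:", leaked_production_values(PRODUCTION_ROWS, safe_copy))
```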

150
MCQmedium

A payroll SaaS provider has passed initial review, but before contract signing it announces that customer data will be processed by a new subcontractor in another country. The business wants to keep the onboarding timeline short, but security still needs assurance that the change does not increase exposure. What is the BEST next step?

A.Approve the vendor because the primary provider already passed the initial review.
B.Update the third-party risk assessment and require evidence of the subcontractor's controls before approval.
C.Wait until the first quarterly audit to review the subcontractor change.
D.Accept the change if the vendor provides a marketing brochure describing its security program.
AnswerB

This is the best next step because the change in subcontracting materially alters the risk profile. Security should reassess the provider, review the downstream party's controls, and confirm contractual obligations such as incident notification, data handling, and location requirements. This balances speed with due diligence and ensures the organization has current evidence before customer data is exposed to a new party.

Why this answer

The correct answer is B because the introduction of a new subcontractor in a different country represents a material change to the data processing environment, which invalidates the initial risk assessment. Security must update the third-party risk assessment to evaluate the subcontractor's controls, such as data protection, encryption standards, and compliance with local regulations, before approval. This ensures that the change does not increase exposure, even if the primary provider passed initial review.

Exam trap

The trap here is that candidates assume passing initial review means all future changes are automatically acceptable, overlooking the need for reassessment when the data processing environment changes, especially with a new subcontractor in a different country.

How to eliminate wrong answers

Option A is wrong because approving the vendor solely based on the primary provider's initial review ignores the material change introduced by the subcontractor, which could have weaker security controls or different legal obligations. Option C is wrong because waiting until the first quarterly audit leaves a gap where the subcontractor could be processing data without any assurance of security, increasing exposure during that period. Option D is wrong because a marketing brochure is not a reliable source of evidence; it lacks verifiable details about the subcontractor's actual security controls, such as encryption protocols, access controls, or audit reports.
