CCNA Security Program Management and Oversight Questions

61 of 211 questions · Page 3/3 · Security Program Management and Oversight

151 · MCQ · medium

An external auditor asks for proof that quarterly privileged access reviews were completed and that any exceptions were tracked to closure during the last year. Which evidence is MOST appropriate to provide?

A. A screenshot of one administrator's account showing current privileges.
B. Signed access review records and remediation tickets from the access management process.
C. The security policy that says access reviews must happen every quarter.
D. An email from the system administrator stating that reviews were completed on time.

Answer: B

This is the best evidence because it directly shows the process was performed and that findings were handled. Signed review records demonstrate that quarterly reviews occurred, and remediation or exception tickets show that identified issues were tracked and resolved. Auditors look for traceable, repeatable evidence rather than isolated screenshots or verbal confirmation, so process records are the strongest support.

Why this answer

Option B is correct because signed access review records provide verifiable proof that quarterly reviews were conducted, and remediation tickets demonstrate that any exceptions (e.g., excessive privileges) were tracked and resolved. This aligns with the principle of audit evidence: it must be objective, verifiable, and show a complete chain of actions from review to closure. A screenshot or policy alone lacks the audit trail of actual completion and exception handling.

Exam trap

The trap here is that candidates confuse policy documentation (Option C) or informal communication (Option D) with actual audit evidence, failing to recognize that only signed records and remediation tickets provide the verifiable, objective proof required by an external auditor.

How to eliminate wrong answers

Option A is wrong because a screenshot of one administrator's current privileges only shows a point-in-time snapshot, not evidence that quarterly reviews were completed or that exceptions were tracked to closure over the last year. Option C is wrong because a security policy stating that reviews must happen every quarter is a directive, not proof that the reviews actually occurred or that exceptions were resolved. Option D is wrong because an email from the system administrator is hearsay evidence; it is not an objective, auditable record and does not provide the signed review records or remediation tickets required for compliance.

152 · MCQ · medium

A security manager at a hospital is reviewing the annual vendor risk assessment for a cloud-based electronic health record (EHR) provider. The provider's SOC 2 Type II report, issued six months ago, identifies a significant deficiency in logical access controls: the provider failed to revoke access for former employees in a timely manner. The provider's management has asserted that this deficiency has been fully remediated, but the next SOC 2 audit is not scheduled for another eight months. The hospital's data protection policy requires that any vendor handling protected health information (PHI) must have a current SOC 2 Type II report with no unresolved significant deficiencies. Which of the following is the most appropriate next step for the security manager?

A. Accept the vendor's assertion that the deficiency has been remediated and continue the relationship as is.
B. Require the vendor to provide a bridge letter from their external auditor confirming that the remediation has been implemented and is operating effectively.
C. Immediately terminate the contract with the EHR provider and begin the process of selecting a new vendor.
D. Increase the frequency of manual access reviews performed by the hospital's internal IT staff on the vendor's systems.

Answer: B

A bridge letter provides independent assurance that the deficiency has been corrected, bridging the gap until the next full audit. This satisfies policy requirements and is a standard practice in vendor risk management.

Why this answer

The hospital's policy requires a current SOC 2 Type II report with no unresolved significant deficiencies. Since the deficiency was reported but is claimed to be fixed, a bridge letter from the external auditor provides independent assurance that the remediation is effective and operating as intended, bridging the gap until the next formal audit. This is the most appropriate step because it maintains compliance without prematurely terminating a critical vendor relationship.

Exam trap

The trap here is that candidates may think a vendor's self-attestation (Option A) is sufficient, but the SY0-701 exam emphasizes that independent third-party verification (like a bridge letter) is required when a significant deficiency exists and the next audit is months away.

How to eliminate wrong answers

Option A is wrong because accepting the vendor's assertion without independent verification violates the hospital's policy requiring a current SOC 2 Type II report with no unresolved significant deficiencies; self-attestation is not sufficient for compliance. Option C is wrong because immediately terminating the contract is overly drastic and disruptive to patient care, and the deficiency has been asserted as remediated; a less severe step like obtaining a bridge letter should be taken first. Option D is wrong because increasing manual access reviews by hospital staff on the vendor's systems does not address the vendor's internal control deficiency; the hospital cannot directly audit the vendor's logical access controls, and this action does not satisfy the policy requirement for a current SOC 2 report.

153 · MCQ · medium

A cloud-hosted invoicing app has a critical vulnerability, but the vendor says a patch will not be available for six weeks. The team adds a web application firewall rule, restricts access to the app subnet, and increases monitoring until the patch arrives. What is this best described as?

A. Risk avoidance, because the system is being shut down permanently.
B. Risk transfer, because the vendor is responsible for the vulnerability.
C. Compensating control, because temporary safeguards reduce exposure until the patch is available.
D. Residual risk acceptance, because the vulnerability is being ignored until next quarter.

Answer: C

This is the best answer because the organization is using an alternative safeguard to reduce risk while waiting for the vendor fix.

Why this answer

Option C is correct because the team deployed temporary security measures—a web application firewall (WAF) rule, subnet access restrictions, and enhanced monitoring—to reduce the risk exposure while waiting for the vendor's patch. These are compensating controls, which are alternative safeguards that mitigate a vulnerability when the primary control (the patch) cannot be implemented immediately. The scenario explicitly states the patch is six weeks away, making these interim measures a textbook compensating control.

Exam trap

The trap here is that candidates confuse 'compensating control' with 'risk acceptance' because both involve living with a vulnerability, but compensating controls actively reduce risk through temporary safeguards, whereas risk acceptance means no additional controls are applied.

How to eliminate wrong answers

Option A is wrong because risk avoidance would mean permanently shutting down or removing the invoicing app, but the team kept it running with additional safeguards. Option B is wrong because risk transfer involves shifting the financial impact of a risk to a third party (e.g., cyber insurance), not assigning responsibility for a vulnerability to the vendor. Option D is wrong because residual risk acceptance implies knowingly tolerating the remaining risk after controls are applied, but here the team actively implemented controls to reduce exposure, not ignored the vulnerability until next quarter.

154 · MCQ · easy

An employee receives an email that appears to be from the CEO and asks for gift cards before a meeting. What should the employee do first?

A. Report the message through the approved security channel and verify the request by a separate method.
B. Buy the gift cards immediately so the CEO is not delayed.
C. Forward the email to coworkers so they can watch for the same request.
D. Reply to the sender and ask for more details in the same email thread.

Answer: A

This is correct because urgent gift card requests are a common social engineering tactic. The safest first step is to report the message and verify the request using a known, separate contact method. That prevents accidental compliance and helps the security team evaluate whether the email is fraudulent.

Why this answer

Option A is correct because the first action in response to a suspected phishing or social engineering attack is to report it through the approved security channel, which ensures the incident is logged and can be investigated. Separately verifying the request—such as by calling the CEO or using a known, trusted contact method—confirms the legitimacy of the request without relying on the potentially compromised email thread. This aligns with security policy best practices for incident response and prevents unauthorized disclosure of funds or credentials.

Exam trap

The trap here is that candidates may think immediate action (buying gift cards) shows responsiveness, but the exam emphasizes that verification and reporting are the mandatory first steps in any social engineering incident response.

How to eliminate wrong answers

Option B is wrong because immediately purchasing gift cards based on an unsolicited email bypasses all verification and security controls, directly enabling a common social engineering scam. Option C is wrong because forwarding the email to coworkers could spread the phishing attempt, potentially compromising additional accounts or systems, and violates the principle of containment. Option D is wrong because replying in the same email thread keeps the attacker in the communication loop and does not verify the sender's identity; the attacker may simply provide more convincing details to manipulate the employee.

155 · MCQ · medium

After a phishing campaign, 18 employees entered credentials on a fake login page. Management wants a program that both reduces future click rates and provides measurable improvement over time. What should security implement?

A. A one-time company email reminding employees to be careful
B. Simulated phishing with targeted follow-up training and metrics
C. An updated password complexity rule for all users
D. A banner that all external email is untrusted

Answer: B

Simulated phishing lets the team measure behavior, reinforce learning, and track improvement over time.

Why this answer

Option B is correct because simulated phishing campaigns directly address the human factor by providing a controlled, repeatable test that measures click rates over time. When an employee falls for the simulation, targeted follow-up training (e.g., micro-learning modules) reinforces secure behavior, and the metrics (e.g., click-through rate, reporting rate) allow management to track improvement. This aligns with the security program management goal of continuous improvement through measurable security awareness.

Exam trap

The trap here is that candidates often choose a technical control (like password complexity or email banners) thinking it addresses phishing, but the question specifically asks for a program that reduces click rates and provides measurable improvement—which requires a behavioral, training-based approach with metrics, not a static technical fix.

How to eliminate wrong answers

Option A is wrong because a one-time email reminder provides no mechanism to measure improvement over time and does not actively test or reinforce behavior; it is a static, non-iterative control. Option C is wrong because password complexity rules do not address phishing click rates—they mitigate credential strength but do not prevent users from entering credentials on a fake page. Option D is wrong because an external email banner is a passive indicator that relies on user attention and does not provide training or metrics to reduce click rates or measure improvement.

156 · MCQ · medium

Based on the exhibit, what is the best risk treatment recommendation for the security manager?

A. Accept the risk because backups are already enabled.
B. Mitigate the risk with compensating controls until the migration is complete.
C. Avoid the risk by immediately retiring the portal.
D. Transfer the risk by purchasing cyber insurance only.

Answer: B

This is the best fit because the business must keep the service running, and approved budget exists for additional controls. Compensating controls can reduce exposure without shutting the portal down.

Why this answer

Mitigation is the strongest recommendation here because the portal must stay available for 90 more days, yet the risk score is high and existing controls are limited. Since the organization has budget for compensating controls, the manager should reduce likelihood and impact through measures such as tighter access restrictions, additional monitoring, or isolation. That preserves the business function while lowering exposure until migration is complete.

How to eliminate wrong answers

Accepting the risk leaves a high-likelihood, high-impact exposure in place without additional protection. Avoiding the risk would effectively shut down a required business service before the replacement is ready. Transferring the risk through insurance may help with financial loss, but it does not actually reduce the portal’s attack surface or the chance of disruption.

157 · MCQ · medium

A records manager finds a folder of payroll reports on a shared drive. The business says the reports are no longer active, but legal retention rules require keeping them for another two years. What is the best action?

A. Delete the reports immediately because the business no longer uses them
B. Move the reports to an approved archive and retain them for the required period
C. Email the reports to each manager so they can keep their own copy
D. Rename the folder so users do not notice it on the shared drive

Answer: B

An approved archive preserves the records for the retention period while keeping them controlled and available for audit or legal needs.

Why this answer

Option B is correct because the reports are subject to a legal retention policy requiring two more years of storage. Moving them to an approved archive ensures they remain accessible for compliance purposes while removing them from the active shared drive, which reduces the risk of accidental modification or deletion. This aligns with data lifecycle management and legal hold procedures.

Exam trap

The trap here is that candidates may assume 'no longer active' means the data can be deleted, ignoring the overriding legal retention requirement, or they may think renaming or distributing files is a valid workaround instead of using a proper archive solution.

How to eliminate wrong answers

Option A is wrong because deleting the reports immediately violates the legal retention requirement, exposing the organization to non-compliance penalties. Option C is wrong because emailing reports to managers creates uncontrolled copies, increases the risk of data leakage, and does not ensure centralized retention or auditability. Option D is wrong because renaming the folder does not address the retention requirement and may lead to data loss or unauthorized access if the folder is still on the shared drive.

158 · MCQ · easy

A company wants every corporate laptop to use the same required screen-lock timeout, disk encryption setting, and local administrator restriction. Which document should define these mandatory settings?

A. A guideline, because it offers flexible suggestions for users
B. A standard, because it specifies required configuration values
C. A procedure, because it explains the business reason for security rules
D. A memo, because it is the fastest way to communicate changes

Answer: B

A standard sets the exact mandatory baseline that all devices must follow consistently.

Why this answer

A standard is the correct document type because it mandates specific, measurable configuration values (e.g., screen-lock timeout of 300 seconds, AES-256 disk encryption, removal of local admin rights) that all corporate laptops must enforce. Standards are binding and establish a baseline for security compliance, unlike guidelines which are advisory. This aligns with the company's requirement for mandatory, uniform settings across all devices.

Exam trap

The trap here is confusing a 'standard' (which sets mandatory, measurable requirements) with a 'guideline' (which is optional and advisory), leading candidates to pick A because they think 'required' implies flexibility, when in fact standards are the only document type that enforces specific configuration values.

How to eliminate wrong answers

Option A is wrong because a guideline offers flexible suggestions or recommendations, not mandatory requirements, so it cannot enforce the required screen-lock timeout, disk encryption, or local administrator restriction. Option C is wrong because a procedure describes step-by-step instructions for performing a task (e.g., how to configure the screen-lock timeout), not the mandatory configuration values themselves; it explains the 'how,' not the 'what must be set.'

159 · MCQ · easy

A company wants to state that customer data must not be emailed externally unless a manager approves the exception. Which document type should contain this rule?

A. Policy, because it establishes mandatory organizational rules
B. Guideline, because it gives staff flexible suggestions about email use
C. Procedure, because it lists the exact button clicks for sending email
D. Standard, because it provides a general recommendation for communication

Answer: A

A policy is the correct choice when the company wants to set a mandatory rule that applies organization-wide and governs behavior.

Why this answer

A policy is the correct document type because it establishes mandatory organizational rules that must be followed. The requirement that customer data must not be emailed externally without manager approval is a binding directive, not a suggestion or a step-by-step guide. Policies define high-level security requirements that all employees must comply with, making them the appropriate vehicle for this rule.

Exam trap

The trap here is that candidates often confuse 'policy' with 'standard' or 'guideline', mistakenly thinking a rule about data transmission is a technical standard or a flexible suggestion, when in fact it is a mandatory organizational directive that must be enforced.

How to eliminate wrong answers

Option B is wrong because a guideline provides flexible suggestions or best practices, not mandatory rules; this requirement is a strict prohibition, not a recommendation. Option C is wrong because a procedure lists detailed step-by-step instructions (e.g., exact button clicks in an email client), not a high-level rule about data handling. Option D is wrong because a standard specifies technical specifications or configurations (e.g., encryption protocols like TLS 1.2), not a general rule about data transmission approval.

160 · MCQ · medium

A security manager is creating a company-wide requirement that all Windows laptops must have full-disk encryption, screen lock after 10 minutes, and approved antivirus enabled. Administrators can choose the exact implementation details, but the minimum settings must be mandatory across the fleet. Which governance artifact should the manager update?

A. Policy
B. Standard
C. Procedure
D. Guideline

Answer: B

A standard defines mandatory, specific requirements such as minimum security settings that must be followed consistently across systems.

Why this answer

A policy is a high-level management directive that mandates specific security outcomes (e.g., 'all laptops must have full-disk encryption, screen lock after 10 minutes, and approved antivirus enabled') without prescribing the exact technical implementation. The security manager is setting mandatory minimum requirements, which is the defining characteristic of a policy. Standards, by contrast, provide the specific technical configurations or baselines (e.g., 'use BitLocker with AES-256'), which the administrators will choose later.

Exam trap

CompTIA often tests the distinction between policy and standard by presenting a scenario where the manager sets mandatory outcomes but leaves implementation choices to administrators, leading candidates to incorrectly select 'Standard' because they associate 'mandatory settings' with technical baselines.

How to eliminate wrong answers

Option A is wrong because a policy is exactly the artifact the manager should update—it sets mandatory requirements without dictating implementation details, which matches the scenario. Option C is wrong because a procedure is a step-by-step guide (e.g., 'click Start > Settings > Update & Security > Device encryption') that describes how to implement a standard or policy, not the artifact that defines the mandatory minimum settings themselves.

161 · MCQ · easy

A vendor-supported application cannot be patched for 30 days, but the business must keep it online. What is the best short-term risk treatment?

A. Accept the risk without any additional controls
B. Apply a compensating control, such as restricting access and monitoring traffic
C. Delete the application so the vulnerability no longer exists
D. Transfer the risk by telling users to work faster

Answer: B

A compensating control reduces the risk while the permanent fix is unavailable and the system must remain online.

Why this answer

Option B is correct because when a known vulnerability cannot be patched immediately, applying a compensating control—such as restricting network access via firewall rules (e.g., allowing only specific source IPs) and enabling deep packet inspection (DPI) or an intrusion prevention system (IPS) to monitor for exploit attempts—reduces the risk to an acceptable level without taking the application offline. This approach aligns with the principle of defense in depth, buying time until the vendor patch is available.

Exam trap

The trap here is that candidates often confuse 'risk acceptance' (Option A) as a valid short-term treatment, but the question explicitly requires the best treatment when the business must keep the application online, making compensating controls the correct choice over passive acceptance.

How to eliminate wrong answers

Option A is wrong because accepting the risk without any additional controls ignores the active threat and leaves the organization exposed to exploitation of the unpatched vulnerability, which is not a prudent short-term treatment. Option C is wrong because deleting the application is an extreme measure that eliminates the vulnerability but also removes the business functionality entirely, failing the requirement to keep the application online. Option D is wrong because transferring risk by telling users to work faster is not a valid risk treatment; risk transfer involves insurance or outsourcing, not a behavioral directive, and does nothing to mitigate the technical vulnerability.

162 · MCQ · easy

After a phishing simulation, many users still nearly entered credentials on the fake page. Security wants the fastest improvement without scheduling long training sessions. What is the best response?

A. Require a full-day classroom course for every employee immediately.
B. Ignore the results because no actual breach occurred.
C. Send a short targeted awareness message with examples, warning signs, and reporting steps.
D. Reset every employee password as the main way to prevent future clicks.

Answer: C

This is the best option because it provides immediate reinforcement with minimal disruption. Targeted communication can quickly remind users what phishing looks like, what clues to watch for, and how to report suspicious messages. It is practical, timely, and easier to absorb than a long training event when the goal is rapid behavior improvement.

Why this answer

Option C is correct because a short targeted awareness message directly addresses the observed risky behavior with minimal time investment, providing immediate reinforcement of warning signs and reporting procedures. This approach leverages just-in-time training, which is proven to improve retention and behavior change more effectively than lengthy sessions, aligning with the goal of fastest improvement without disrupting operations.

Exam trap

CompTIA often tests the misconception that immediate technical controls (like password resets) are the fastest fix, when in reality, behavioral reinforcement through targeted communication yields quicker and more sustainable improvement in user vigilance.

How to eliminate wrong answers

Option A is wrong because requiring a full-day classroom course is time-intensive and contradicts the requirement for fastest improvement; it also risks overwhelming employees with information that may not be retained. Option B is wrong because ignoring the results ignores a clear security gap—users nearly entered credentials, indicating a need for awareness improvement to prevent future real attacks. Option D is wrong because resetting every employee password does not address the root cause (user behavior) and is an administrative burden that does not prevent future clicks on phishing pages.

163 · MCQ · medium

A security manager at a healthcare organization is reviewing the results of a third-party vendor risk assessment for a cloud-based email service that will store protected health information (PHI). The assessment reveals that the vendor encrypts data at rest using AES-256 but does not support customer-managed encryption keys. The vendor's data center is located in a country that is not subject to HIPAA jurisdiction. The vendor's previous penetration test report is over 18 months old. Which of the following is the most appropriate risk management action for the security manager to take?

A. Accept the risk because the vendor uses strong encryption.
B. Request the vendor to obtain a current SOC 2 Type II report and review the findings before making a decision.
C. Terminate the contract immediately and select a different vendor.
D. Require the vendor to implement customer-managed keys and provide a new penetration test report within 30 days.

Answer: B

A SOC 2 Type II report provides an independent assessment of a service organization's controls over a period of time, including security, availability, and confidentiality. This is directly relevant for a cloud email service handling PHI. Reviewing this report gives the manager sufficient evidence to decide whether the vendor's current controls meet organizational and regulatory requirements.

Why this answer

Option B is correct because a SOC 2 Type II report provides an independent assessment of a vendor's controls over security, availability, processing integrity, confidentiality, and privacy over a period of time. Given the vendor's lack of customer-managed keys and outdated penetration test, the security manager needs a current, comprehensive audit report to evaluate whether compensating controls adequately mitigate the risks of storing PHI outside HIPAA jurisdiction. This action allows an informed risk acceptance or mitigation decision without prematurely terminating a potentially compliant service.

Exam trap

The trap here is that candidates may assume strong encryption (AES-256) alone is sufficient for HIPAA compliance, ignoring the broader context of jurisdictional risk, key management, and the need for current third-party audit evidence.

How to eliminate wrong answers

Option A is wrong because accepting risk solely based on AES-256 encryption ignores other critical factors: the vendor's data center is outside HIPAA jurisdiction, the penetration test is stale, and the lack of customer-managed keys reduces the organization's control over PHI. Option C is wrong because immediate contract termination is an extreme and premature action without first evaluating the vendor's current security posture through a SOC 2 Type II report; the vendor may still meet HIPAA requirements through other controls. Option D is wrong because requiring the vendor to implement customer-managed keys and provide a new penetration test within 30 days is likely infeasible and outside the security manager's authority to unilaterally impose contractual changes; a more measured approach is to first request an existing audit report.

164 · Multi-Select · medium

A security analyst is reviewing the organization’s security awareness program. Which three of the following are key metrics that demonstrate the effectiveness of the program? (Choose three.)

Select 3 answers:

- Percentage of employees who complete annual security training
- Number of phishing simulation clicks before and after training
- Total count of security incidents reported by employees
- Average time to patch critical vulnerabilities in production systems
- Number of firewall rule changes approved per quarter
- Percentage of servers with full disk encryption enabled

Why this answer

The percentage of employees who complete annual security training is a key metric because it measures participation in the foundational awareness activity. The number of phishing simulation clicks before and after training directly quantifies behavioral change, showing whether training reduces susceptibility to social engineering. The total count of security incidents reported by employees indicates whether the program has successfully fostered a culture of reporting, which is critical for early threat detection.

Exam trap

The trap here is that candidates confuse operational security metrics (like patch time or encryption coverage) with human-centric awareness metrics, leading them to select technical controls that do not measure employee behavior or program effectiveness.

165 · MCQ · medium

A security manager wants every corporate laptop to use the same mandatory settings, including disk encryption, a 10-minute screen lock, and removal of local administrator rights. Which document should define these specific requirements?

A. Policy
B. Standard
C. Guideline
D. Procedure

Answer: B

A standard is the correct document for exact, mandatory configuration requirements. It provides specific, consistent rules such as encryption requirements, lock timers, and privilege restrictions so administrators can implement the same baseline across all laptops. Standards translate policy intent into enforceable technical expectations and make compliance measurable.

Why this answer

A standard defines mandatory, specific technical requirements that must be uniformly applied across all systems, such as enforcing AES-256 disk encryption, a 600-second screen lock timeout, and removal of local administrator rights. Unlike a policy, which is high-level and goal-oriented, a standard provides the precise configuration settings that implement the policy's intent. This aligns with the CompTIA SY0-701 domain of Security Program Management and Oversight, where standards bridge the gap between policy and technical implementation.

Exam trap

The trap here is confusing the broad, principle-based nature of a policy with the specific, mandatory technical requirements of a standard, leading candidates to choose 'Policy' when the question explicitly asks for a document that defines 'specific requirements'.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level statement of management intent and security goals (e.g., 'all laptops must be secured'), not a document that specifies mandatory technical settings like disk encryption algorithms or exact timeout values. Option C is wrong because a guideline is a set of recommended practices or suggestions that are not mandatory, whereas the question explicitly requires 'mandatory settings' that must be enforced on every corporate laptop.

166
MCQ · hard

Based on the exhibit, which document type should the service desk use for the locked-account workflow?

A. Policy, because it states broad rules for account access.
B. Standard, because it defines the minimum password requirements for all users.
C. Procedure, because it lists the exact steps analysts must follow in sequence.
D. Guideline, because it gives flexible suggestions for handling locked accounts.
Answer: C

A procedure is the correct document when management wants analysts to perform a task exactly the same way every time. The exhibit contains sequential steps for identity verification, password reset, ticket recording, and user confirmation. That is operational guidance, not a broad policy statement or an optional guideline.

Why this answer

A procedure document is the correct choice because it provides a step-by-step sequence of actions that service desk analysts must follow to unlock an account. The locked-account workflow requires precise, ordered steps (e.g., verifying identity, checking lockout status, resetting the account) to ensure consistency and security, which aligns with the definition of a procedure.

Exam trap

The trap here is confusing a procedure with a policy or standard, as candidates often think 'rules for account access' (policy) or 'password requirements' (standard) apply to the workflow, but only a procedure provides the exact sequential steps needed for operational tasks.

How to eliminate wrong answers

Option A is wrong because a policy states high-level rules and objectives (e.g., 'accounts must be locked after 3 failed attempts') but does not provide the specific steps for unlocking. Option B is wrong because a standard defines mandatory requirements like minimum password length or complexity, not the workflow for handling locked accounts. Option D is wrong because a guideline offers flexible suggestions or best practices, whereas the locked-account workflow requires strict adherence to a defined sequence to avoid security gaps.

167
MCQ · hard

Based on the exhibit, what is the best next request before approving the vendor?

A. Ask for a fresh marketing brochure that describes the vendor's security controls in detail.
B. Accept the internal penetration test summary because it proves the controls were tested recently.
C. Request only the shared responsibility matrix again, since it covers all security responsibilities.
D. Request a current SOC 2 Type II report or equivalent independent operating-effectiveness attestation.
Answer: D

The business specifically wants independent evidence that controls operated effectively during a recent period. A SOC 2 Type II report is designed for that purpose, whereas a Type I report only addresses control design at a point in time. Because the current packet lacks both timely independent assurance and contractual safeguards, the SOC 2 Type II request is the most defensible next step.

Why this answer

Option D is correct because a SOC 2 Type II report provides an independent, third-party attestation of the effectiveness of a vendor's security controls over a period of time (typically 6–12 months). This is the most reliable evidence for verifying that the vendor's operational security controls are working as intended, which is critical before approving a vendor. The internal penetration test summary (Option B) lacks independence and may not cover all relevant controls, while a marketing brochure (Option A) is not a verifiable audit artifact.

The shared responsibility matrix (Option C) defines roles but does not attest to control effectiveness.

Exam trap

The trap here is that candidates may think an internal penetration test summary (Option B) is sufficient because it 'proves the controls were tested recently,' but the exam emphasizes that independence and sustained operational effectiveness (as shown in a SOC 2 Type II) are required for vendor approval, not just a point-in-time internal test.

How to eliminate wrong answers

Option A is wrong because a marketing brochure is a self-promotional document with no independent verification or audit rigor; it cannot substitute for a formal attestation report like SOC 2. Option B is wrong because an internal penetration test summary is not independent—it was performed by the vendor's own team or a hired firm without the objectivity of a third-party auditor, and it only tests a snapshot in time rather than sustained operational effectiveness. Option C is wrong because a shared responsibility matrix only clarifies which party is responsible for which security controls; it does not provide any evidence that those controls are actually implemented or operating effectively.

168
MCQ · medium

A business-critical internal reporting portal is exposed to all employees. A scan finds a high-severity vulnerability, but the vendor says a fix will not be available for 30 days. The application is only used by finance once a month, and the business can tolerate a brief outage if needed. Which risk treatment is the BEST immediate action?

A. Accept the risk because the application is used infrequently and the impact is limited.
B. Apply compensating controls, such as restricting access and adding a temporary control, until the vendor patch is available.
C. Transfer the risk by purchasing cyber insurance for the application.
D. Avoid the risk by permanently decommissioning the reporting portal.
Answer: B

This is the best choice because it reduces the likelihood of exploitation while the patch is unavailable. Restricting access to only the users who truly need the system, adding temporary network or application-layer controls, and documenting the residual risk are practical mitigation steps. The scenario shows the business can tolerate a short interruption, so a short-term reduction in exposure is more appropriate than doing nothing or permanently shutting the system down.

Why this answer

Option B is correct because applying compensating controls—such as restricting access to only the finance team and implementing a temporary web application firewall (WAF) rule—immediately reduces the attack surface while the vendor develops a patch. This aligns with the risk treatment of mitigation, as it lowers the likelihood of exploitation without requiring a full fix. The business can tolerate a brief outage, so a temporary access control list (ACL) or IP whitelist is a practical, immediate measure.

Exam trap

The trap here is that candidates may choose 'Accept the risk' (Option A) because the app is used infrequently, but they overlook that a high-severity vulnerability in an internal portal still poses a significant risk of lateral movement or data exposure, making acceptance inappropriate without compensating controls.

How to eliminate wrong answers

Option A is wrong because accepting the risk ignores the high-severity nature of the vulnerability; even infrequent use can lead to a data breach if exploited, and the impact may be greater than assumed. Option C is wrong because transferring risk via cyber insurance does not prevent the vulnerability from being exploited; it only provides financial reimbursement after an incident, which is not an immediate security control. Option D is wrong because permanently decommissioning the portal is an extreme measure that would disrupt the monthly finance reporting, and the business only tolerates a brief outage, not permanent loss of the application.

169
MCQ · medium

Based on the exhibit, what is the best response to the facilities manager's request?

A. Provide the export because the requester is a manager with a legitimate business relationship to employees.
B. Deny the request and direct the manager to use an approved work-contact list or seek privacy review.
C. Send the data to the manager if the manager promises not to share it externally.
D. Store the export in a shared drive so multiple teams can use it for convenience.
Answer: B

The privacy notice clearly limits home addresses and personal phone numbers to defined HR and payroll purposes. The facilities request exceeds that purpose, so the correct action is to deny the export unless a formal privacy review approves another use. Where possible, use a work-contact list that contains less sensitive information.

Why this answer

The facilities manager's request to export employee contact information for a separate system likely violates data privacy policies and potentially regulations like GDPR or CCPA. Option B is correct because the proper procedure is to deny the ad-hoc export and direct the manager to use an approved work-contact list or seek a privacy review, ensuring data handling complies with organizational data governance and privacy requirements.

Exam trap

The trap here is that candidates may assume a manager's role and business relationship automatically grant data access, overlooking the need for formal privacy review and approved data handling procedures.

How to eliminate wrong answers

Option A is wrong because being a manager with a legitimate business relationship does not automatically authorize bulk export of employee personal data; privacy policies and data classification require a formal review. Option C is wrong because a verbal promise not to share data externally is not a security control; data handling must be enforced through technical and policy mechanisms, not trust. Option D is wrong because storing the export in a shared drive increases exposure risk and violates the principle of least privilege; convenience does not override data protection requirements.

170
MCQ · medium

A security manager is leading a risk assessment for the organization. The team identifies a legacy application that contains a known critical vulnerability. The vendor has discontinued support and no patch is available. The manager calculates that the annualized loss expectancy (ALE) for exploiting this vulnerability is $50,000. Implementing a third-party web application firewall (WAF) as a compensating control would cost $80,000 per year. The organization's leadership decides that accepting the risk is the most cost-effective approach. Which of the following documents should the security manager update to formally record this risk acceptance decision and obtain the necessary sign-off?

A. Business impact analysis (BIA)
B. Risk register
C. Security baseline configuration document
D. Incident response plan
Answer: B

The risk register is used to track identified risks, their characteristics, and the chosen treatment. Updating it with the acceptance decision, rationale, and approval is essential for risk governance.

Why this answer

The risk register is the correct document to update because it formally tracks identified risks, their assessed impact, and the chosen risk response (acceptance). Recording the decision to accept the $50,000 ALE risk and obtaining sign-off ensures auditability and accountability, which is a key requirement in risk management frameworks like NIST SP 800-37.

Exam trap

The trap here is that candidates confuse the risk register with the BIA, mistakenly thinking the BIA is used to document risk acceptance decisions, when in fact the BIA only quantifies impact and does not track risk treatment or sign-off.

How to eliminate wrong answers

Option A is wrong because a business impact analysis (BIA) identifies critical business functions and quantifies the impact of disruptions, but it does not track risk treatment decisions or obtain sign-off for risk acceptance. Option C is wrong because a security baseline configuration document defines secure configuration standards for systems (e.g., CIS benchmarks), not risk acceptance decisions or sign-off processes. Option D is wrong because an incident response plan describes how the organization detects, contains, and recovers from security incidents; it does not record risk treatment decisions or their approval.

171
Multi-Select · easy

An employee receives a text message claiming that their email password has expired and asking them to tap a link and confirm a one-time code. Which two responses are appropriate? Select two.

A. Do not tap the link or share the one-time code
B. Report the message through the company's approved security channel
C. Reply to the sender and ask them to prove they are legitimate
D. Enter the code to see whether the message is real
E. Forward the text to coworkers so they can compare it
Answers: A, B

The safest response is to avoid interacting with the message, because the attacker is trying to steal credentials or MFA access.

Why this answer

Option A is correct because tapping the link or sharing the one-time code would allow an attacker to complete a credential harvesting or MFA bypass attack. The message is a classic phishing attempt designed to trick the recipient into providing a one-time code that the attacker can use to authenticate as the victim. The correct response is to never interact with the link or code. Option B is correct because reporting the message through the approved security channel lets the security team warn other users and block the sender before anyone else is tricked.

Exam trap

The trap here is that candidates may think entering the code or replying to the sender is a safe way to verify the message, not realizing that the one-time code is a real authentication token that the attacker is actively trying to intercept.

172
MCQ · easy

After a phishing-awareness campaign, which metric best shows that employees are becoming more resistant to phishing attempts?

A. The number of spam emails received by the mail gateway
B. The average length of employee passwords
C. The count of antivirus alerts on endpoints
D. The percentage of users who click phishing test links
Answer: D

A lower click rate on phishing simulations is a direct and practical indicator that training is improving user resistance and awareness.

Why this answer

Option D is correct because the percentage of users who click phishing test links directly measures behavioral change in response to simulated phishing attacks. A decreasing click rate indicates that employees are better at recognizing and avoiding phishing attempts, which is the primary goal of a phishing-awareness campaign.

Exam trap

The trap here is that candidates may confuse security awareness metrics with technical controls (e.g., spam filtering or antivirus), but the question specifically asks for a metric showing employee behavioral change, not infrastructure effectiveness.

How to eliminate wrong answers

Option A is wrong because the number of spam emails received by the mail gateway reflects external threat volume, not employee behavior or resistance to phishing. Option B is wrong because password length is a measure of authentication strength, not phishing resistance; phishing bypasses passwords by stealing them directly. Option C is wrong because antivirus alerts on endpoints indicate malware detection, which may result from many causes (e.g., drive-by downloads) and does not specifically measure employee susceptibility to phishing links.

173
MCQ · easy

A company has two security issues to address this week. One is a public-facing login portal that uses default administrator credentials. The other is an internal lab system used only by one tester. Which issue should be prioritized first?

A. The internal lab system, because it is easier to fix quickly
B. The public-facing login portal, because it has a higher likelihood and impact
C. Both issues have the same priority because they are both vulnerabilities
D. Neither issue should be addressed until the next annual review
Answer: B

The public-facing portal is exposed to untrusted users and already uses default credentials, which greatly raises both likelihood and impact.

Why this answer

The public-facing login portal with default administrator credentials is a critical risk because it is exposed to the internet, making it easily discoverable and exploitable by attackers. Default credentials are widely known and often targeted in automated attacks, leading to a high likelihood of compromise and potential impact such as data breach or system takeover. This aligns with risk management principles where priority is given to vulnerabilities with the highest risk score (likelihood × impact).

Exam trap

The trap here is that candidates mistakenly prioritize based on ease of fix or treat all vulnerabilities as equal, rather than applying a formal risk assessment that weighs likelihood and impact to determine priority.

How to eliminate wrong answers

Option A is wrong because prioritizing based on ease of fix ignores risk assessment; the internal lab system is isolated and used by one tester, so its likelihood and impact are low, making it a lower priority. Option C is wrong because not all vulnerabilities have equal priority; risk is calculated by likelihood and impact, and the public-facing portal clearly has higher values in both dimensions. Option D is wrong because delaying remediation until the next annual review violates the principle of timely risk mitigation, especially for an internet-exposed system with default credentials that can be exploited immediately.

174
MCQ · easy

A coworker asks for a spreadsheet containing employee home addresses and personal phone numbers so they can build a team contact list. What is the best response?

A. Share the spreadsheet, because the request is from another employee inside the company.
B. Confirm the requester is authorized and only provide the minimum personal data allowed by policy.
C. Email the full spreadsheet, because internal data is not protected by privacy rules.
D. Delete the spreadsheet immediately so the information cannot be misused.
Answer: B

The best response is to verify authorization and limit the data shared to the minimum needed. Privacy and data-handling rules often restrict personal information such as home addresses and personal phone numbers. Even internal requests should follow approved business purpose, least privilege, and data minimization principles before any disclosure occurs.

Why this answer

Option B is correct because it aligns with the principle of least privilege and data minimization, which are core to security program management. Even internal requests must be verified for authorization, and only the minimum personal data required for the stated purpose should be shared, as per organizational policy and privacy regulations like GDPR or CCPA.

Exam trap

The trap here is that candidates may assume internal requests are automatically safe, ignoring the need for authorization and data minimization, which is a common misconception tested in SY0-701.

How to eliminate wrong answers

Option A is wrong because it assumes that internal employment automatically grants authorization to access sensitive PII, which violates data access control policies. Option C is wrong because internal data, especially PII like home addresses and phone numbers, is protected by privacy rules and regulations; emailing the full spreadsheet without controls exposes the organization to data breach risks. Option D is wrong because deleting the spreadsheet is an overreaction that does not address the legitimate business need and may violate data retention policies; the correct action is to follow policy for authorized access.

175
MCQ · medium

A project lead needs to send a spreadsheet labeled confidential to an external auditor. The file contains employee names, salaries, and performance notes. Which handling step best protects the data while still supporting the business need?

A. Email the attachment unencrypted if the auditor signed an NDA
B. Use an approved encrypted file-sharing portal with named recipients and access logging
C. Upload the spreadsheet to a public link so the auditor can access it easily
D. Remove the confidential label before sending it to avoid confusion
Answer: B

Approved encrypted sharing limits access to intended recipients and creates traceability for audit and oversight.

Why this answer

Option B is correct because using an approved encrypted file-sharing portal with named recipients and access logging ensures data-in-transit and data-at-rest encryption, restricts access to only the intended auditor, and provides an audit trail for compliance. This approach meets the business need of securely sharing confidential employee data while supporting regulatory requirements like GDPR or HIPAA, unlike unencrypted email which exposes data to interception.

Exam trap

The trap here is that candidates may think an NDA alone provides sufficient protection, overlooking that encryption and access controls are required to prevent data breaches during transmission and storage.

How to eliminate wrong answers

Option A is wrong because emailing an unencrypted attachment, even with an NDA in place, exposes the data to interception during transit (e.g., via TLS stripping or man-in-the-middle attacks) and does not provide encryption or access controls. Option C is wrong because uploading the spreadsheet to a public link makes the data accessible to anyone with the link, violating confidentiality and lacking authentication or logging. Option D is wrong because removing the confidential label does not change the sensitivity of the data; it merely obscures the classification, leading to potential mishandling and non-compliance with data protection policies.

176
MCQ · easy

A security team wants to reduce repeated user mistakes after a phishing campaign without overwhelming employees with long training sessions. Which approach is best?

A. Send a short, targeted reminder to the affected users with a clear reporting path
B. Require every employee to attend a full-day security class immediately
C. Wait until the next annual training cycle and do nothing now
D. Disable email access for all employees until they pass a new test
Answer: A

A short targeted reminder is practical, timely, and focused on the specific behavior that needs improvement.

Why this answer

Option A is correct because it applies targeted, immediate reinforcement to the specific users who made mistakes, using a short reminder that clarifies the reporting path. This approach leverages just-in-time training, which has been shown to improve retention and behavior change without overwhelming employees. It directly addresses the root cause—repeated user errors—by providing a clear, actionable step (e.g., 'Report suspicious emails using the PhishAlarm button') rather than generic awareness.

Exam trap

The trap here is that candidates may choose option B (full-day class) because they overestimate the value of comprehensive training, failing to recognize that targeted, immediate reinforcement is more effective for correcting specific, repeated mistakes without causing training fatigue.

How to eliminate wrong answers

Option B is wrong because a full-day security class is overly time-consuming and likely to cause training fatigue, reducing overall effectiveness and not targeting the specific users who made mistakes. Option C is wrong because waiting until the next annual training cycle leaves the repeated mistakes unaddressed, allowing the same vulnerabilities to persist and potentially lead to a successful breach. Option D is wrong because disabling email access for all employees is a drastic, disruptive measure that punishes the entire workforce, including those who did not make mistakes, and does not provide any educational value or fix the underlying behavior.

177
MCQ · hard

Based on the exhibit, what is the best handling decision for the requested file?

A. Share the full file by email as Confidential because only the last four digits of the SSN are included.
B. Label it Public because the contractor needs the information to troubleshoot effectively.
C. Mark it Internal and place it on the shared project drive for easy access.
D. Treat it as Restricted, redact unnecessary fields, and provide only the minimum approved dataset through a logged encrypted transfer.
Answer: D

The file contains customer PII, financial information, and case notes, so it should be handled as Restricted rather than merely Confidential. The policy requires minimization, masking where possible, owner approval, time-limited access, and logged sharing. Because the request comes from an external contractor, the organization should provide only the least amount of data needed, with encryption and formal approval.

Why this answer

Option D is correct because the file contains personally identifiable information (PII) in the form of a Social Security Number (SSN), which requires handling under a Restricted classification per most data governance frameworks. The correct procedure is to redact unnecessary fields, such as the full SSN, and transmit only the minimum approved dataset via a logged encrypted transfer (e.g., using SFTP or HTTPS with TLS 1.2+) to ensure confidentiality, integrity, and auditability. This aligns with the principle of least privilege and data minimization, which are core to security program management.

Exam trap

The trap here is that candidates may assume that sharing only the last four digits of an SSN makes the data safe to send via email (Option A), but CompTIA tests that any PII, even partial, requires Restricted handling and encrypted transfer to prevent data breaches and comply with regulations like GDPR or HIPAA.

How to eliminate wrong answers

Option A is wrong because sharing the full file by email, even with only the last four digits of the SSN, violates data minimization and exposes residual PII; email is not an approved secure channel for Restricted data and lacks encryption at rest and in transit guarantees. Option B is wrong because labeling the file Public would allow unrestricted access, which is inappropriate for any data containing SSN fragments; the contractor's need to troubleshoot does not override data classification policies. Option C is wrong because marking the file Internal and placing it on a shared project drive does not provide access controls or encryption sufficient for PII, and it fails to redact unnecessary fields, exposing the full SSN to unauthorized personnel.

178
MCQ · easy

A department finished using paper forms that contain customer information, and the retention period has expired. What is the best next step?

A. Store them indefinitely in a cabinet for future reference
B. Dispose of them using approved secure destruction methods
C. Send them to another team without checking the retention schedule
D. Scan them to personal email so the department can keep a copy
Answer: B

Approved secure destruction ensures the expired records cannot be easily recovered or misused later.

Why this answer

Option B is correct because once the retention period has expired, the organization must securely destroy the paper forms to prevent unauthorized access to customer information. Approved secure destruction methods for paper records include cross-cut shredding, incineration, or pulping, which render the data irrecoverable and comply with data protection regulations like GDPR or HIPAA.

Exam trap

The trap here is that candidates may think indefinite storage (A) is acceptable for future reference, but the expired retention period legally requires destruction, not just storage.

How to eliminate wrong answers

Option A is wrong because storing expired records indefinitely violates data minimization principles and retention policies, increasing the risk of data breaches and non-compliance with regulations. Option C is wrong because sending records to another team without verifying the retention schedule could propagate sensitive data beyond its authorized lifecycle, leading to unauthorized access or legal penalties. Option D is wrong because scanning customer information to personal email bypasses organizational controls, creates an unsecured copy, and violates data handling policies, potentially exposing the data to loss or interception.

179
MCQ · easy

A vendor says a patch for a critical flaw in a public-facing application will not be available for 30 days, but the service must stay online. What is the best short-term risk treatment?

A. Accept the risk without making any changes because the patch is not available yet.
B. Avoid the risk by permanently shutting down the application.
C. Transfer the risk to an insurance policy and wait for the patch.
D. Implement compensating controls, such as tighter filtering and temporary restrictions, until the patch is released.
Answer: D

This is the best option because the business must keep the application online, but the known vulnerability still needs risk reduction. Compensating controls are temporary safeguards that lower exposure when a permanent fix is unavailable. Examples include stricter access filtering, disabling unnecessary features, or adding monitoring until the vendor patch can be applied safely.

Why this answer

Option D is correct because when a critical patch is unavailable, the best short-term risk treatment is to implement compensating controls that reduce the likelihood or impact of exploitation. For a public-facing application, this could include deploying a web application firewall (WAF) with tighter rule sets, rate limiting, IP allowlisting, or temporarily disabling non-essential functionality. These controls provide a defense-in-depth layer until the vendor releases the patch, keeping the service online while reducing risk.

Exam trap

CompTIA often tests the misconception that risk acceptance is a valid short-term treatment when a patch is delayed, but the key is that acceptance is only appropriate after evaluating and documenting the risk, not as a default action without controls.

How to eliminate wrong answers

Option A is wrong because accepting the risk without any changes leaves the application fully exposed to a known critical flaw, which is irresponsible and could lead to a breach. Option B is wrong because permanently shutting down the application avoids the risk but disrupts business operations entirely, which is not a short-term treatment and fails the requirement that the service must stay online. Option C is wrong because transferring the risk to an insurance policy does not reduce the technical exposure; insurance covers financial loss after an incident but does not prevent exploitation of the vulnerability.

180
MCQ · easy

During a tabletop exercise, the team realizes no one has a list of who to notify if the online ordering system goes down. Which continuity planning element is missing?

A. Data retention schedule, because it defines how long records are kept.
B. Communication plan, because it defines who must be contacted and how.
C. Asset inventory, because it lists all hardware and software in use.
D. Network segmentation, because it separates sensitive systems from user networks.
Answer: B

A communication plan identifies the people, groups, and channels used during an outage or incident. If no one knows who to notify, the organization lacks a key continuity component that supports coordinated response and stakeholder awareness.

Why this answer

A communication plan is the missing continuity planning element because it specifically defines the stakeholders who must be notified during an outage (e.g., internal teams, vendors, customers) and the methods of contact (e.g., email, SMS, phone tree). Without this plan, the team cannot execute the notification procedures required by the business continuity plan (BCP) to coordinate response and recovery efforts for the online ordering system.

Exam trap

The trap here is that candidates confuse an asset inventory (which lists what you have) with a communication plan (which lists who to call), leading them to pick Option C because they think knowing the system's hardware is necessary for notification, but the question specifically asks about 'who to notify,' not 'what is affected.'

How to eliminate wrong answers

Option A is wrong because a data retention schedule governs how long records are kept (e.g., 90 days for transaction logs per PCI DSS), not who to notify during an outage. Option C is wrong because an asset inventory lists hardware and software (e.g., server models, OS versions) but does not define notification contacts or escalation paths. Option D is wrong because network segmentation (e.g., VLANs, firewall zones) isolates sensitive systems for security, but it does not address the operational need to contact personnel when a system fails.

181
MCQ (medium)

Based on the exhibit, which document should be updated first to reflect the new ticketing platform while keeping approval requirements unchanged?

A.Policy, because every tool change requires rewriting the corporate mandate.
B.Standard, because the approval workflow and evidence rules are still the same.
C.Procedure, because the step-by-step instructions and screenshots are now outdated.
D.Guideline, because optional content should always be revised before mandatory content.
AnswerC

Procedures contain the operational steps people follow to complete a task. Since the workflow and approval rules remain the same but the tool interface changed, the step-by-step guide should be updated first. That keeps the control intent intact while preventing user confusion and process errors.

Why this answer

The procedure document contains the step-by-step instructions, including screenshots and specific commands for the old ticketing platform. The new platform changes the interface and the individual steps technicians perform, so the procedure must be updated first to keep the instructions accurate. Policies and standards define high-level rules and approval requirements, which are unchanged, so they do not need immediate revision.

Exam trap

The trap here is that candidates confuse 'procedure' with 'standard' or 'policy,' assuming any tool change requires updating the highest-level document, when in fact only the detailed implementation steps (procedure) need revision if the rules and requirements remain unchanged.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level mandate that sets overall direction and requirements; changing a specific tool does not automatically require rewriting the entire policy, especially when approval requirements stay the same. Option B is wrong because a standard defines mandatory rules and baselines (e.g., evidence retention periods), and while the approval workflow and evidence rules are unchanged, the standard does not include the step-by-step instructions that are now outdated. Option D is wrong because a guideline is optional and non-binding; revising optional content before mandatory content is not a priority, and the question specifically asks for the document that should be updated first to reflect the new platform.

182
MCQ (hard)

Based on the exhibit, which action should the security team prioritize next?

A.Send a company-wide reminder to never click links in email, regardless of sender.
B.Focus only on punitive action for users who failed the simulation.
C.Run the same broad awareness module again for all employees at the same time.
D.Deploy role-based phishing training, recurring simulations, and a simple reporting workflow.
AnswerD

The metrics show that departments with the most realistic, job-specific lures are clicking more often and reporting less frequently. Role-based training addresses the exact patterns employees encounter, while recurring simulations let the security team measure improvement over time. A clear reporting workflow also increases the chance that suspicious messages reach security quickly for validation and containment.

Why this answer

Option D is correct because the exhibit's simulation results call for moving from a one-size-fits-all awareness approach to a sustainable, role-based security training program. Deploying role-based phishing training, recurring simulations, and a simple reporting workflow addresses the root cause of user susceptibility by tailoring content to specific job functions, reinforcing learning through repetition, and making it easy for users to report suspicious email, which aligns with NIST SP 800-50 and the continuous improvement cycle of security awareness programs.

Exam trap

The trap here is that candidates often choose a quick, one-time fix (like a company-wide reminder or repeating the same module) instead of recognizing that effective security awareness requires a continuous, role-based, and measurable program with a reporting mechanism, which is a core concept in Security Program Management and Oversight for SY0-701.

How to eliminate wrong answers

Option A is wrong because a company-wide reminder to never click links in email is overly broad, unrealistic for daily work, and does not address the need for role-specific training or a reporting mechanism; it also ignores that some legitimate business email requires clicking links. Option B is wrong because focusing only on punitive action for users who failed the simulation is counterproductive, as it discourages reporting and learning, and does not address the systemic need for improved training and a positive security culture. Option C is wrong because running the same broad awareness module again for all employees at the same time fails to provide role-based customization, does not incorporate recurring simulations to reinforce learning, and lacks a simple reporting workflow, which are essential for effective phishing defense as recommended by industry frameworks like the SANS Security Awareness Maturity Model.

183
MCQ (medium)

A security team is defining the minimum approved configuration for all new Linux web servers. The document must require specific logging settings, approved packages, and disabled services, and administrators must check servers against it during audits. Which governance artifact best fits this need?

A.Guideline, because it suggests recommended settings without requiring enforcement.
B.Baseline, because it defines the minimum approved configuration that systems should meet.
C.Policy, because it is the high-level statement of intent for the organization.
D.Procedure, because it explains the exact steps to install and configure each server.
AnswerB

A baseline is the correct artifact when an organization wants a documented, measurable starting configuration for systems. It captures the approved minimum settings, such as required services, logging, and packages, and supports consistent builds and compliance checks. Because the question describes a configuration that administrators will audit against, a baseline fits better than a guideline or a general policy.

Why this answer

A baseline is the correct governance artifact because it defines the minimum approved configuration that systems must meet, including specific logging settings, approved packages, and disabled services. In the context of Linux web servers, a baseline ensures consistent security posture by providing a measurable standard that administrators can audit against, such as verifying that rsyslog is configured for remote logging, only packages like Apache or Nginx from approved repositories are installed, and services like Telnet or FTP are disabled. This aligns with the requirement for enforcement and auditability, unlike a guideline which is merely advisory.

Exam trap

The trap here is that candidates confuse 'policy' with 'baseline' because both are governance documents, but a policy is a broad directive (e.g., 'secure all systems') while a baseline provides the specific, auditable technical controls (e.g., 'disable Telnet, enable auditd, use only Apache 2.4') that administrators must enforce.

How to eliminate wrong answers

Option A is wrong because a guideline suggests recommended settings without requiring enforcement, but the scenario explicitly requires administrators to check servers against the document during audits, implying mandatory compliance. Option C is wrong because a policy is a high-level statement of intent (e.g., 'all servers must be secure') that lacks the specific technical details (e.g., exact logging settings, package lists, disabled services) needed for a configuration audit; a baseline operationalizes policy into measurable technical requirements. Option D is wrong because a procedure explains how to build and configure a server step by step; it describes the work, not the end-state configuration that auditors compare servers against.
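The audit step in this question, checking a built server against the documented baseline, is what turns a baseline from a document into a control. The Python below is an added example for this page, not code from the exam, the page, or any published benchmark: it parses constructed `dpkg -l`, `systemctl list-unit-files` and rsyslog.conf evidence, compares it with a hypothetical baseline (the approved packages, required and forbidden units, and the remote-logging requirement are assumed values), and returns the findings an auditor would record.

```python
"""Check collected Linux web-server evidence against a configuration baseline."""
import re
from dataclasses import dataclass

# Hypothetical baseline for new Linux web servers. The values are assumptions
# for this example, not taken from the page or from any published benchmark.
BASELINE = {
    "approved_packages": {"nginx", "rsyslog", "auditd", "openssh-server", "ca-certificates"},
    "required_services": {"nginx.service", "rsyslog.service", "auditd.service"},
    "forbidden_services": {"telnet.socket", "vsftpd.service", "rsh.socket"},
    "require_remote_logging": True,
}


@dataclass
class Evidence:
    """Facts collected from one server during the audit."""
    installed_packages: set
    enabled_services: set
    rsyslog_conf: str


def parse_dpkg_list(text):
    """Package names from `dpkg -l` output; only 'ii' rows are actually installed."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ii":
            names.add(parts[1].split(":")[0])  # strip an ':amd64' architecture suffix
    return names


def parse_unit_files(text):
    """Units whose STATE column is 'enabled' in `systemctl list-unit-files` output."""
    return {parts[0] for parts in (line.split() for line in text.splitlines())
            if len(parts) >= 2 and parts[1] == "enabled"}


def rsyslog_forwards_remotely(conf):
    """True if an uncommented rsyslog rule forwards to a remote host (@host, @@host or omfwd)."""
    for line in conf.splitlines():
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        if re.search(r"\s@{1,2}\S+", rule) or 'type="omfwd"' in rule:
            return True
    return False


def check_baseline(ev, baseline=BASELINE):
    """Return audit findings; an empty list means the server meets the baseline."""
    findings = []
    for pkg in sorted(ev.installed_packages - baseline["approved_packages"]):
        findings.append(f"unapproved package installed: {pkg}")
    for unit in sorted(baseline["required_services"] - ev.enabled_services):
        findings.append(f"required service not enabled: {unit}")
    for unit in sorted(ev.enabled_services & baseline["forbidden_services"]):
        findings.append(f"forbidden service enabled: {unit}")
    if baseline["require_remote_logging"] and not rsyslog_forwards_remotely(ev.rsyslog_conf):
        findings.append("rsyslog has no remote forwarding target")
    return findings


# Constructed command output from a non-compliant server (not real captures).
DPKG_OUT = """\
Desired=Unknown/Install/Remove/Purge/Hold
ii  nginx           1.18.0-6ubuntu14   amd64  small, powerful, scalable web/proxy server
ii  rsyslog         8.2112.0-2ubuntu2  amd64  reliable system and kernel logging daemon
ii  auditd          1:3.0.7-1build1    amd64  User space tools for security auditing
ii  openssh-server  1:8.9p1-3ubuntu0   amd64  secure shell (SSH) server
ii  telnetd         0.17-44build1      amd64  telnet server
rc  apache2         2.4.52-1ubuntu4    amd64  Apache HTTP Server (removed, config left)
"""
UNITS_OUT = """\
UNIT FILE        STATE    PRESET
auditd.service   enabled  enabled
nginx.service    enabled  enabled
rsyslog.service  enabled  enabled
telnet.socket    enabled  disabled
"""
RSYSLOG_CONF = """\
module(load="imuxsock")
# the forwarding rule below is commented out, so nothing leaves the host
#*.* @@logs.example.com:514
*.* /var/log/syslog
"""


def audit_sample():
    """Findings for the constructed server as collected."""
    ev = Evidence(parse_dpkg_list(DPKG_OUT), parse_unit_files(UNITS_OUT), RSYSLOG_CONF)
    return check_baseline(ev)


def audit_remediated_sample():
    """Same server after telnetd is purged, telnet.socket disabled and forwarding enabled."""
    ev = Evidence(
        parse_dpkg_list(DPKG_OUT) - {"telnetd"},
        parse_unit_files(UNITS_OUT) - {"telnet.socket"},
        RSYSLOG_CONF.replace("#*.* @@", "*.* @@"),
    )
    return check_baseline(ev)


if __name__ == "__main__":
    for finding in audit_sample() or ["compliant"]:
        print(finding)
```

Run against the constructed evidence, the check reports the unapproved telnetd package, the enabled telnet.socket unit and the missing remote log target; after the three fixes it returns no findings. The package list is deliberately a whitelist rather than a required list, so an approved package that is absent is not a finding, while anything outside the list is.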

184
Multi-Select (hard)

A records manager finds paper onboarding forms and scanned copies that contain government ID numbers. The retention period has expired, no legal hold exists, and the forms are no longer needed. Which three actions should occur before disposal? Select three.

A.Verify the retention schedule and confirm that no legal hold or exception applies.
B.Move the forms to an unsecured archive so they can be retrieved later if needed.
C.Destroy the paper copies with an approved secure method such as cross-cut shredding or pulping.
D.Securely delete the electronic copies from active storage and follow backup-retention rules for residual copies.
E.Keep personal copies because auditors might ask informally later.
AnswersA, C, D

You should never destroy records until retention and legal obligations are checked and documented.

Why this answer

Option A is correct because before any disposal, the records manager must verify the retention schedule and confirm that no legal hold or exception applies. This ensures compliance with organizational policy and legal requirements, preventing premature destruction of records that may still be needed for litigation or audit purposes. Option C is correct because cross-cut shredding or pulping renders the government ID numbers on the paper forms unrecoverable, which is what a disposal policy requires for data of this sensitivity. Option D is correct because the scanned copies are a second instance of the same records: they must be securely deleted from active storage, and any residual copies in backups expire under the backup-retention rules rather than being silently kept.

Exam trap

The trap here is that candidates may think moving records to an unsecured archive (Option B) is a safe intermediate step, but once retention has expired and no hold exists, the SY0-701 objectives expect secure destruction, not relocation, and certainly not personal copies kept in case an auditor asks informally (Option E).

185
MCQ (easy)

A business wants to keep operating even if a supplier-related loss occurs, so it purchases cyber insurance to offset possible costs. Which risk treatment is being used?

A.Avoidance, because the company is eliminating the supplier relationship
B.Mitigation, because insurance removes the risk before it happens
C.Acceptance, because the company is doing nothing about the exposure
D.Transfer, because some financial impact is shifted to another party
AnswerD

Risk transfer is the correct answer because insurance moves some of the financial burden to the insurer while the company continues the activity.

Why this answer

Purchasing cyber insurance transfers the financial risk of a supplier-related loss to the insurance company. This is a classic risk transfer strategy, where the business does not eliminate or reduce the likelihood of the loss but shifts the financial impact to another party via a contractual agreement.

Exam trap

The trap here is confusing risk transfer (shifting financial impact) with risk mitigation (reducing likelihood or impact), leading candidates to incorrectly select mitigation when insurance is involved.

How to eliminate wrong answers

Option A is wrong because avoidance would mean terminating the supplier relationship entirely, not purchasing insurance. Option B is wrong because mitigation involves implementing controls (e.g., firewalls, redundancy) to reduce the likelihood or impact of a risk, not transferring it via insurance. Option C is wrong because acceptance means acknowledging the risk without taking any action, whereas purchasing insurance is an active treatment.

186
MCQ (easy)

A security team wants every company laptop to have the same screen-lock timeout, disk encryption setting, and local firewall configuration. Which type of document should define these mandatory settings?

A.A guideline, because employees can decide whether to follow it.
B.A standard, because it specifies mandatory technical requirements.
C.A risk register, because it tracks all security vulnerabilities on laptops.
D.A business impact analysis, because it identifies the most important laptop functions.
AnswerB

A standard is the correct document for mandatory, measurable security settings such as screen-lock timeouts, encryption, and firewall configuration. Standards turn policy intent into specific requirements that can be checked and enforced across devices, which helps keep configurations consistent and easier to audit.

Why this answer

A standard is the correct document type because it defines mandatory technical requirements that must be uniformly enforced across all company laptops. In this scenario, the screen-lock timeout, disk encryption setting (e.g., BitLocker or FileVault), and local firewall configuration (e.g., Windows Defender Firewall with Advanced Security) are non-negotiable controls that must be applied identically to every device to meet security policy. Standards are binding and often reference specific configuration baselines, such as CIS Benchmarks or DISA STIGs, ensuring consistent implementation.

Exam trap

The trap here is confusing a standard with a guideline, as many candidates assume any security document is advisory, but standards are explicitly mandatory and enforceable, unlike guidelines which are optional recommendations.

How to eliminate wrong answers

Option A is wrong because a guideline is advisory and suggests best practices that employees may choose to follow or ignore, whereas the scenario requires mandatory settings that must be enforced. Option C is wrong because a risk register is a document that identifies, assesses, and tracks security vulnerabilities and risks, not a document that defines mandatory technical configurations for laptops. Option D is wrong because a business impact analysis (BIA) identifies critical business functions and the impact of their disruption, not the specific technical settings like screen-lock timeout or disk encryption.

187
MCQ (medium)

A software supplier used by your organization begins subcontracting a critical part of its service to an unknown hosting company. Which contractual control would BEST help manage this supply chain risk?

A.Require the supplier to send monthly sales updates to the procurement team.
B.Require advance notice and approval for subcontractor changes, plus right-to-audit and security obligations.
C.Ask the supplier to place all responsibility for the subcontractor on the customer.
D.Disable all vendor access immediately without reviewing the change.
AnswerB

This is the strongest contractual approach because it gives the organization visibility into changes, authority to review added risk, and leverage to enforce security requirements. When a supplier introduces a new subcontractor, advance notice, approval rights, and auditability help prevent hidden dependencies from undermining security expectations or compliance obligations.

Why this answer

Option B is correct because it establishes a contractual control that requires the supplier to notify and obtain approval before subcontracting critical services, while also imposing right-to-audit and security obligations. This directly addresses supply chain risk by ensuring the organization can vet and monitor the subcontractor's security posture, as recommended by NIST SP 800-161 for supply chain risk management.

Exam trap

The trap here is that candidates confuse operational reporting (Option A) with security governance, or they assume immediate termination (Option D) is a valid risk response without considering contractual due process and business continuity.

How to eliminate wrong answers

Option A is wrong because monthly sales updates are a financial or operational reporting requirement, not a security control; they provide no visibility into the subcontractor's security practices or compliance with the organization's security policies. Option C is wrong because shifting all responsibility for the subcontractor to the customer defeats the purpose of contractual controls—it removes the supplier's accountability and leaves the organization without any enforceable security requirements on the subcontractor. Option D is wrong because immediately disabling all vendor access without reviewing the change is a reactive, disruptive response that violates change management best practices; it should be preceded by a risk assessment and coordinated with the supplier to avoid unnecessary service disruption.

188
MCQ (easy)

After reviewing a risk memo, the operations director signs off on continuing to use an older application because the cost of replacement is too high right now. Which risk management action did the director take?

A.Risk transfer, because the risk was moved to another company.
B.Risk acceptance, because management chose to live with the remaining risk.
C.Risk avoidance, because the application is still being used.
D.Risk mitigation, because the replacement cost was too high.
AnswerB

Risk acceptance is the correct term when management knowingly approves continued operation despite identified risk. The director is not eliminating the issue or moving it elsewhere; instead, they are choosing to tolerate the residual risk for business reasons such as cost or timing. This is a normal part of risk management when the risk is understood and documented.

Why this answer

The operations director chose to continue using the older application despite the identified risk, explicitly because the cost of replacement was too high. This is the definition of risk acceptance: management acknowledges the risk and decides to tolerate the residual risk without implementing additional controls. The director did not transfer, avoid, or mitigate the risk; they accepted it as a cost of business.

Exam trap

The trap here is confusing 'acceptance' with 'avoidance' — candidates often think that continuing to use the application means avoiding the risk, but avoidance requires stopping the risky activity entirely, not just living with it.

How to eliminate wrong answers

Option A is wrong because risk transfer would involve shifting the financial impact of the risk to a third party (e.g., purchasing cyber insurance or outsourcing the application), not simply continuing to use it. Option C is wrong because risk avoidance means ceasing the activity that generates the risk (e.g., decommissioning the application), but the director explicitly chose to keep using it. Option D is wrong because risk mitigation would involve implementing controls to reduce the likelihood or impact of the risk (e.g., patching or adding a WAF), not rejecting mitigation due to cost.

189
MCQ (medium)

An organization is evaluating a payroll SaaS provider after the procurement team asks for evidence that the vendor's security controls were designed and operating effectively during the past year. Which document should the security team review first?

A.Memorandum of understanding
B.SOC 2 Type II report
C.Software license agreement
D.Network diagram of the vendor's data center
AnswerB

A SOC 2 Type II report provides an independent assessment of control design and operating effectiveness over a defined period.

Why this answer

A SOC 2 Type II report provides an independent auditor's assessment of a service organization's controls over a period of time (typically 6–12 months), confirming that security controls were not only designed but also operating effectively. This directly meets the procurement team's need for evidence of the vendor's security posture over the past year, as required for evaluating a SaaS provider handling sensitive payroll data.

Exam trap

The trap here is that candidates may confuse a SOC 2 Type I report (which only tests control design at a point in time) with a Type II report (which tests operating effectiveness over a period), or they may mistakenly think a network diagram or legal agreement provides evidence of control effectiveness.

How to eliminate wrong answers

Option A is wrong because a Memorandum of Understanding (MOU) is a non-binding agreement outlining mutual intentions and responsibilities, not an audited report of control effectiveness. Option C is wrong because a Software License Agreement defines usage rights, fees, and legal terms, but does not provide evidence of security control design or operational effectiveness. Option D is wrong because a network diagram shows the vendor's data center architecture but offers no proof that security controls were actually implemented or operating effectively over the past year.

190
Matching (hard)

Match each awareness-program metric or pattern to the best interpretation. Use each interpretation once.

Concepts

Improved phishing resistance

Better escalation culture

Faster detection and triage

Targeted refresher coaching needed

Why these pairings

A falling phishing click rate measures reduced susceptibility and indicates improved phishing resistance; a rising reporting rate indicates vigilance and a better escalation culture; a shorter time to report reflects responsiveness and faster detection and triage; a high repeat offender rate identifies high-risk users who need targeted refresher coaching. Training completion rate only shows participation, and knowledge assessment score measures understanding rather than behavior, so neither maps to one of the four interpretations above.

191
Matching (hard)

Match each business situation to the best risk treatment. Use each treatment once.

Concepts

Accept risk

Mitigate risk

Transfer risk

Avoid risk

Why these pairings

Risk treatment decisions are based on likelihood and impact: accept low risks, avoid high-high risks, mitigate medium risks, and transfer risks that are high likelihood but low impact or low likelihood but high impact.

192
MCQ (medium)

A security manager at a financial services company is evaluating the effectiveness of a newly deployed security awareness training program. The program included modules on recognizing phishing emails, password security, and tailgating. One month after the training, the manager wants to assess whether employees are applying the learned behaviors to reduce the risk of phishing attacks. Which of the following metrics would provide the most valid indication of the training's behavioral impact?

A.The percentage of employees who completed the training modules.
B.The average score on the post-training knowledge quiz.
C.The number of reported phishing incidents to the security team.
D.The reduction in the employee click-through rate on simulated phishing campaigns.
AnswerD

Simulated phishing campaigns provide a controlled test of employee behavior. Comparing pre-training and post-training click-through rates directly measures whether employees are applying the training to avoid clicking malicious links.

Why this answer

Option D is correct because the reduction in the employee click-through rate on simulated phishing campaigns directly measures a change in behavior—specifically, whether employees are applying the training to avoid clicking malicious links. Unlike knowledge scores or completion rates, this metric captures real-world application of the learned behavior in a controlled, measurable environment.

Exam trap

The trap here is that candidates confuse knowledge assessment (quiz scores) or participation metrics (completion rates) with behavioral metrics, but the exam specifically tests the distinction between measuring 'knowing' versus 'doing' in security awareness programs.

How to eliminate wrong answers

Option A is wrong because completion rates only measure participation, not whether employees actually learned or changed their behavior; a 100% completion rate could still result in no reduction in phishing susceptibility. Option B is wrong because post-training quiz scores measure knowledge retention, not behavioral application; an employee can ace a quiz yet still click a phishing link in practice. Option C is wrong because the number of reported phishing incidents can increase due to improved reporting behavior, which is a positive outcome, but it does not directly measure whether employees are avoiding phishing clicks—it measures reporting, not click reduction.
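Questions 182, 190 and 192 all turn on reading simulation results as program metrics rather than as a pass/fail list. The Python below is an added example for this page, not code from the exam or any vendor platform: it takes a constructed simulation log (two campaigns, two departments, made-up users and timings) and computes the metrics those questions name, namely per-department click and report rates, median minutes to report, repeat clickers who need targeted coaching, and the pre/post training change in click rate that question 192 treats as the behavioral measure.

```python
"""Turn phishing-simulation results into awareness-program metrics."""
from collections import defaultdict, namedtuple
from statistics import median

Result = namedtuple("Result", "campaign user department clicked_min reported_min")

# Constructed simulation log (not real data). Minutes are measured from the
# time the lure was sent; None means the user never clicked / never reported.
RESULTS = [
    # c1: baseline campaign before role-based training
    Result("c1", "alice", "finance", 4, None),
    Result("c1", "bob", "finance", 12, None),
    Result("c1", "carol", "finance", None, 30),
    Result("c1", "dave", "eng", None, 9),
    Result("c1", "erin", "eng", 7, 60),
    Result("c1", "frank", "eng", None, None),
    # c2: follow-up campaign after training
    Result("c2", "alice", "finance", 3, None),
    Result("c2", "bob", "finance", None, 15),
    Result("c2", "carol", "finance", None, 5),
    Result("c2", "dave", "eng", None, 4),
    Result("c2", "erin", "eng", None, 8),
    Result("c2", "frank", "eng", None, 12),
]


def campaign_rates(results, campaign, department=None):
    """Click rate (susceptibility) and report rate (vigilance) for one campaign,
    optionally restricted to one department for role-based targeting."""
    rows = [r for r in results
            if r.campaign == campaign and (department is None or r.department == department)]
    sent = len(rows)
    clicked = sum(r.clicked_min is not None for r in rows)
    reported = sum(r.reported_min is not None for r in rows)
    return {"sent": sent, "click_rate": clicked / sent, "report_rate": reported / sent}


def median_minutes_to_report(results, campaign):
    """Responsiveness: median minutes from send to report, None if nobody reported."""
    times = [r.reported_min for r in results
             if r.campaign == campaign and r.reported_min is not None]
    return median(times) if times else None


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns: coaching candidates."""
    campaigns_clicked = defaultdict(set)
    for r in results:
        if r.clicked_min is not None:
            campaigns_clicked[r.user].add(r.campaign)
    return sorted(u for u, cs in campaigns_clicked.items() if len(cs) >= min_campaigns)


def click_rate_change(results, before, after):
    """Behavioural impact of training: negative means fewer clicks after training."""
    return (campaign_rates(results, after)["click_rate"]
            - campaign_rates(results, before)["click_rate"])


def highest_click_department(results, campaign):
    """Department with the highest click rate, i.e. the first target for role-based training."""
    depts = {r.department for r in results if r.campaign == campaign}
    return max(depts, key=lambda d: campaign_rates(results, campaign, d)["click_rate"])


if __name__ == "__main__":
    for c in ("c1", "c2"):
        print(c, campaign_rates(RESULTS, c),
              "median min to report:", median_minutes_to_report(RESULTS, c))
    print("click-rate change c1->c2:", round(click_rate_change(RESULTS, "c1", "c2"), 3))
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("target department:", highest_click_department(RESULTS, "c1"))
```

On the constructed data the click rate falls from 3/6 to 1/6 while the report rate rises from 3/6 to 5/6 and the median time to report drops from 30 to 8 minutes, which is the pattern question 190 labels improved resistance, better escalation culture and faster triage. One user clicked in both campaigns and is the only name returned for refresher coaching, and finance had the highest baseline click rate, so it is where role-based content should start. Note that a rising report count on its own (question 192, option C) is ambiguous, which is why the change in click rate, not the report count, is used as the behavioral measure.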

193
MCQ (easy)

A department wants to keep using a cloud printing service even though the vendor has not yet completed the company's security questionnaire. The business owner agrees to add extra log monitoring until the review is finished. What is the best term for the added monitoring?

A.A compensating control, because it reduces risk while the normal control is unavailable.
B.Residual risk, because all risk is eliminated once monitoring is added.
C.Risk acceptance, because the business owner has approved continued use of the service.
D.Due diligence, because the company is actively reviewing the vendor.
AnswerA

A compensating control is an alternative safeguard used when the preferred control is missing, delayed, or not fully effective. Extra log monitoring helps reduce exposure while the vendor review is still in progress. It does not eliminate the underlying vendor risk, but it is a reasonable temporary measure to reduce likelihood of missing suspicious activity.

Why this answer

The added log monitoring is a compensating control because it provides an alternative security measure to mitigate risk while the primary control (the vendor's completed security questionnaire) is not yet in place. Compensating controls are temporary or alternative safeguards that reduce risk exposure when the preferred control cannot be implemented immediately. In this scenario, the monitoring does not eliminate the need for the questionnaire but reduces the risk of undetected malicious activity until the vendor's security posture is formally assessed.

Exam trap

The trap here is that candidates confuse risk acceptance (which involves no new controls) with risk mitigation (which involves implementing a compensating control), leading them to pick Option C despite the clear action of adding monitoring.

How to eliminate wrong answers

Option B is wrong because residual risk is the risk that remains after controls are applied, not the control itself; adding monitoring reduces but does not eliminate all risk, so the statement 'all risk is eliminated' is incorrect. Option C is wrong because risk acceptance is a management decision to acknowledge and tolerate a risk without implementing additional controls, but here the business owner is actively adding extra log monitoring, which is a risk mitigation action, not pure acceptance. Option D is wrong because due diligence refers to the ongoing investigation and review process (like completing the security questionnaire), not the specific technical control (log monitoring) implemented to reduce risk during that review.

194
MCQ (easy)

A development team wants to skip testing and deploy a major application change directly to production to meet a release date. What should the security team require?

A.Disable logging temporarily so the release is less likely to fail.
B.Require change approval and testing in a nonproduction environment first.
C.Deploy only to one server and monitor from there before deciding.
D.Let developers decide without review because they understand the code best.
AnswerB

Change approval and testing in a separate environment are basic controls that reduce the chance of introducing defects or security issues into production. This approach supports safe deployment while still allowing the project to move forward in a controlled way.

Why this answer

Option B is correct because security policy requires that all changes to production systems undergo formal change management, including approval and testing in a nonproduction environment first. Skipping testing violates the principle of change control and could introduce vulnerabilities or misconfigurations that compromise confidentiality, integrity, or availability. The security team must enforce this process to ensure the change is reviewed for security impact and validated before deployment.

Exam trap

The trap here is that candidates may think a phased rollout (Option C) is an acceptable compromise, but the SY0-701 exam emphasizes that change approval and testing in a nonproduction environment are mandatory before any production deployment, regardless of scale.

How to eliminate wrong answers

Option A is wrong because disabling logging would remove the audit trail needed to detect and investigate security incidents, violating compliance requirements and best practices. Option C is wrong because deploying to a single server without prior testing still bypasses the required change approval and nonproduction validation, and monitoring alone cannot catch all security flaws or configuration errors. Option D is wrong because developers may not have full visibility into security implications, and bypassing review undermines segregation of duties and the change management process.

195
Multi-Select (medium)

An external auditor asks for proof that emergency firewall changes were reviewed and approved before implementation last quarter. Which two artifacts are the best evidence? Select two.

A.An approved change ticket that shows the reviewer, approver, and timestamps.
B.A screenshot of the firewall's current rule base after the change.
C.CAB or workflow approval records documenting the decision.
D.A technician's memory of getting permission over the phone.
E.The organization's general information security policy.
AnswersA, C

A change ticket with approval details is strong evidence because it shows the request was reviewed before implementation and by whom. It also creates an auditable record that can be tied to the actual change event.

Why this answer

An approved change ticket with reviewer, approver, and timestamps directly documents the required pre-approval workflow for emergency firewall changes and can be tied to the change event itself. CAB or workflow approval records corroborate the ticket by showing who made the decision and when. Together they give the auditor exactly what was requested: an auditable trail showing that the change was reviewed and approved before implementation.

Exam trap

The trap here is confusing evidence of the change's outcome (screenshot of the rule base) with evidence of the change's approval process, or mistaking a high-level policy document for a specific, auditable record of a particular change event.

196
MCQ (easy)

A small internal reporting server has a low-severity vulnerability. Fixing it now would require several hours of downtime, while the business impact of exploitation is considered low. What is the BEST risk treatment for this situation?

A.Transfer the risk to a third party
B.Accept the risk after documenting the decision
C.Avoid the risk by shutting down the server permanently
D.Mitigate the risk by immediately replacing the server
AnswerB

When both likelihood and impact are low, and remediation would create more disruption than benefit, accepting the risk can be the most practical choice. The key is to document the rationale, obtain the appropriate approval, and revisit the decision later if the system or threat landscape changes.

Why this answer

The best risk treatment is to accept the risk because the vulnerability is low-severity, the business impact of exploitation is low, and the cost of remediation (several hours of downtime) exceeds the potential loss. Documenting the acceptance ensures auditability and informed management approval, which is a standard practice in risk management frameworks like NIST SP 800-37.

Exam trap

The trap here is that candidates may confuse 'accepting risk' with ignoring it, or they may overestimate the need to transfer or avoid risk, failing to recognize that documented acceptance is a valid and often optimal treatment for low-impact, high-remediation-cost scenarios.

How to eliminate wrong answers

Option A is wrong because transferring the risk to a third party (e.g., purchasing cyber insurance or outsourcing) is unnecessary and cost-ineffective for a low-severity, low-impact vulnerability; it would introduce additional expense and administrative overhead without proportional benefit. Option C is wrong because avoiding the risk by permanently shutting down the server is an extreme measure that would disrupt internal reporting functions entirely, causing greater business harm than the vulnerability itself, and is disproportionate to the low severity and low exploitation impact. Option D is wrong because immediately replacing the server is a disproportionate mitigation for a low-severity, low-impact finding and would cause the very downtime the business is trying to avoid.

197
Multi-Select (easy)

A manager needs to send a spreadsheet containing employee names, salaries, and performance notes to an external auditor. Which two actions best support proper data handling? Select two.

A.Apply the correct classification label before sending
B.Upload the file to a personal cloud account
C.Remove the salary columns and send the rest by email
D.Use the organization's approved encrypted sharing method
E.Print the file and leave it on a shared desk
AnswersA, D

Classification labels help users apply the right handling requirements and sharing restrictions.

Why this answer

Option A is correct because applying the correct classification label (e.g., 'Confidential' or 'Internal Use Only') ensures that the data is properly identified and handled according to the organization's data classification policy. This is a foundational step in data handling, as it triggers appropriate security controls such as encryption, access restrictions, and handling procedures. Without a classification label, the sensitivity of the data may be overlooked, leading to potential mishandling.

Exam trap

CompTIA often tests the misconception that partial redaction (e.g., removing salary columns) is sufficient to protect sensitive data, when in fact any remaining PII or performance data still requires proper classification and secure transmission.

198
Multi-Select · medium

Which four of the following are key components of a successful security awareness and training program within an organization? (Choose four.)

Select 4 answers
- Role-based training tailored to specific job functions
- Phishing simulations to reinforce practical skills
- Annual one-time training with no follow-up assessments
- Metrics to measure effectiveness, such as click rates on simulated phishing emails
- Executive-level sponsorship and support for the program
- Outsourcing all training content development to a single vendor without internal review

Why this answer

Role-based training is correct because it ensures that employees receive security education relevant to their specific job functions, such as data handling for finance or system access for IT, which increases the practical applicability and retention of security principles. Phishing simulations are correct as they provide hands-on reinforcement of skills, allowing employees to practice identifying and reporting malicious emails in a controlled environment, which directly reduces real-world risk. Metrics like click rates on simulated phishing emails are correct because they provide quantifiable data to measure program effectiveness, identify high-risk groups, and guide continuous improvement.

Executive-level sponsorship is correct because it provides the necessary authority, resources, and organizational commitment to prioritize security awareness, ensuring the program is taken seriously across all departments.

Exam trap

Cisco often tests the misconception that a one-time annual training is sufficient for compliance, but the SY0-701 exam emphasizes that effective security awareness requires continuous, role-specific training with measurable outcomes and leadership support.

199
MCQ · medium

A security manager publishes a document that tells help desk staff exactly how to verify identity, reset an admin password, record the ticket number, and close out the request during a maintenance window. What type of governance artifact is this?

A. Policy
B. Standard
C. Procedure
D. Guideline
Answer: C

A procedure gives detailed instructions for performing a task consistently in the correct sequence.

Why this answer

Option C is correct because a procedure is a step-by-step, ordered list of tasks required to perform a specific operational activity. The document describes exactly how to verify identity, reset an admin password, record the ticket number, and close out the request, which matches the definition of a procedure in governance frameworks.

Exam trap

The trap here is confusing a procedure with a policy or standard, where candidates often pick 'policy' because they think any security document is a policy, but the detailed step-by-step nature uniquely identifies a procedure.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level statement of management intent, not a detailed step-by-step instruction. Option B is wrong because a standard defines mandatory requirements or specifications (e.g., password complexity rules), not the exact sequence of actions. Option D is wrong because a guideline offers recommendations or best practices, not mandatory, prescriptive steps.

200
Multi-Select · medium

A help desk technician receives a call from someone claiming to be a contractor whose MFA device was lost during travel. The caller knows the company org chart and asks for a new device enrollment. Which three responses are appropriate? Select three.

Select 3 answers
A. Refuse to bypass identity verification requirements.
B. Use a known callback number or approved ticketing process to confirm identity.
C. Report the interaction to the security team if the call seems suspicious.
D. Read the current MFA reset code over the phone to speed up recovery.
E. Enroll the new device immediately because the caller knows company names and roles.
Answers: A, B, C

Knowing internal names is not enough; identity checks must still follow the approved process.

Why this answer

Option A is correct because bypassing identity verification for MFA device enrollment would undermine the security that MFA provides. The caller's knowledge of the org chart does not constitute proof of identity; social engineering attacks often leverage such information. Refusing to bypass verification ensures that only authorized users can enroll new MFA tokens, maintaining the integrity of the authentication process.

Exam trap

The trap here is that candidates may assume knowledge of internal details (like the org chart) is sufficient proof of identity, but social engineering attacks frequently exploit such information to bypass security controls.

201
Multi-Select · medium

A software supplier is adding a new subcontractor to process your company's customer data. The security team wants to understand the new exposure before allowing the change. Which three items should it request or review first? Select three.

Select 3 answers
A. A list of the subcontractor's locations and where the data will be processed.
B. The subcontractor's logo and marketing brochure.
C. A data-processing agreement that flows down security and notification obligations.
D. An independent security assessment, such as a SOC report or equivalent.
E. The supplier's quarterly sales forecast.
Answers: A, C, D

Knowing where data will be handled helps the organization evaluate jurisdictional, privacy, and regulatory implications. Location matters when customer data crosses borders or enters new legal environments.

Why this answer

Option A is correct because understanding where data will be processed and the subcontractor's physical locations is critical for assessing jurisdictional risks, data sovereignty requirements, and compliance with regulations like GDPR or CCPA. The security team needs this information to evaluate potential exposure to different legal frameworks and physical security controls before granting access to customer data.

Exam trap

The trap here is that candidates may mistakenly think marketing materials or logos are relevant for security assessments, when in fact only operational, legal, and technical documentation (like locations and DPAs) provide actionable risk information.

202
MCQ · medium

A security manager is evaluating the effectiveness of a new security awareness training program that all employees completed last quarter. The company has been conducting monthly phishing simulation campaigns for the past year. Which of the following metrics would provide the strongest evidence that the training is achieving its intended goal of changing employee behavior?

A. 95% of employees completed the training within the deadline.
B. The number of employees reporting phishing attempts to the SOC increased by 40%.
C. The percentage of employees who clicked on a simulated phishing email decreased from 18% to 6%.
D. The number of helpdesk tickets related to password resets decreased by 10%.
Answer: C

A significant drop in the click-through rate on simulated phishing emails directly demonstrates that employees are less susceptible to phishing attacks, which is the desired behavioral outcome of the training.

Why this answer

Option C directly measures the reduction in risky behavior (clicking phishing links) after training, which is the core goal of security awareness training. A drop from 18% to 6% demonstrates a measurable behavior change, not just knowledge acquisition. This aligns with the Kirkpatrick Model's 'Behavior' level of evaluation, which is the strongest indicator of training effectiveness.

Exam trap

The trap here is that candidates often choose Option B (increased reporting) because it sounds proactive, but the question specifically asks for evidence of 'changing employee behavior' away from clicking, not just improving reporting habits.

How to eliminate wrong answers

Option A is wrong because completion rate measures participation, not behavior change; an employee can complete training without retaining or applying the knowledge. Option B is wrong because increased reporting could indicate heightened awareness, but it does not directly measure whether employees are avoiding the dangerous behavior (clicking); it could also reflect a higher volume of phishing simulations or a reporting culture shift, not necessarily a reduction in successful attacks.

203
Multi-Select · easy

A records manager is told that some HR emails may be needed for an active investigation, while unrelated messages are still due for deletion under the retention schedule. Which two actions should the manager take? Select two.

Select 2 answers
A. Place the affected emails on legal hold
B. Delete all related records immediately to reduce storage costs
C. Keep the records until the legal team releases the hold
D. Move them into a personal archive folder
E. Rewrite the retention schedule without approval
Answers: A, C

A legal hold prevents deletion or alteration of records that may be needed for an investigation.

Why this answer

A is correct because placing the affected emails on legal hold suspends the retention schedule for those specific records, ensuring they are preserved for the active investigation without altering the deletion policy for unrelated messages. This is a standard practice under eDiscovery and legal hold procedures, often implemented via Exchange Online or similar systems using litigation hold or in-place hold.

Exam trap

The trap here is that candidates may confuse 'legal hold' with simply archiving or delaying deletion, but only a formal hold ensures compliance with legal preservation requirements and prevents spoliation.

204
MCQ · medium

Based on the exhibit, what should the organization do before approving this SaaS vendor to process employee HR records?

A. Approve the vendor now because admin MFA is enabled and the deadline is urgent.
B. Request a formal risk acceptance memo and sign the contract without additional review.
C. Require a security addendum and evidence review before onboarding, including notification timelines, deletion terms, subprocessors, and independent testing.
D. Move the HR data into the vendor environment first and complete the review after production cutover.
Answer: C

This is the best answer because the exhibit reveals several third-party risk gaps that matter for employee PII: no current independent assurance, vague breach notification, weak retention language, and no maintained subprocessor list. A contract addendum and evidence review provide enforceable expectations and reduce legal, privacy, and operational risk before data is shared.

Why this answer

Option C is correct because before processing sensitive employee HR records, the organization must ensure the SaaS vendor meets security and compliance requirements. This includes reviewing contractual terms like notification timelines, data deletion policies, subprocessor usage, and independent testing evidence (e.g., SOC 2 Type II or ISO 27001 certification). Without these, the organization cannot verify the vendor's security posture or contractual obligations, which is critical for protecting PII and meeting regulatory requirements like GDPR or HIPAA.

Exam trap

The trap here is that candidates may assume MFA or a risk acceptance memo alone is sufficient for compliance, but the SY0-701 exam emphasizes that contractual and evidence-based reviews are mandatory before onboarding vendors handling sensitive data.

How to eliminate wrong answers

Option A is wrong because admin MFA alone is insufficient; it does not address data protection, incident notification, deletion terms, or independent testing, and urgency does not justify bypassing due diligence. Option B is wrong because a risk acceptance memo without additional review ignores the need to verify security controls and contractual protections, effectively accepting unknown risks. Option D is wrong because moving HR data into the vendor environment before completing the review exposes sensitive data to unverified risks, violating the principle of 'trust but verify' and potentially leading to compliance violations.

205
MCQ · easy

A help desk technician receives a ticket asking for a password reset on a manager's account. The requester says the manager is traveling and cannot be reached. What is the best action before making any change?

A. Reset the password immediately to avoid delaying the manager's work.
B. Verify the request through an approved identity-check process before taking action.
C. Tell the requester to ask a coworker to share the manager's existing password.
D. Ignore the ticket until the manager returns from travel.
Answer: B

The best action is to verify the requester and the request using the organization's approved process before changing access. This helps prevent social engineering and unauthorized account changes. Account resets are sensitive because they can give an attacker control if the help desk relies only on a convincing story or urgent pressure.

Why this answer

Option B is correct because the principle of least privilege and proper identity verification are critical before performing any privileged action like a password reset. Without verifying the requester's identity through an approved process (e.g., out-of-band verification, knowledge-based authentication, or manager callback), the technician risks unauthorized access, which could lead to a security breach. This aligns with the CompTIA SY0-701 objective on implementing identity and access management controls.

Exam trap

The trap here is that candidates may assume urgency (Option A) is acceptable, but CompTIA emphasizes that security controls must never be bypassed for convenience, and password sharing (Option C) is always a violation of security best practices.

How to eliminate wrong answers

Option A is wrong because resetting the password immediately without verification violates security policy and could enable an impersonation attack or social engineering, potentially compromising the manager's account. Option C is wrong because sharing an existing password violates the principle of non-repudiation and password confidentiality, and it is never an acceptable practice in any secure environment.

206
MCQ · easy

An employee receives an email that says, 'This is the CEO. Buy gift cards now and reply with the codes before the meeting starts.' What should the employee do?

A. Reply with the codes because the request appears urgent
B. Verify the request through an approved channel and report the message
C. Forward the email to coworkers so they can watch for similar messages
D. Delete the email and ignore it without telling anyone
Answer: B

Verifying through a trusted channel and reporting the email protects the organization from a likely fraud attempt.

Why this answer

Option B is correct because the email exhibits classic social engineering indicators—spoofed authority, urgency, and a request for non-standard financial transactions (gift cards). The employee must verify the request through an approved communication channel (e.g., a phone call to the CEO's known number) and report the message to the security team for incident response. This aligns with security policy for phishing and business email compromise (BEC) prevention, as per NIST SP 800-61 and organizational security awareness training.

Exam trap

The trap here is that candidates may mistake the urgency and authority in the email as legitimate, choosing Option A, but CompTIA tests the principle that any request for sensitive actions (gift cards, wire transfers, credential changes) must be verified through a separate, trusted channel regardless of apparent sender identity.

How to eliminate wrong answers

Option A is wrong because replying with gift card codes without verification directly enables a BEC attack, violating the principle of least trust and bypassing standard financial controls. Option C is wrong because forwarding the email to coworkers could propagate the phishing link or attachment, increasing the attack surface and potentially bypassing email security filters. Option D is wrong because deleting the email without reporting it prevents the security team from analyzing the threat, updating detection rules, and protecting other users from the same attack.

207
MCQ · easy

Before contracting with a cloud-based payroll provider, the security team requests a security questionnaire, proof of controls, and an independent audit report. What activity is this?

A. Business continuity testing, because the team is checking recovery procedures.
B. Third-party due diligence, because the team is evaluating vendor risk before onboarding.
C. Security awareness training, because the vendor is being taught safe behavior.
D. Data classification, because the team is labeling the payroll data type.
Answer: B

Third-party due diligence is the process of reviewing a vendor’s security posture, controls, and supporting evidence before trusting them with business data or services. The questionnaire and audit report are classic inputs for that review.

Why this answer

The security team's request for a security questionnaire, proof of controls, and an independent audit report before contracting with a cloud-based payroll provider is a classic example of third-party due diligence. This process evaluates the vendor's security posture, compliance, and risk level before onboarding, ensuring that sensitive payroll data is protected. It is a proactive risk management activity, not a reactive test or training exercise.

Exam trap

The trap here is that candidates confuse third-party due diligence with business continuity testing, because both involve reviewing documentation, but due diligence is pre-contractual risk evaluation, not post-incident recovery verification.

How to eliminate wrong answers

Option A is wrong because business continuity testing focuses on verifying recovery procedures and system resilience, not on evaluating a vendor's security controls before contracting. Option C is wrong because security awareness training is an internal program to educate employees on safe behavior, not a vendor assessment activity. Option D is wrong because data classification involves labeling data by sensitivity level, not requesting audit reports or control evidence from a third party.

208
MCQ · medium

A desktop engineering team asks for the document that specifies the exact minimum encryption setting, screen-lock timer, and password length for company laptops. Which type of document should they follow?

A. Policy, because it states the organization's general intent and high-level direction.
B. Standard, because it defines mandatory uniform requirements for a specific control baseline.
C. Procedure, because it gives the organization-wide security purpose statement.
D. Guideline, because it provides optional suggestions that every laptop must obey.
Answer: B

A standard is the correct document when the organization needs a consistent, mandatory technical baseline such as encryption strength, lock timing, or password length. Standards translate policy into measurable requirements and are suitable for system configuration because they reduce ambiguity and support enforcement across similar assets.

Why this answer

A standard defines mandatory, uniform technical requirements for a specific control baseline, such as exact encryption settings (e.g., AES-256), screen-lock timer (e.g., 15 minutes), and password length (e.g., 14 characters). Unlike a policy, which states high-level intent, a standard provides the precise, enforceable configuration that the desktop engineering team must implement on company laptops.

Exam trap

The trap here is that candidates confuse 'policy' (high-level intent) with 'standard' (specific mandatory baseline), leading them to choose A when the question explicitly asks for the document that specifies exact minimum encryption, timer, and password length values.

How to eliminate wrong answers

Option A is wrong because a policy states the organization's general intent and high-level direction (e.g., 'all laptops must be secured'), but does not specify exact technical values like encryption algorithm, timer duration, or password length. Option C is wrong because a procedure describes step-by-step instructions for performing a task (e.g., how to configure BitLocker), not the mandatory baseline requirements themselves.

209
MCQ · medium

HR stores scanned government IDs collected during onboarding. The retention policy says the files may be kept for 90 days after employment verification, then destroyed. What should security require?

A. Keep the files indefinitely in case a future audit asks for them
B. Move the files to a shared folder so more HR staff can access them
C. Store the files in an encrypted repository and securely dispose of them when retention expires
D. Print the scanned IDs and place them in a locked cabinet instead of keeping digital copies
Answer: C

This is the best answer because it matches the retention schedule and protects sensitive personal data. Encryption reduces exposure while the files are needed, and secure disposal after the retention period supports privacy, legal compliance, and data minimization. The process should also be auditable so the organization can prove it is following its handling requirements.

Why this answer

Option C is correct because it aligns with the principle of data minimization and the retention policy: storing scanned government IDs in an encrypted repository ensures confidentiality and integrity, while secure disposal after the 90-day retention period meets compliance requirements (e.g., GDPR, HIPAA) and reduces risk of data breaches. Security must enforce both protection during storage and timely destruction to prevent unauthorized access or legal liability.

Exam trap

The trap here is that candidates may choose indefinite retention (Option A) thinking it helps with audits, but security requires compliance with the stated retention policy, not hoarding data.

How to eliminate wrong answers

Option A is wrong because keeping files indefinitely violates the retention policy and increases exposure to data breaches, legal non-compliance, and storage costs without a security justification. Option B is wrong because moving files to a shared folder broadens access without need, increasing the attack surface and risk of unauthorized disclosure, while ignoring encryption and retention controls. Option D is wrong because printing scanned IDs creates physical copies that are harder to track, secure, and destroy reliably, and it introduces new risks like loss, theft, or improper disposal, while digital encryption and secure deletion are more auditable and compliant.

210
Matching · hard

Match each excerpt from a small enterprise security program to the correct governance artifact.


Concepts
- Standard
- Procedure
- Guideline
- Exception
- Policy

Why these pairings

Policy defines mandatory rules; Procedure gives step-by-step instructions; Standard specifies technical requirements; Guideline offers best practices.

211
MCQ · medium

Based on the exhibit, which item is the strongest evidence that quarterly privileged access reviews occurred?

A. SIEM export of administrator logins.
B. Signed access review spreadsheet with reviewer, date, and exceptions.
C. Help desk ticket for a password reset.
D. Screenshot of the access review policy.
Answer: B

This is the strongest evidence because it directly records the review activity, who performed it, when it occurred, and what exceptions were found.

Why this answer

A signed access review spreadsheet with reviewer, date, and exceptions provides direct, non-repudiable evidence that a formal review of privileged access was completed. Unlike logs or policies, it explicitly documents the reviewer's identity, the date of review, and any exceptions, satisfying audit requirements for quarterly privileged access reviews.

Exam trap

The trap here is that candidates mistake evidence of activity (like login logs) or policy existence for evidence of a completed review process, overlooking the need for documented attestation with reviewer identity and date.

How to eliminate wrong answers

Option A is wrong because a SIEM export of administrator logins only shows that logins occurred, not that a formal review of those accounts' access rights was performed; it lacks reviewer attestation and exception documentation. Option C is wrong because a help desk ticket for a password reset is an operational event unrelated to the periodic review of privileged access entitlements. Option D is wrong because a screenshot of the access review policy only proves the policy exists, not that it was actually followed or that a review occurred.
