CCNA Security Program Management Questions

75 of 211 questions · Page 1/3 · Security Program Management topic

1. MCQ (medium)

A manufacturer identifies a rare but very costly ransomware risk. Executives decide not to eliminate the activity, but to purchase cyber insurance and formally acknowledge the remaining exposure. Which risk treatment is being used?

A. Avoidance
B. Transfer
C. Mitigation
D. Acceptance
Answer: B

Transfer shifts some financial impact to another party, such as an insurer, while the organization keeps operating.

Why this answer

The correct answer is B (Transfer) because purchasing cyber insurance shifts the financial impact of a ransomware incident to the insurer under a contract. Every treatment leaves some residual risk that management records and accepts; formally acknowledging that remainder does not make acceptance the primary treatment. The action actually taken against the exposure, buying insurance, is what classifies this as transfer.

Exam trap

The trap here is that candidates read 'formally acknowledge the remaining exposure' as acceptance. Acceptance as a treatment means retaining the risk and taking no further action against it; here the organization acts by purchasing insurance, so the treatment is transfer, and the acknowledgment only documents the residual risk that the policy does not cover.

How to eliminate wrong answers

Option A (Avoidance) is wrong because avoidance would require discontinuing the activity that introduces the ransomware risk, such as shutting down the affected systems or processes. Option C (Mitigation) is wrong because mitigation involves implementing technical controls (e.g., endpoint detection, backups, patching) to reduce the likelihood or impact of ransomware, not purchasing insurance. Option D (Acceptance) is wrong because acceptance means the organization consciously retains the risk without transferring or mitigating it; purchasing insurance demonstrates a transfer, not passive acceptance.

2. MCQ (medium)

After completing a vulnerability scan, a security analyst discovers that a legacy customer-facing application running on an unsupported operating system contains a critical remote code execution vulnerability. The application is essential to daily operations and cannot be patched or upgraded in the near term. Management has approved the purchase of a hardware-based network firewall that will be placed in front of the application to restrict inbound traffic to only authorized source IP addresses and port numbers. Which risk management strategy does this action primarily represent?

A. Risk acceptance
B. Risk mitigation
C. Risk avoidance
D. Risk transference
Answer: B

Correct. By deploying a firewall to restrict access, the organization is reducing the likelihood that the vulnerability can be exploited. This is a risk mitigation strategy using a compensating control.

Why this answer

The security team is implementing a hardware-based network firewall to restrict inbound traffic to only authorized source IP addresses and port numbers. This directly reduces the likelihood of exploitation by limiting the attack surface, which is the essence of risk mitigation — applying controls to reduce the risk to an acceptable level. Patching or upgrading is not feasible, so compensating controls like network segmentation and access control lists (ACLs) are used to mitigate the vulnerability.

Exam trap

The trap here is that candidates confuse 'risk mitigation' with 'risk avoidance' because they think blocking traffic is 'avoiding' the vulnerability, but avoidance means eliminating the risk entirely (e.g., decommissioning the app), whereas mitigation reduces the likelihood or impact while the risk still exists.

How to eliminate wrong answers

Option A is wrong because risk acceptance would mean formally acknowledging the risk and taking no action to reduce it, which contradicts the purchase and deployment of a firewall. Option C is wrong because risk avoidance would require removing the application or discontinuing its use entirely, not adding a protective control. Option D is wrong because risk transference involves shifting the financial impact of a risk to a third party (e.g., cyber insurance or outsourcing), not deploying a technical control like a firewall.

3. Multi-Select (medium)

Which four of the following are essential elements of an effective business continuity plan (BCP) that a security manager should oversee? (Choose four.)

Select 4 answers
- Identification of critical business functions and their dependencies
- Defined recovery time objectives (RTOs) and recovery point objectives (RPOs)
- A single, centralized backup location to simplify management
- Regular testing and exercises to validate plan effectiveness
- Documented communication and escalation procedures during an incident
- Automatic failover to a hot site without any human notification

Why this answer

The four correct elements are identification of critical business functions and their dependencies, defined RTOs and RPOs, regular testing and exercises, and documented communication and escalation procedures. Identifying critical functions and their dependencies comes first because a BCP must prioritize which systems and processes are essential for survival, so that recovery effort goes to the most vital operations; without this mapping the plan lacks direction and may waste resources on non-critical assets. RTOs and RPOs turn that priority into measurable recovery targets, regular exercises prove the plan works before it is needed, and documented communication and escalation paths keep responders coordinated. A single centralized backup location is a single point of failure rather than a continuity control, and automatic failover with no human notification removes the oversight needed to catch a bad failover.

Exam trap

The trap here is that candidates confuse a BCP with a disaster recovery plan (DRP) and assume that automatic failover without notification is a best practice, when in fact BCPs require human-in-the-loop communication to coordinate response and avoid cascading failures.

4. MCQ (medium)

An IT manager wants a document that defines the mandatory minimum requirements for all company laptops, including full-disk encryption, password length, and screen-lock timing. The help desk also needs a separate document that shows exactly how to enroll a laptop in management software. Which document type should contain the mandatory laptop requirements?

A. Policy, because it gives broad direction without technical detail.
B. Standard, because it defines the required technical settings that must be followed.
C. Procedure, because it gives step-by-step instructions for completing a task.
D. Guideline, because it offers flexible recommendations for administrators.
Answer: B

A standard is the correct document type for mandatory, measurable technical requirements. In this case, the organization needs exact minimum settings for encryption, password length, and screen-lock timing, which are all enforceable specifications. The procedure for enrolling devices would be a separate document that explains how to carry out the requirement, but the baseline technical requirements belong in the standard.

Why this answer

Option B is correct because a standard defines mandatory, specific technical requirements that must be uniformly applied, such as full-disk encryption (e.g., AES-256), minimum password length (e.g., 14 characters), and screen-lock timeout (e.g., 5 minutes). Unlike a policy, which provides high-level direction, a standard enforces precise configuration baselines that all laptops must meet, ensuring compliance and security consistency.

Exam trap

The trap here is confusing a standard with a policy, where candidates mistakenly think a policy can contain technical specifics, but CompTIA tests that a policy is always high-level and a standard provides the mandatory technical details.

How to eliminate wrong answers

Option A is wrong because a policy provides broad, high-level direction without specifying technical details like encryption algorithms or password lengths, so it cannot define mandatory minimum requirements. Option C is wrong because a procedure gives step-by-step instructions for completing a task (e.g., enrolling a laptop in management software), not the mandatory technical settings themselves. Option D is wrong because a guideline offers flexible recommendations, not mandatory requirements, and administrators are not required to follow them.

5. MCQ (easy)

The executive team wants to know which payment services are most critical and how long each can be offline before the business is seriously harmed. Which activity should security support?

A. A tabletop exercise, because leaders are practicing response discussions.
B. A business impact analysis, because it identifies critical functions and outage impact.
C. Incident containment, because the goal is to stop an active breach.
D. Vulnerability scanning, because it finds weaknesses in systems.
Answer: B

A business impact analysis helps determine which services matter most, what impact downtime causes, and how long outages can last before causing serious business harm. It is the right activity when leaders need prioritization and recovery expectations.

Why this answer

A business impact analysis (BIA) is the correct activity because it systematically identifies critical business functions—such as payment processing—and quantifies the maximum tolerable downtime (MTD) and recovery time objectives (RTO). This directly answers the executive team's question about which payment services are most critical and how long each can be offline before causing serious harm.

Exam trap

The trap here is that candidates choose Option A because a tabletop exercise also involves leadership discussion. A tabletop exercise rehearses an existing response plan; it does not identify critical functions or quantify outage impact. Only the BIA formally does that, and its outputs (critical functions, MTD, RTO) are what a later exercise tests.

How to eliminate wrong answers

Option A is wrong because a tabletop exercise is a discussion-based simulation used to test response plans and roles, not a formal process to identify critical functions or quantify outage impact. Option C is wrong because incident containment is a reactive step taken during an active security breach, not a proactive analysis to determine criticality and outage tolerance. Option D is wrong because vulnerability scanning identifies technical weaknesses in systems (e.g., missing patches, misconfigurations), but does not assess business process criticality or the financial/operational impact of downtime.

6. MCQ (medium)

During onboarding, a manager wants a document that explains how to request access to a shared drive, who approves it, and what the help desk must do after approval. Which document type is MOST appropriate?

A. Guideline, because it describes optional best practices for access requests.
B. Procedure, because it provides the ordered steps for requesting and fulfilling access.
C. Policy, because it names the general security principle without implementation detail.
D. Standard, because it should define every case-specific approval path in the organization.
Answer: B

A procedure is the best document for describing the sequence of actions, approvals, and responsibilities involved in a recurring task. In this case, it would tell users how to submit the request, who reviews it, and what the help desk does after approval. Procedures improve consistency and reduce errors in operational workflows.

Why this answer

A procedure is the correct document type because it specifies the exact ordered steps for requesting access to a shared drive, the approval authority, and the help desk's post-approval actions. Unlike a policy, which states high-level security principles, a procedure provides the operational workflow needed for onboarding tasks.

Exam trap

The trap here is confusing a procedure with a policy or standard, where candidates pick 'policy' because it sounds authoritative, but fail to recognize that procedures are the only document type that provides ordered steps for a specific workflow.

How to eliminate wrong answers

Option A is wrong because a guideline describes optional best practices or recommendations, not mandatory steps for access requests. Option C is wrong because a policy defines general security principles (e.g., 'access must be authorized') without implementation details like who approves or what the help desk does. Option D is wrong because a standard sets mandatory, uniform requirements (e.g., encryption strength), not case-specific approval paths or step-by-step instructions.

7. MCQ (medium)

A company is evaluating a new cloud-based customer relationship management (CRM) provider. The provider’s documentation includes a SOC 2 Type II report, but the company’s compliance team specifically requires evidence that data in transit is encrypted using TLS 1.2 or higher, and data at rest is encrypted with AES-256. Which of the following actions best demonstrates that the company has performed proper due diligence in vendor risk management?

A. Request the provider to sign a contractual service-level agreement (SLA) that guarantees encryption compliance.
B. Accept the SOC 2 Type II report as sufficient and proceed without further review.
C. Review the detailed control descriptions and auditor test results within the SOC 2 Type II report that address encryption of data in transit and at rest.
D. Conduct an independent penetration test on the provider's infrastructure before signing the contract.
Answer: C

A SOC 2 Type II report includes a detailed description of controls, the control objectives, and the results of the auditor’s testing over a period of time. Reviewing these specific sections allows the company to verify that encryption controls are designed and operating effectively, which satisfies due diligence requirements for third-party risk management.

Why this answer

Option C is correct because a SOC 2 Type II report includes detailed control descriptions and independent auditor test results that specifically verify whether encryption controls (TLS 1.2+ for data in transit and AES-256 for data at rest) are designed and operating effectively over a period of time. Reviewing these granular details allows the company to confirm compliance with its specific encryption requirements, which is a core component of due diligence in vendor risk management.

Exam trap

The trap here is that candidates assume a SOC 2 Type II report is a blanket certification of all security controls, when in fact it only attests to the controls that were specifically selected and tested, so failing to review the detailed control descriptions can lead to accepting a report that does not cover the required encryption standards.

How to eliminate wrong answers

Option A is wrong because a contractual SLA only promises future compliance without providing any evidence that the encryption controls are currently in place or have been independently verified; it shifts the burden to legal recourse rather than validating technical controls. Option B is wrong because simply accepting the SOC 2 Type II report without reviewing the specific control descriptions and test results fails to confirm that the report actually covers the required encryption standards (TLS 1.2+ and AES-256), as the report may address different controls or scopes. Option D is wrong because an independent penetration test of the provider's infrastructure requires the provider's authorization, is rarely permitted against a shared multi-tenant environment, and would not by itself show that data at rest is encrypted with AES-256; the SOC 2 Type II report already contains independently tested evidence of exactly those controls.

8. Multi-Select (easy)

A manager asks how the security team decides which issue should be fixed first. Which two factors are MOST important to evaluate for each risk?

A. Asset age and user satisfaction
B. Likelihood and impact
C. Vendor popularity and implementation speed
D. Encryption algorithm and screen resolution
Answer: B

Option B names both factors the question asks for. Asset age, user satisfaction, vendor popularity and implementation speed can matter operationally, but they are not the primary inputs to a risk-priority decision.

Why this answer

In risk management, the priority for remediation is determined by evaluating the likelihood of a threat exploiting a vulnerability and the impact of that exploitation on the organization. Likelihood and impact are the two core components of risk calculation (Risk = Likelihood × Impact), making them the most important factors for deciding which issue to fix first. This aligns with the NIST SP 800-30 risk assessment methodology and is a fundamental concept in security program management.

Exam trap

CompTIA often tests the misconception that factors like asset age, vendor popularity, or user satisfaction are relevant to risk prioritization, when in fact only likelihood and impact (or their product) determine which risk to address first.

9. Matching (medium)

Match each awareness-program metric to the interpretation the security team should use. 1. 8% of users clicked the simulated phishing link. 2. 34% of users reported the simulation using the report-phish button. 3. The median time from message delivery to first user report was 12 minutes. 4. 96% of staff completed the annual awareness module.


Pairings
1. 8% of users clicked the simulated phishing link: Click rate
2. 34% of users reported the simulation using the report-phish button: Report rate
3. The median time from message delivery to first user report was 12 minutes: Time to report
4. 96% of staff completed the annual awareness module: Training completion rate

Why these pairings

Each metric guides a different interpretation: click rate measures susceptibility to the lure, report rate shows whether users act on suspicion (a sign of security culture), time to report measures how quickly the security team learns of a campaign, and completion rate reflects training adoption. Read them together: a low click rate with a low report rate means users ignored the message rather than recognized it.
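The four metrics above computed from raw simulation events, as an added example that is not part of the original question bank. The event records, the LMS roster and the user IDs are constructed for the example; a real platform would export equivalent fields. It also computes two figures the question does not ask for but a security team wants next to them: how many clickers went on to report, and how long it took for the first report to arrive.

```python
from datetime import datetime
from statistics import median

# Constructed phishing-simulation records for ten recipients (not real data).
# Timestamps are ISO 8601 strings; None means the event never happened.
SIMULATION = [
    {"user": "u01", "delivered": "2024-03-04T09:00:00", "clicked": None,                  "reported": "2024-03-04T09:05:00"},
    {"user": "u02", "delivered": "2024-03-04T09:00:00", "clicked": None,                  "reported": "2024-03-04T09:12:00"},
    {"user": "u03", "delivered": "2024-03-04T09:00:00", "clicked": "2024-03-04T09:02:00", "reported": None},
    {"user": "u04", "delivered": "2024-03-04T09:00:00", "clicked": None,                  "reported": None},
    {"user": "u05", "delivered": "2024-03-04T09:00:00", "clicked": None,                  "reported": None},
    {"user": "u06", "delivered": "2024-03-04T09:00:00", "clicked": None,                  "reported": None},
    {"user": "u07", "delivered": "2024-03-04T09:00:00", "clicked": "2024-03-04T09:10:00", "reported": "2024-03-04T09:30:00"},
    {"user": "u08", "delivered": "2024-03-04T09:00:00", "clicked": None,                  "reported": None},
    {"user": "u09", "delivered": "2024-03-04T09:00:00", "clicked": None,                  "reported": "2024-03-04T09:03:00"},
    {"user": "u10", "delivered": "2024-03-04T09:00:00", "clicked": None,                  "reported": None},
]

# Constructed LMS roster: user -> completed the annual module?
TRAINING_ROSTER = {f"u{i:02d}": True for i in range(1, 11)}
TRAINING_ROSTER["u10"] = False


def _minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def awareness_metrics(events, roster):
    """Compute the four metrics from the question plus two supporting figures."""
    n = len(events)
    clicked = [e for e in events if e["clicked"]]
    reported = [e for e in events if e["reported"]]
    delays = [_minutes_between(e["delivered"], e["reported"]) for e in reported]
    return {
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        # Users who clicked first and then reported still count in both rates;
        # they are the audience for a "report it even after you clicked" message.
        "clicked_then_reported": sum(1 for e in clicked if e["reported"]),
        # Median delay over all reporters: how fast a typical alert user reacts.
        "median_minutes_to_report": median(delays) if delays else None,
        # Delay until the security team received its first signal of the campaign.
        "minutes_to_first_report": min(delays) if delays else None,
        "training_completion_rate": sum(roster.values()) / len(roster),
    }


if __name__ == "__main__":
    for name, value in awareness_metrics(SIMULATION, TRAINING_ROSTER).items():
        print(f"{name:28s} {value}")
```

On the constructed data the click rate is 0.2, the report rate 0.4, the median time to report 8.5 minutes and the first report arrives after 3 minutes. The median and the first-report figures answer different questions: the median describes user behaviour, the minimum describes how long the campaign ran before anyone in security could act on it.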

10. MCQ (medium)

A Linux operations team is building a new production gold image for database servers. Security requires every build to disable password-based SSH, enable audit logging, use the company NTP servers, and remove the desktop package set. The admins need a document that defines these exact required settings and allows exceptions only through formal approval. Which artifact should be used?

A. Policy
B. Baseline
C. Guideline
D. Procedure
Answer: B

A baseline defines the approved, specific secure configuration that systems should meet. It fits exact required settings.

Why this answer

A baseline defines the minimum security configuration that must be applied to all systems, such as disabling password-based SSH, enabling audit logging, using specific NTP servers, and removing unnecessary packages. It is the correct artifact because it specifies required settings and allows exceptions only through formal approval, which aligns with the scenario's need for a mandatory configuration standard. Policies are high-level statements of intent, guidelines are recommendations, and procedures are step-by-step instructions, none of which enforce mandatory settings with exception control.

Exam trap

The trap here is confusing a policy (high-level intent) with a baseline (specific mandatory settings), leading candidates to choose 'Policy' because they think it governs all security, but baselines are the actual technical enforcement documents that require formal exceptions.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level statement of management intent (e.g., 'All systems must be secure') and does not define specific technical settings like disabling password-based SSH or removing desktop packages. Option C is wrong because a guideline is a recommendation or best practice that is not mandatory and does not enforce required settings or require formal approval for exceptions. Option D is wrong because a procedure is a detailed step-by-step process for performing a task (e.g., how to install an OS), not a document that defines required configuration settings with exception control.
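A baseline is only useful if builds are checked against it, so here is an added example (not from the original question bank) that expresses the scenario's four requirements as data and checks a build against them. The `sshd -T` output, package list, chrony configuration, NTP hostnames and the change-ticket ID are all constructed for the example. Findings covered by an approved exception are reported separately from failures, which models the "exceptions only through formal approval" requirement.

```python
import re

# The baseline as data (constructed to match the scenario's four requirements;
# the NTP hostnames and package names are hypothetical).
BASELINE = {
    "sshd": {"passwordauthentication": "no", "pubkeyauthentication": "yes"},
    "required_packages": {"auditd"},
    "forbidden_package_prefixes": ("gnome-", "kde-", "xorg-x11-server"),
    "ntp_servers": {"ntp1.corp.example", "ntp2.corp.example"},
}

# Constructed inputs standing in for `sshd -T`, `rpm -qa` / `dpkg -l`, and chrony.conf.
SSHD_COMPLIANT = "port 22\npasswordauthentication no\npubkeyauthentication yes\n"
SSHD_DRIFTED = "port 22\npasswordauthentication yes\npubkeyauthentication yes\n"
PKGS_COMPLIANT = ["openssh-server", "auditd", "chrony", "postgresql-server"]
PKGS_DRIFTED = ["openssh-server", "chrony", "postgresql-server", "gnome-shell"]
CHRONY_COMPLIANT = "server ntp1.corp.example iburst\nserver ntp2.corp.example iburst\n"
CHRONY_DRIFTED = "pool 2.pool.ntp.org iburst\n"


def parse_sshd_effective(text: str) -> dict:
    """Parse `sshd -T` style 'keyword value' lines into a dict of lowercase strings."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().lower()
    return settings


def parse_chrony_servers(text: str) -> set:
    """Collect hostnames from 'server <host> ...' and 'pool <host> ...' lines."""
    servers = set()
    for line in text.splitlines():
        m = re.match(r"\s*(server|pool)\s+(\S+)", line)
        if m:
            servers.add(m.group(2))
    return servers


def check_baseline(sshd_text, packages, chrony_text, approved_exceptions=None):
    """Return (failures, exceptions). Each failure is (control, detail); each
    exception is (control, detail, change_ticket) for controls listed in
    approved_exceptions, so a drift that was formally approved is visible but
    does not fail the build."""
    approved_exceptions = approved_exceptions or {}
    findings = []

    sshd = parse_sshd_effective(sshd_text)
    for key, wanted in BASELINE["sshd"].items():
        if sshd.get(key) != wanted:
            findings.append((f"sshd:{key}", f"expected {wanted}, got {sshd.get(key)}"))

    installed = set(packages)
    for pkg in sorted(BASELINE["required_packages"] - installed):
        findings.append((f"package:{pkg}", "required package missing"))
    for pkg in sorted(installed):
        if pkg.startswith(BASELINE["forbidden_package_prefixes"]):
            findings.append((f"package:{pkg}", "desktop package present"))

    servers = parse_chrony_servers(chrony_text)
    if servers != BASELINE["ntp_servers"]:
        findings.append(("ntp", f"servers {sorted(servers)} != approved set"))

    failures, exceptions = [], []
    for control, detail in findings:
        if control in approved_exceptions:
            exceptions.append((control, detail, approved_exceptions[control]))
        else:
            failures.append((control, detail))
    return failures, exceptions


if __name__ == "__main__":
    fails, excs = check_baseline(SSHD_DRIFTED, PKGS_DRIFTED, CHRONY_DRIFTED,
                                 {"package:gnome-shell": "CHG-0000"})  # hypothetical ticket
    print("failures:", fails)
    print("approved exceptions:", excs)
```

The check reads the effective sshd configuration rather than the config file because `Match` blocks and defaults can make the file and the running daemon disagree; `sshd -T` prints what the daemon will actually enforce.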

11. MCQ (medium)

A business unit is worried about the financial impact of a rare but severe data center outage. After reviewing the risk register, leadership decides to purchase cyber insurance and document the remaining exposure rather than redesign the entire platform. Which risk treatment is this?

A. Risk transfer
B. Risk avoidance
C. Risk mitigation
D. Risk acceptance
Answer: A

Risk transfer shifts some financial impact to a third party, such as through insurance or a contractual liability arrangement.

Why this answer

The correct answer is A (Risk transfer) because purchasing cyber insurance transfers the financial risk of a data center outage to an insurance provider. The business unit is not avoiding the risk by redesigning the platform, nor are they mitigating it through technical controls; they are simply documenting the residual exposure after transferring the monetary impact. This aligns with the risk treatment strategy of shifting the burden of loss to a third party.

Exam trap

The trap here is that candidates read 'document the remaining exposure' as the treatment itself. Documenting residual risk follows any treatment; the action taken against the outage risk, buying insurance, is a transfer of financial liability. It is not mitigation, which would reduce likelihood or impact through controls, and it is not acceptance of the full exposure.

How to eliminate wrong answers

Option B (Risk avoidance) is wrong because the business unit is not eliminating the risk by ceasing operations or redesigning the platform; they are accepting the outage's possibility and insuring against it. Option C (Risk mitigation) is wrong because mitigation involves implementing controls (e.g., redundancy, failover clusters, or backup power) to reduce the likelihood or impact of the outage, not purchasing insurance to cover financial losses. Option D (Risk acceptance) is wrong because acceptance would mean retaining the full financial exposure without insurance; what is documented here is only the residual risk left after the transfer.

12. MCQ (hard)

Based on the exhibit, which risk should be prioritized first under the company's likelihood-impact scoring model?

A. R-101, because manual review means the risk is already partially controlled.
B. R-102, because a cheaper remediation always has priority over a higher total score.
C. R-103, because critical impact always outweighs likelihood in the matrix.
D. R-104, because it has the highest likelihood-impact score in the register.
Answer: D

R-104 scores 16, which is higher than the other listed risks under the stated 1-to-5 model. Since the organization can fund only one risk this quarter, the highest scored item should be prioritized first. The current backup power helps resilience, but it does not reduce the fact that this is the largest remaining risk in the matrix.

Why this answer

Option D is correct because R-104 has the highest likelihood-impact score in the register (16 under the 1-to-5 model, where the highest possible score is 25), and under a likelihood-impact scoring model the risk with the highest product (or sum, depending on the stated model) of likelihood and impact is remediated first. This is the semi-quantitative ranking method the CompTIA SY0-701 objectives describe for risk registers; it ranks risks by overall severity, not by any single factor.

Exam trap

CompTIA often tests the misconception that a single factor (like critical impact or low cost) overrides the composite risk score, but the correct prioritization always follows the calculated likelihood-impact product or sum as shown in the register.

How to eliminate wrong answers

Option A is wrong because manual review does not automatically reduce the risk score; it is a control that may lower likelihood or impact, but the exhibit shows R-101 has a lower total score than R-104, so it should not be prioritized first. Option B is wrong because cheaper remediation does not inherently take priority over a higher total score; risk prioritization is based on the likelihood-impact score, not cost, unless a cost-benefit analysis explicitly overrides. Option C is wrong because critical impact alone does not outweigh likelihood in the matrix; the scoring model multiplies or adds both factors, so a risk with lower likelihood but critical impact may have a lower total score than one with high likelihood and high impact.
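The scoring model behind questions 8 and 12, implemented as an added example (not part of the original question bank). The register below is constructed, since the exhibit itself is not reproduced on the page: the IDs R-201 to R-204, the descriptions and the remediation costs are invented, with R-204 scoring 16 as the explanation above describes. The sort key shows where cost legitimately enters: it breaks ties after the composite score, and it decides what fits in a fixed budget, but it never outranks the score.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the 1-to-5 likelihood and impact scale from the question


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    remediation_cost: int  # constructed annual cost in USD; not a scoring input

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{self.risk_id}: {name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # multiplicative model; maximum 25


def rating(score: int) -> str:
    """Banding used to colour a heat map; the thresholds are a common convention."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritize(risks):
    """Highest composite score first. Impact, then cost, only break ties,
    which is the point options B and C in the question miss."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.remediation_cost))


def fund(risks, budget: int):
    """Walk the prioritized list and fund what fits; returns the funded IDs."""
    funded = []
    for r in prioritize(risks):
        if r.remediation_cost <= budget:
            funded.append(r.risk_id)
            budget -= r.remediation_cost
    return funded


# Constructed register; values chosen to mirror the traps in the four options.
REGISTER = [
    Risk("R-201", "Vendor invoices approved by manual review only", 3, 3, 15_000),
    Risk("R-202", "Expired TLS certificate on an internal portal", 2, 4, 2_000),
    Risk("R-203", "Loss of the primary data centre", 1, 5, 40_000),
    Risk("R-204", "Single untested generator for the data centre", 4, 4, 25_000),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.risk_id} L={r.likelihood} I={r.impact} score={r.score:2d} {rating(r.score):8s} {r.description}")
    print("funded with 25k:", fund(REGISTER, 25_000))
```

R-203 is the option C trap: impact 5 is the highest in the register, yet its score of 5 puts it last. R-202 is the option B trap: cheapest to fix, but its score of 8 keeps it behind R-204 and R-201, and it is only funded when budget remains after the higher-scored item.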

13. MCQ (hard)

Based on the exhibit, which document type should the organization update if it wants the listed endpoint settings to be mandatory baseline requirements?

A. Policy, because it defines the organization's broad security intent and direction.
B. Standard, because it defines mandatory minimum settings that all systems must meet.
C. Procedure, because it provides the exact steps administrators follow to configure the setting.
D. Guideline, because it is the least restrictive document for endpoint protection.
Answer: B

Standards are the right place for mandatory, measurable requirements like encryption, lock timers, and password length. The exhibit already shows those exact settings in the standard excerpt. Policy states the broad intent, procedures describe how to implement it, and guidelines remain advisory rather than compulsory.

Why this answer

A standard is the correct document type because it defines mandatory, minimum-security configuration requirements that all systems must meet, such as specific endpoint settings. Unlike a policy, which states broad intent, a standard provides the enforceable baseline that ensures consistent security posture across the organization.

Exam trap

The trap here is confusing a policy's broad intent with a standard's enforceable baseline, leading candidates to select 'Policy' because they think it is the highest-level document, when in fact standards are the correct document type for mandatory technical requirements.

How to eliminate wrong answers

Option A is wrong because a policy defines the organization's broad security intent and direction, not the specific mandatory baseline settings for endpoints. Option C is wrong because a procedure provides the exact step-by-step instructions for administrators to configure settings, but it does not define the mandatory baseline requirements themselves. Option D is wrong because a guideline is advisory and the least restrictive document, offering recommendations rather than mandatory minimum requirements.

14. MCQ (medium)

After a phishing simulation, many users still almost submitted credentials to a fake Microsoft login page. Security wants to reduce repeat mistakes quickly without interrupting daily work. Which approach is best?

A. Send one enterprise-wide warning email listing every phishing indicator the users should memorize.
B. Require all employees to retake the full annual security course immediately.
C. Use short, targeted awareness messages with screenshots of the actual lure and an easy reporting path.
D. Remove email access for any user who clicked the simulation link.
Answer: C

This is the best balance because it addresses the specific mistake with focused coaching and minimal operational disruption.

Why this answer

Option C is correct because it uses just-in-time, context-specific training that directly addresses the observed behavior without disrupting workflow. By showing users the exact lure they encountered and providing a simple reporting path, the organization reinforces recognition of the specific phishing technique and encourages immediate reporting, which is more effective than generic warnings or lengthy retraining for reducing repeat mistakes quickly.

Exam trap

The trap here is that candidates may choose Option A (broad warning) because it seems quick and comprehensive, but they overlook that targeted, behavior-specific messaging is far more effective for changing user behavior than generic information overload.

How to eliminate wrong answers

Option A is wrong because a single enterprise-wide warning email listing every phishing indicator is too generic and overwhelming; users are unlikely to memorize a long list, and the lack of context-specific examples reduces retention and behavioral change. Option B is wrong because requiring all employees to retake the full annual security course immediately is disruptive to daily work, time-consuming, and not targeted to the specific phishing lure that was used, making it inefficient for quick remediation. Option D is wrong because removing email access for users who clicked the simulation link is punitive and counterproductive; it does not educate users, may create resentment, and removes the opportunity for them to practice safe reporting behaviors, while also potentially hindering their daily work.

15. MCQ (easy)

A security manager wants evidence that annual security awareness training was completed by employees. Which artifact is the best proof?

A. A training completion report exported from the learning system
B. A copy of the company logo used on the training slides
C. A list of office supplies purchased last quarter
D. A screenshot of the company's public homepage
Answer: A

A completion report directly shows who finished the training, when they completed it, and whether any users are still outstanding.

Why this answer

A training completion report exported from the learning system is the best proof because it provides a verifiable, timestamped record of each employee's completion status, including user IDs, course names, completion dates, and scores. This artifact directly demonstrates that the training was actually completed, not just assigned or attended, and can be audited against the organization's training policy.

Exam trap

The trap here is that candidates might think a visual artifact like a logo or homepage screenshot proves training occurred, but CompTIA tests the understanding that only a system-generated, auditable report with user-specific completion data constitutes valid evidence.

How to eliminate wrong answers

Option B is wrong because a copy of the company logo used on training slides is merely a branding element and provides no evidence of employee participation or completion. Option C is wrong because a list of office supplies purchased last quarter is unrelated to security awareness training and cannot demonstrate any training activity. Option D is wrong because a screenshot of the company's public homepage shows only the external-facing website and contains no data about internal training records or employee completion status.

16. MCQ (medium)

Leadership is deciding between two security controls for a customer portal outage risk. Finance wants to compare the options in dollars, using expected loss, not just a high/medium/low rating. Which approach should the analyst use?

A. Quantitative risk analysis, because it expresses likelihood and impact in monetary terms.
B. Qualitative risk analysis, because it uses categories like critical, medium, and low.
C. Business impact analysis, because it identifies which business processes are important.
D. Risk avoidance, because eliminating the activity removes the threat completely.
Answer: A

Quantitative risk analysis is the right method when decision-makers want financial comparisons. It uses numerical estimates such as annual loss expectancy, cost of control, and probable impact in dollars. That allows leadership to compare mitigation options against the expected reduction in loss and make a budget-based decision. In this situation, the business specifically wants a dollar-based analysis rather than a subjective ranking.

Why this answer

Quantitative risk analysis (A) is correct because it assigns monetary values to both the likelihood and impact of a risk, enabling a direct dollar-based comparison of expected loss. The Finance team's requirement for a dollar comparison rules out qualitative ratings, making quantitative analysis the only approach that meets their needs.

Exam trap

The trap here is that candidates often confuse qualitative risk analysis with quantitative, thinking that any risk assessment that uses categories is sufficient, but the question explicitly demands monetary comparison, which only quantitative analysis provides.

How to eliminate wrong answers

Option B is wrong because qualitative risk analysis uses categories like high/medium/low, not monetary values, so it cannot provide the dollar-based comparison Finance requested. Option C is wrong because a business impact analysis (BIA) identifies critical processes and recovery priorities, but it does not calculate expected loss in monetary terms for comparing security controls. Option D is wrong because risk avoidance eliminates the activity entirely, which is a risk treatment strategy, not an analysis method for comparing control costs in dollars.
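The dollar comparison Finance asks for, worked through as an added example (not part of the original question bank). It uses the standard quantitative terms: single loss expectancy (SLE = asset value x exposure factor) and annual loss expectancy (ALE = SLE x annual rate of occurrence), then values each control as ALE before, minus ALE after, minus the control's annual cost. The portal figures and the three control options are constructed for the example.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the loss from one occurrence."""
    return asset_value * exposure_factor


def annual_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def evaluate_control(asset_value, ef_before, aro_before, ef_after, aro_after, annual_cost):
    """Net annual benefit = ALE(before) - ALE(after) - annual cost of the control.
    A negative value means the control costs more than the loss it prevents."""
    ale_before = annual_loss_expectancy(asset_value, ef_before, aro_before)
    ale_after = annual_loss_expectancy(asset_value, ef_after, aro_after)
    net = ale_before - ale_after - annual_cost
    return {
        "ale_before": round(ale_before, 2),
        "ale_after": round(ale_after, 2),
        "net_benefit": round(net, 2),
        # Return on security investment: net benefit per dollar of control spend.
        "rosi": round(net / annual_cost, 3) if annual_cost else None,
    }


def choose_control(asset_value, ef, aro, options):
    """options: name -> (ef_after, aro_after, annual_cost). Returns the option
    with the highest positive net benefit, or None if nothing pays for itself."""
    best_name, best_net = None, 0.0
    for name, (ef_after, aro_after, cost) in options.items():
        net = evaluate_control(asset_value, ef, aro, ef_after, aro_after, cost)["net_benefit"]
        if net > best_net:
            best_name, best_net = name, net
    return best_name


# Constructed figures for the portal outage risk (not from the question).
PORTAL_VALUE = 2_000_000   # annual revenue that depends on the portal
EF = 0.25                  # fraction of that value lost in one serious outage
ARO = 0.5                  # one serious outage every two years
OPTIONS = {
    # name: (EF after, ARO after, annual cost)
    "active-active second region": (0.25, 0.10, 60_000),        # outages become rare
    "warm standby with faster restore": (0.15, 0.50, 20_000),   # outages shorter, not rarer
    "fully redundant platform rebuild": (0.25, 0.00, 300_000),  # no outages, but too costly
}


if __name__ == "__main__":
    for name, params in OPTIONS.items():
        print(f"{name:34s}", evaluate_control(PORTAL_VALUE, EF, ARO, *params))
    print("recommended:", choose_control(PORTAL_VALUE, EF, ARO, OPTIONS))
```

With these inputs the baseline ALE is $250,000. The second region nets $140,000 a year, the warm standby $80,000, and the full rebuild loses $50,000 because its cost exceeds the whole expected loss. Note that the warm standby has the higher ROSI (4.0 against 2.33); the selection uses net benefit because the question is which control reduces expected loss most for the budget, not which dollar is spent most efficiently.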

17. MCQ (medium)

A support team wants to export customer tickets into a test analytics environment so developers can search real examples while minimizing privacy exposure. The exported data includes names, email addresses, and account IDs that are not needed for the test. What is the best first step?

A. Export the full dataset and restrict access with a shared password
B. Remove or tokenize unneeded personal identifiers before export
C. Keep the data unchanged because the test environment is internal
D. Store the export indefinitely because development data is exempt from retention rules
Answer: B

Removing or tokenizing unnecessary personal data supports privacy-by-design and data minimization before the information leaves the production environment.

Why this answer

Option B is correct because data minimization is a core privacy principle: before exporting data to a test environment, any personally identifiable information (PII) not required for the analytics task should be removed or tokenized. This reduces the attack surface and ensures compliance with privacy regulations (e.g., GDPR, CCPA) without sacrificing the utility of the real customer ticket examples.

Exam trap

The trap here is that candidates assume internal environments are automatically secure, leading them to choose Option C, but the SY0-701 exam emphasizes that data protection controls must be applied consistently regardless of environment boundaries.

How to eliminate wrong answers

Option A is wrong because restricting access with a shared password does not remove the unneeded personal identifiers; it only adds a weak, shared credential that can be easily compromised, leaving the full PII exposed in the test environment. Option C is wrong because keeping the data unchanged assumes an internal test environment is inherently safe, which ignores the risk of insider threats, misconfigurations, or data leaks; privacy protections must be applied regardless of environment classification.

18
Drag & Drop · medium

Drag and drop the steps to perform a factory reset on a managed switch into the correct order.

Why this order

Factory reset clears all configuration; the exact method may vary by vendor, but typically involves holding a button during power-on.

19
Multi-Select · medium

An organization is implementing a third-party vendor risk management program. Which three of the following should be included as key activities to maintain oversight of vendor security? (Choose three.)

Select 3 answers
- Performing due diligence assessments before onboarding new vendors
- Requiring all vendors to use the same password manager as the organization
- Including security requirements in contracts and service-level agreements
- Conducting periodic security reviews or audits of critical vendors
- Providing vendor staff with direct access to internal source code repositories
- Automatically renewing vendor contracts unless a security incident occurs

Why this answer

Performing due diligence assessments before onboarding new vendors is correct because it allows the organization to evaluate a vendor's security posture, compliance, and risk level before any contractual relationship begins. This proactive step helps identify potential vulnerabilities or gaps that could expose the organization to third-party risks, aligning with the NIST SP 800-161 supply chain risk management framework.

Exam trap

The trap here is that candidates may mistakenly think requiring vendors to use the same password manager is a valid oversight activity, but it is an operational control that violates vendor autonomy and does not fit the definition of key vendor risk management program activities.

20
MCQ · medium

A business owner asks the security team to compare the cost of two controls for a legacy application in dollar terms. The team estimates the annual chance of a breach, the potential loss per event, and the expected yearly loss after each control is applied. Which risk analysis approach is being used?

A. Qualitative risk analysis
B. Quantitative risk analysis
C. Business impact analysis
D. Risk acceptance
Answer: B

Quantitative analysis uses numeric values such as probability, impact, and annualized loss to compare controls financially.

Why this answer

The question describes a risk analysis that uses dollar values for the annual chance of a breach, potential loss per event, and expected yearly loss after controls are applied. This is the hallmark of quantitative risk analysis, which assigns monetary or numerical values to risk components (e.g., ALE = SLE × ARO) to compare control costs in objective financial terms. The scenario explicitly asks for a cost comparison in dollar terms, which only a quantitative approach can provide.

Exam trap

Cisco often tests the distinction between quantitative and qualitative risk analysis by embedding monetary terms in the scenario, leading candidates to mistakenly choose qualitative analysis when they see subjective-sounding phrases like 'annual chance' without recognizing that dollar values are the key indicator of a quantitative approach.

How to eliminate wrong answers

Option A is wrong because qualitative risk analysis uses subjective ratings (e.g., high/medium/low) rather than specific dollar amounts to assess risk, so it cannot produce the precise cost comparison described. Option C is wrong because business impact analysis (BIA) focuses on identifying critical business functions and their recovery priorities, not on comparing the cost of controls in dollar terms. Option D is wrong because risk acceptance is a risk treatment strategy where the organization acknowledges the risk without implementing additional controls, not a method for analyzing or comparing control costs.

21
Matching · medium

Match each audit request to the best evidence artifact.

1. Auditors want proof that managers reviewed privileged access last quarter.
2. Auditors want evidence that an emergency firewall change was approved before implementation.
3. Auditors want to verify that annual security training was completed by staff.
4. Auditors want to confirm that records were deleted after the retention period expired.

Matches

1. Access review attestation report
2. Approved change ticket
3. LMS completion export
4. Retention deletion log

Why these pairings

Each audit request requires specific evidence: access reviews show manager sign-offs, change requests prove pre-approval, training records confirm completion, and deletion logs demonstrate data disposal per policy.

22
MCQ · medium

A marketing analyst asks for a spreadsheet containing customer names, email addresses, purchase history, and government ID numbers so the team can build a campaign list. What is the BEST security response?

A. Approve the request because the data is needed for any marketing activity.
B. Provide only the minimum fields required and remove the government ID numbers.
C. Send the full file, but ask the analyst not to store it permanently.
D. Classify the file as public so it can be shared more easily with the marketing team.
Answer: B

This follows data minimization and handling requirements by sharing only what is necessary for the business purpose. Government ID numbers are highly sensitive and are not needed for a typical marketing campaign. Limiting the dataset reduces privacy exposure, lowers compliance risk, and helps ensure the data is used appropriately.

Why this answer

The best security response is to apply the principle of least privilege and data minimization. Government ID numbers are sensitive personally identifiable information (PII) that are not necessary for building a marketing campaign list; providing only the minimum required fields (e.g., names and email addresses) reduces the risk of exposure and complies with data protection regulations like GDPR or CCPA.

Exam trap

The trap here is that candidates may think 'asking not to store it permanently' is a sufficient control, but the SY0-701 exam emphasizes that administrative controls without technical enforcement (like DLP policies or data classification labels) are ineffective against data leakage.

How to eliminate wrong answers

Option A is wrong because approving the request without any data reduction violates the principle of least privilege and exposes unnecessary sensitive PII, which could lead to compliance violations and data breaches. Option C is wrong because sending the full file with only a verbal request not to store it permanently provides no technical enforcement; data can be easily copied, stored, or leaked, and this approach ignores the need for access controls and data classification. Option D is wrong because classifying the file as public would allow unrestricted access to sensitive PII, directly contradicting security policies and data protection requirements.

23
Multi-Select · medium

An HR analyst must share a spreadsheet with an external auditor. The spreadsheet includes employee names, Social Security numbers, bank account numbers, and salary data, but the auditor only needs employee names and total payroll. Which three actions best protect the data? Select three.

Select 3 answers
A. Remove fields the auditor does not need before sharing the file.
B. Send the file using an encrypted transfer method.
C. Share the file only with the named auditor account or approved firm contact.
D. Leave the full spreadsheet intact because the auditor requested a copy.
E. Post the spreadsheet in a shared public portal for easier access.
Answers: A, B, C

Data minimization reduces exposure by sharing only the information required for the audit task.

Why this answer

Option A is correct because removing unnecessary fields (e.g., Social Security numbers, bank account numbers) before sharing the spreadsheet minimizes the exposure of sensitive personally identifiable information (PII) and financial data. This practice, known as data minimization, aligns with the principle of least privilege and reduces the risk of unauthorized access or data breach. By stripping out extraneous columns, the HR analyst ensures the auditor receives only the required data (employee names and total payroll), thereby protecting the organization from compliance violations under regulations like GDPR or PCI DSS.

Exam trap

The trap here is that candidates may think leaving the full spreadsheet intact is acceptable because the auditor 'requested a copy,' but CompTIA tests the principle of least privilege and data minimization, meaning you must always remove unnecessary sensitive data before sharing with external parties.

24
MCQ · medium

A help desk manager wants sample customer tickets copied into a test environment so developers can reproduce support issues. The tickets include names, phone numbers, and account details. Which action best reduces privacy exposure while still supporting testing?

A. Export the full tickets because the developers need realistic records.
B. Mask or tokenize the personal data and restrict access to approved testers only.
C. Copy the tickets to a shared cloud drive and protect it with a simple password.
D. Remove the account numbers only and leave the rest of the ticket untouched.
Answer: B

Masking or tokenizing personal data follows privacy-by-design principles by reducing exposure while preserving enough structure for testing. Limiting access further reduces the chance of improper handling. This approach allows developers to reproduce issues without using unnecessary real customer information, which supports data minimization and secure sharing requirements.

Why this answer

Option B is correct because masking or tokenizing personal data (e.g., replacing names with pseudonyms, scrambling phone numbers) ensures that developers can work with realistic data structures without exposing personally identifiable information (PII). Restricting access to approved testers further enforces the principle of least privilege, which is a core security control for test environments. This approach balances the need for functional testing with compliance requirements like GDPR or HIPAA.

Exam trap

The trap here is that candidates may choose Option A, thinking that 'realistic records' are essential for testing, without recognizing that realistic data can be achieved through masking rather than exposing raw PII.

How to eliminate wrong answers

Option A is wrong because exporting full tickets with unredacted PII directly violates data minimization and exposes sensitive data unnecessarily, increasing the risk of a breach even in a test environment. Option C is wrong because copying tickets to a shared cloud drive with only a simple password lacks encryption, access controls, and audit logging, which are essential for protecting PII; a simple password is easily compromised and does not meet security best practices for handling sensitive data.

25
MCQ · easy

A department identifies a low-likelihood software risk that would be expensive to fix right now. Leadership decides the business can live with the exposure for now, but wants it documented and reviewed later. What risk treatment is this?

A. Mitigate the risk by applying a technical control immediately
B. Accept the risk with documented approval and periodic review
C. Transfer the risk to an insurer or third party
D. Avoid the risk by stopping the business activity entirely
Answer: B

Acceptance is appropriate when leadership decides the current risk level is tolerable and the cost or disruption of fixing it is not justified right away.

Why this answer

The scenario describes a low-likelihood, high-cost software risk that leadership chooses to tolerate rather than fix immediately. This is the definition of risk acceptance, which requires documented approval and periodic review to ensure the risk remains acceptable over time. The correct risk treatment is to formally accept the exposure with a record of the decision and a schedule for reassessment.

Exam trap

The trap here is that candidates often confuse risk acceptance with risk mitigation, thinking that documenting a risk means a control is applied, but acceptance explicitly means no control is implemented and the exposure is tolerated with formal sign-off.

How to eliminate wrong answers

Option A is wrong because mitigation would require applying a technical control immediately, which contradicts the scenario's premise that the fix is too expensive and the business can live with the exposure. Option C is wrong because transferring the risk would involve shifting the financial impact to an insurer or third party via a contract or insurance policy, not simply documenting and reviewing the risk internally. Option D is wrong because avoidance means stopping the business activity entirely, which is not what leadership wants; they want to continue the activity while accepting the residual risk.

26
MCQ · easy

Based on the exhibit, which governance artifact is the security team reviewing?

A. Policy, because it describes the organization's overall intent and direction.
B. Standard, because it sets mandatory technical requirements for systems.
C. Baseline, because it defines the approved minimum configuration for a system type.
D. Procedure, because it gives step-by-step instructions for completing a task.
Answer: C

A baseline is the correct term when a document defines the minimum approved configuration for a class of systems. The exhibit shows a named configuration for all production Linux servers, includes specific required settings, and is approved for consistent use. That matches the purpose of a baseline much better than a policy, guideline, or procedure.

Why this answer

The exhibit shows a list of approved operating systems, software versions, and patches for a specific system type (e.g., Windows 10 22H2 with specific security updates). This is a baseline, which defines the minimum acceptable configuration for a system type. Option C is correct because a baseline establishes a known good state that systems must meet, not just intent (policy), mandatory technical requirements (standard), or step-by-step instructions (procedure).

Exam trap

The trap here is that candidates confuse a baseline with a standard, but a standard is broader (e.g., 'use HTTPS') while a baseline is specific (e.g., 'TLS 1.2 with these cipher suites'), so the detailed version list in the exhibit points to a baseline, not a standard.

How to eliminate wrong answers

Option A is wrong because a policy describes high-level intent and direction (e.g., 'All systems must be secured'), not the specific approved configuration list shown. Option B is wrong because a standard sets mandatory technical requirements (e.g., 'All systems must use AES-256 encryption'), but the exhibit lists exact versions and patches, which is a baseline, not a broad requirement. Option D is wrong because a procedure provides step-by-step instructions (e.g., 'How to apply the baseline'), whereas the exhibit itself is the configuration list, not the steps to implement it.

27
MCQ · easy

A supplier tells your company it wants to use a new subcontractor to process customer data. What is the BEST contract control to reduce this risk?

A. Require the vendor to notify the company before adding subcontractors
B. Allow subcontractors without review if the vendor remains responsible
C. Only require a verbal promise that the subcontractor is secure
D. Remove all contract language related to third parties
Answer: A

Notification requirements help the company know when the supplier changes its processing model, especially when customer data may move to a new organization. This gives security, legal, and privacy teams a chance to review the new arrangement, confirm acceptable terms, and decide whether additional controls or approval are needed before the change takes effect.

Why this answer

Requiring the vendor to notify the company before adding subcontractors is the best contract control because it ensures the company retains visibility and approval authority over any third party that will process customer data. This aligns with the principle of due diligence and third-party risk management, as the company can assess the subcontractor's security posture before data is shared. Without such a clause, the vendor could unilaterally introduce a subcontractor with inadequate security controls, increasing the risk of a data breach or compliance violation.

Exam trap

The trap here is that candidates may assume 'vendor remains responsible' (Option B) is sufficient, but the exam tests the understanding that contractual responsibility does not eliminate the need for proactive risk assessment and notification controls to prevent unauthorized data exposure.

How to eliminate wrong answers

Option B is wrong because allowing subcontractors without review, even if the vendor remains responsible, removes the company's ability to vet the subcontractor's security practices, which could lead to a breach that the vendor may not be able to remediate effectively. Option C is wrong because a verbal promise is not enforceable and provides no documented evidence of security compliance, making it impossible to audit or hold the vendor accountable. Option D is wrong because removing all contract language related to third parties eliminates any contractual safeguards, leaving the company with no legal recourse or control over how customer data is handled by the vendor or its subcontractors.

28
MCQ · medium

A procurement team is evaluating a payroll SaaS vendor. They want independent evidence that the vendor's controls were designed and operating effectively over the last six months, not just at a single point in time. Which report should they request?

A. SOC 1 Type I report
B. SOC 2 Type II report
C. Non-disclosure agreement
D. Network penetration test letter
Answer: B

A Type II report covers a period of time and evaluates whether controls operated effectively during that period.

Why this answer

A SOC 2 Type II report provides independent assurance that a vendor's controls related to security, availability, processing integrity, confidentiality, or privacy were designed and operating effectively over a period of time (typically 6–12 months). This matches the procurement team's requirement for evidence of sustained control effectiveness, not just a point-in-time snapshot.

Exam trap

The trap here is that candidates often confuse Type I (point-in-time design) with Type II (operating effectiveness over time), or mistakenly think a SOC 1 report covers security controls when it is actually focused on financial reporting controls.

How to eliminate wrong answers

Option A is wrong because a SOC 1 Type I report evaluates the design of controls at a single point in time, not their operating effectiveness over a period, and it focuses on controls relevant to financial reporting rather than the broader security and privacy controls needed for a payroll SaaS vendor. Option C is wrong because a non-disclosure agreement is a legal contract to protect confidential information, not an audit report that provides evidence of control design and operating effectiveness.

29
MCQ · hard

Based on the exhibit, which system should be restored first after a total site outage?

A. Payroll, because it has the shortest maximum tolerable downtime and the strongest compliance impact.
B. Customer portal, because it produces the largest daily revenue loss and has the shortest RPO.
C. Email, because restoring communication always takes precedence over all other services.
D. Dev test lab, because lower business impact means it is easiest to restore first.
Answer: A

Payroll must be restored first because its maximum tolerable downtime is only eight hours, which is tighter than every other system listed. The exhibit also notes regulatory penalties if a payroll cycle is missed, making this system both time-sensitive and business-critical. In a recovery sequence, the system with the most restrictive business requirement generally receives priority.

Why this answer

Payroll should be restored first because it has the shortest maximum tolerable downtime (MTD) and the strongest compliance impact. In disaster recovery, systems with the lowest MTD must be prioritized to avoid exceeding the recovery time objective (RTO), and compliance-driven systems like payroll often carry legal or regulatory penalties for extended outages.

Exam trap

The trap here is that candidates often prioritize systems based solely on revenue loss or a general assumption (like communication first), ignoring the critical role of MTD and compliance impact in determining restoration order.

How to eliminate wrong answers

Option B is wrong because while the customer portal produces the largest daily revenue loss, its RPO (recovery point objective) is not the primary factor for restoration order—MTD and business impact criticality are. Option C is wrong because restoring communication (email) does not always take precedence; prioritization is based on MTD, compliance, and revenue impact, not a blanket rule. Option D is wrong because the dev test lab has lower business impact, meaning it should be restored last, not first, as it is not critical to core operations.

30
MCQ · medium

Leadership wants to compare two controls for protecting a customer portal. Option A costs $40,000 and reduces annual loss expectancy from $120,000 to $30,000. Option B costs $15,000 and reduces annual loss expectancy to $70,000. Which analysis method best supports this decision?

A. Qualitative risk analysis
B. Quantitative risk analysis
C. Business impact analysis
D. Risk acceptance
Answer: B

Quantitative analysis uses numeric estimates such as annual loss expectancy and control cost to compare options financially.

Why this answer

Quantitative risk analysis uses monetary values and numerical data to calculate risk, making it the best method to compare the cost-benefit of Option A (ALE reduction from $120,000 to $30,000 with a $40,000 cost) versus Option B (ALE reduction to $70,000 with a $15,000 cost). By computing the annualized loss expectancy (ALE) and comparing the cost of each control against the reduction in expected loss, leadership can determine which option provides a better return on investment. This approach directly supports the decision because it provides objective, dollar-based metrics for comparison.

Exam trap

The trap here is that candidates may choose qualitative risk analysis because it is simpler and more common, but the presence of specific monetary values in the question explicitly requires quantitative analysis to make a data-driven comparison.

How to eliminate wrong answers

Option A is wrong because qualitative risk analysis uses subjective ratings (e.g., high, medium, low) rather than monetary values, so it cannot precisely compare the cost-effectiveness of two controls with specific dollar amounts. Option C is wrong because business impact analysis (BIA) focuses on identifying critical business functions and their recovery priorities, not on comparing the cost-benefit of different security controls. Option D is wrong because risk acceptance is a risk response strategy where the organization acknowledges the risk and chooses not to implement a control, which does not involve comparing multiple control options.

31
MCQ · medium

After three months of phishing awareness training, the security team wants a metric that best shows whether employees are becoming harder to trick. Which metric is MOST useful?

A. The total number of phishing simulation emails sent to employees.
B. The percentage of users who report suspicious messages before clicking links.
C. The number of new usernames created in the email system.
D. The average screen resolution used by employees during the campaign.
Answer: B

Reporting rate is a strong indicator of awareness and response behavior because it measures whether employees recognize and escalate suspicious emails instead of interacting with them. A higher reporting rate generally shows improved vigilance and faster detection, which is more valuable than simply counting how many simulated messages were delivered.

Why this answer

Option B is correct because the percentage of users who report suspicious messages before clicking links directly measures the effectiveness of phishing awareness training in changing user behavior. A higher reporting rate indicates that employees are recognizing phishing indicators and using the reporting mechanism (e.g., an integrated phishing report button or email forwarding to a security mailbox) instead of falling for the trick. This metric focuses on the desired outcome—reducing successful phishing—rather than activity volume.

Exam trap

CompTIA often tests the distinction between activity metrics (e.g., number of emails sent) and outcome metrics (e.g., reporting rate), and the trap here is assuming that more training or more simulations automatically means better security, when the real measure is behavioral change.

How to eliminate wrong answers

Option A is wrong because the total number of phishing simulation emails sent is a measure of campaign scale, not employee susceptibility; sending more simulations does not indicate whether users are harder to trick. Option C is wrong because the number of new usernames created in the email system is unrelated to phishing awareness; it reflects account provisioning or turnover, not security behavior. Option D is wrong because average screen resolution has no bearing on phishing detection; it is a display setting with no connection to email security or user vigilance.

32
MCQ · medium

An external auditor asks for proof that firewall rule changes were reviewed and approved before being implemented during the last quarter. Which evidence is MOST appropriate to provide?

A. A screenshot of the firewall management homepage showing that the system is online.
B. Change tickets showing requester, reviewer approval, implementation date, and rollback plan.
C. An email from the network team stating they remember reviewing the changes.
D. A list of the firewall vendor's product features from the company website.
Answer: B

Change tickets are strong audit evidence because they show who requested the change, who approved it, when it was implemented, and how the organization planned to reverse it if needed. That level of documentation demonstrates governance, traceability, and control over configuration changes, which is exactly what an auditor is trying to verify.

Why this answer

Change tickets provide a formal, auditable record of the entire change management process, including requester identification, reviewer approval, implementation date, and rollback plan. This directly satisfies the auditor's requirement for proof that firewall rule changes were reviewed and approved before implementation, aligning with the principle of separation of duties and change control.

Exam trap

The trap here is that candidates may choose Option C, mistakenly believing that a verbal or informal email confirmation is sufficient evidence, when auditors require documented, formal approval records with a clear audit trail.

How to eliminate wrong answers

Option A is wrong because a screenshot of the firewall management homepage showing the system is online only proves the firewall is operational, not that specific rule changes were reviewed and approved. Option C is wrong because an email from the network team stating they remember reviewing the changes is anecdotal and lacks the formal, timestamped, and auditable evidence required for compliance. Option D is wrong because a list of the firewall vendor's product features from the company website is irrelevant to the change management process and provides no evidence of review or approval.

33
MCQ · easy

A project team needs to use a temporary file-sharing service for two weeks because the approved platform is under maintenance. The security manager wants the exception to be reviewed, time-limited, and documented with the business reason. Which governance document should be created?

A. A guideline, because it provides optional best practices for users to follow.
B. An exception request, because it records a deviation from the normal security requirement.
C. A standard, because it defines the mandatory company-wide rule for file sharing.
D. A procedure, because it gives step-by-step instructions for employees to follow.
Answer: B

An exception request documents a specific deviation from policy or standard, including the business justification, approval path, and expiration date. That is exactly what is needed when a team must temporarily use an alternative service. It keeps the deviation visible, reviewed, and accountable instead of silently bypassing security controls.

Why this answer

Option B is correct because an exception request is the formal governance document used to record, review, and time-limit a deviation from the organization's security baseline. In this scenario, the temporary use of an unapproved file-sharing service for two weeks requires documented authorization, including the business reason, to ensure the risk is accepted and tracked until the approved platform returns.

Exam trap

The trap here is that candidates confuse an exception request with a standard or procedure, thinking any documented change to security controls requires a new policy document, rather than recognizing that an exception is a temporary, authorized waiver of an existing rule.

How to eliminate wrong answers

Option A is wrong because a guideline offers optional best practices, not a mechanism to formally authorize a temporary deviation from a mandatory security requirement. Option C is wrong because a standard defines a mandatory company-wide rule; creating a new standard would permanently change the policy rather than document a time-limited exception. Option D is wrong because a procedure provides step-by-step instructions for routine tasks, not a record of a specific, temporary deviation from approved tools.

34
MCQ · medium

A company is evaluating a new payroll SaaS provider that will store employee tax and bank details. Before signing the contract, which action BEST supports vendor due diligence?

A. Ask the vendor for a marketing brochure describing platform features and uptime claims.
B. Review a current independent security attestation and verify contractual security obligations.
C. Accept the vendor’s assurance that its customers have never experienced incidents.
D. Wait until after go-live and then review the security posture during the first annual audit.
Answer: B

Independent assurance reports, such as a recent SOC 2 Type II, help show whether the vendor’s controls were operating over time, and contract terms can require breach notification, data handling, and security responsibilities. Together, these steps give the organization evidence-based due diligence before sensitive payroll data is entrusted to the provider.

Why this answer

Option B is correct because vendor due diligence for a SaaS provider handling sensitive employee data (tax and bank details) requires verifying independent security attestations (e.g., SOC 2 Type II, ISO 27001 certification) and ensuring contractual security obligations (e.g., data encryption, breach notification, right to audit) are explicitly defined. This provides objective, audited evidence of the vendor's security posture rather than relying on marketing claims or unverified assurances.

Exam trap

The trap here is that candidates may choose Option A because marketing brochures appear to provide relevant information, but they fail to recognize that due diligence requires objective, third-party verified evidence rather than vendor-provided promotional materials.

How to eliminate wrong answers

Option A is wrong because a marketing brochure is a promotional document that may contain exaggerated uptime claims and lacks independent verification of security controls; it does not provide audited evidence of data protection practices. Option C is wrong because a vendor's assurance that its customers have never experienced incidents is an unverifiable, self-serving statement that ignores the possibility of undisclosed breaches or weak incident detection; it does not constitute due diligence. Option D is wrong because deferring the review until the first annual audit after go-live means sensitive payroll data has already been entrusted to the provider before any evidence of its security posture has been examined; due diligence has to happen before the contract is signed.

35
Multi-Selecteasy

A developer finds a critical bug in a customer portal on Friday afternoon. The fix must be released quickly, but the team needs a way to reverse the change if testing reveals a problem and wants the release to follow the normal approval process. Which two practices should be used? Select two.

A.Deploy the fix directly to production without approval
B.Create a documented rollback plan
C.Skip testing to meet the deadline
D.Follow the normal change approval and testing process
E.Rename the release package to reduce risk
AnswersB, D

A rollback plan allows the team to restore the previous stable version if the hotfix causes trouble.

Why this answer

Option B is correct because a documented rollback plan ensures that if the emergency fix causes problems in testing or after release, the team can quickly and safely revert to the previous stable state. Option D is correct because following the normal approval and testing process, even under time pressure, keeps the release reviewed, validated, and traceable. Together they satisfy both requirements in the scenario: a way to reverse the change and a release that follows the usual governance.

Exam trap

The trap here is that candidates may assume speed is the only priority in an emergency fix, overlooking the requirement for a controlled reversal mechanism and the need to follow the normal approval process even under time pressure.

36
MCQeasy

Paper onboarding forms have reached the end of their retention period, and no legal hold applies. What should happen next?

A.Store them indefinitely in case the company needs them later.
B.Destroy them using an approved secure disposal method.
C.Scan them to a personal cloud account so they are not lost.
D.Mail copies to every manager for review before disposal.
AnswerB

This is correct because once retention requirements are satisfied and no legal hold exists, the records should be securely destroyed. Secure disposal reduces the chance of unauthorized disclosure and supports compliance with the retention schedule. For paper records, approved shredding or other secure destruction methods are appropriate.

Why this answer

Once paper onboarding forms have reached the end of their retention period and no legal hold applies, the organization should destroy them using an approved secure disposal method (e.g., cross-cut shredding, pulping, or incineration) to prevent unauthorized access to the personally identifiable information (PII) they contain and to comply with data protection rules such as GDPR's storage-limitation principle. Retaining records beyond their required lifecycle increases breach exposure without any business or legal benefit.

Exam trap

The trap here is that candidates may think indefinite storage (Option A) is safer or that scanning to a personal cloud (Option C) preserves data, but the exam tests that data must be destroyed when retention expires and no legal hold exists, not retained or migrated.

How to eliminate wrong answers

Option A is wrong because storing forms indefinitely violates data retention policies and regulations like GDPR's storage limitation principle, exposing the organization to unnecessary legal and security risks. Option C is wrong because scanning forms to a personal cloud account bypasses corporate data governance controls, creates an unauthorized copy of sensitive data, and likely violates data classification and access control policies. Option D is wrong because mailing copies to every manager before disposal unnecessarily proliferates sensitive data, increases the attack surface, and contradicts the principle of least privilege—only authorized personnel should handle disposal, not all managers.

37
Multi-Selecteasy

A manager asks how to decide whether a new security issue is worth spending money on. Which two factors should be reviewed first? Select two.

A.Likelihood that the issue will be exploited
B.Business impact if the issue is successful
C.The color used on the vulnerability report
D.The number of users in the IT department
E.The age of the server name in inventory
AnswersA, B

Likelihood estimates how probable the event is, which helps determine whether the organization is facing a realistic threat.

Why this answer

Option A is correct because the likelihood of exploitation is a fundamental factor in risk assessment: without knowing how probable it is that a threat actor will exploit the issue, the organization cannot tell whether it faces a realistic threat. Option B is correct because business impact measures how much harm a successful exploit would cause. Together these are the two inputs to the basic risk calculation (Risk = Likelihood × Impact), which is what a spending decision should rest on.

Exam trap

The trap here is that candidates may confuse severity indicators (like color-coded CVSS scores) with the primary decision factors, or they may incorrectly assume that administrative metrics (like user count or asset age) are relevant to risk-based spending decisions.

38
MCQeasy

Based on the exhibit, what should management implement next?

A.Role-based security awareness training with recurring phishing simulations and reporting practice.
B.Disable all email attachments for every user in the company.
C.Replace all passwords with longer usernames.
D.Move all users to a single shared mailbox for easier monitoring.
AnswerA

This is the best choice because the exhibit shows both low reporting and ongoing click rates across several groups. Role-based training helps target the people most affected, and repeated simulations measure whether behavior improves over time. Training should reinforce how to spot suspicious messages and how to report them correctly, which directly supports the management goal.

Why this answer

The exhibit shows continuing phishing click rates and low reporting across several user groups, indicating a need for improved security awareness. Role-based training with phishing simulations directly addresses this human risk by teaching users to recognize and report such attacks, and repeated simulations measure whether behavior actually improves. This aligns with the Security Program Management domain's focus on continuous improvement through user education and testing.

Exam trap

The exam often tests the misconception that technical controls alone (like disabling attachments or changing passwords) can solve human-centric security issues, when in fact user training and awareness are the primary mitigations for phishing risk.

How to eliminate wrong answers

Option B is wrong because disabling all email attachments is an extreme, impractical measure that would severely disrupt business operations; organizations instead use attachment filtering and sandboxing. Option C is wrong because replacing passwords with longer usernames does not improve authentication security: usernames are not secrets, so this would not prevent phishing or credential theft. Option D is wrong because moving all users to a single shared mailbox eliminates individual accountability, violates the principle of least privilege, and makes per-user monitoring and auditing impossible, increasing security risk rather than reducing it.

39
Matchingmedium

Match each vendor-risk concern to the contractual control that best addresses it. 1. The company wants the right to review the vendor's controls and supporting records after the contract is signed. 2. The company wants to know when the vendor will use subcontractors that may touch its data. 3. The company wants written notice within 24 hours if the vendor suffers an incident affecting company data. 4. The company wants assurance that the vendor's controls are independently assessed each year.

Right-to-audit clause

Subprocessor disclosure requirement

Breach-notification clause

SOC 2 Type II report

Why these pairings

1. Right-to-audit clause: gives the company the contractual right to review the vendor's controls and supporting records after signing. 2. Subprocessor disclosure requirement: obliges the vendor to disclose the subcontractors that may handle company data. 3. Breach-notification clause: mandates written notice of an incident affecting company data within the agreed window, here 24 hours. 4. SOC 2 Type II report: an independent assessment of whether controls operated over a period, renewed each year. Distractors such as a DPA (covers data-protection terms) or an SLA (defines service levels) are broader documents and are not the best match for any of the four needs.

40
MCQeasy

A small company has two security issues and can fix only one this week. Which should be prioritized first? One issue is an internal lab server with a medium-severity flaw. The other is an internet-facing login portal using default administrator credentials.

A.Fix the internal lab server first because every vulnerability should be treated equally.
B.Fix the internet-facing login portal first because default administrator credentials create a much higher risk.
C.Wait until the monthly maintenance window so both issues can be fixed at the same time.
D.Ignore both issues until users report symptoms, then respond if something happens.
AnswerB

This is the best choice because a public-facing system with default credentials is far more likely to be attacked and can lead to immediate compromise. Risk prioritization considers both likelihood and impact, not just severity labels. Exposed administrative access can quickly become a business-wide incident, so it should be addressed first.

Why this answer

The internet-facing login portal using default administrator credentials represents an immediate, high-impact risk because it allows unauthorized remote access with administrative privileges. Default credentials are well-known and actively targeted by automated scanners and attackers, making exploitation trivial. In contrast, the internal lab server with a medium-severity flaw is not reachable from the internet, so an attacker would first need a foothold inside the network; its risk is lower and its fix can be deferred to the following week.

Exam trap

The exam tests the principle of prioritizing vulnerabilities based on risk (likelihood and impact) rather than treating all vulnerabilities equally; the trap here is assuming that a severity label alone (medium vs. high) determines priority without considering exposure and exploitability.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes all vulnerabilities should be treated equally, ignoring exploitability and exposure; a medium-severity flaw on an internal server is far less urgent than default admin credentials on an internet-facing portal. Option C is wrong because delaying both fixes until a monthly maintenance window leaves an exposed administrative login with known credentials open for an extended period, which is unacceptable when immediate remediation is possible. Option D is wrong because waiting for users to report symptoms means waiting for the compromise to happen; by then the attacker already holds administrative access and the response is far costlier than the fix.

41
MCQmedium

An HR manager wants to share employee data with a benefits analytics vendor. The dataset includes names, employee IDs, home addresses, and medical leave codes. Security wants to reduce privacy exposure while still allowing the vendor to complete the analysis. What is the best first step?

A.Send the full file as-is if the vendor agrees not to disclose it
B.Provide only the minimum necessary fields and replace direct identifiers with project IDs
C.Keep the names but mark the spreadsheet confidential before sending it
D.Upload the file to a public cloud folder and restrict the link to the vendor
AnswerB

Minimizing fields and pseudonymizing direct identifiers reduces privacy exposure while still supporting the business purpose.

Why this answer

Option B is correct because it implements data minimization, a core privacy principle, by providing only the minimum necessary fields and replacing direct identifiers (names, employee IDs) with project-specific pseudonyms. This reduces exposure of personally identifiable information (PII) while preserving the vendor's ability to analyze the medical leave codes and other non-identifying data. It applies the privacy-enhancing techniques the exam expects here, such as pseudonymization and data masking.

Exam trap

The trap here is that candidates often assume a legal agreement (Option A) or a confidentiality marking (Option C) is sufficient protection, but the exam emphasizes that technical controls like data minimization and pseudonymization are the first and most effective steps to reduce privacy exposure; contractual terms complement them rather than replace them.

How to eliminate wrong answers

Option A is wrong because sending the full file as-is, even with a non-disclosure agreement, still exposes all PII (names, addresses, medical codes) to the vendor, violating the principle of least privilege and increasing breach risk. Option C is wrong because marking a spreadsheet as confidential does not technically protect the data; it relies on trust rather than technical controls like access restrictions or data masking, and the file remains fully readable. Option D is wrong because uploading to a public cloud folder with a restricted link still exposes the full dataset to anyone who obtains the link, and cloud storage does not inherently apply data minimization or pseudonymization.

42
Matchingmedium

Match each procurement need to the vendor due diligence artifact or control that best fits. 1. Procurement wants independent evidence that a SaaS provider's controls operated effectively during the last year. 2. The team wants to know what files, libraries, and modules were included in a supplier's software build. 3. The business needs a signed agreement that defines how customer data is handled and what the vendor must do if an incident occurs. 4. The procurement team wants answers about MFA, logging, and incident response before onboarding a cloud supplier.

SOC 2 Type II report

Software bill of materials (SBOM)

Data processing agreement (DPA)

Security questionnaire

Why these pairings

1. SOC 2 Type II report: independent audit evidence that the SaaS provider's controls operated effectively over the review period. 2. Software bill of materials (SBOM): the inventory of files, libraries, and modules included in a supplier's software build. 3. Data processing agreement (DPA): the signed agreement defining how customer data is handled and what the vendor must do after an incident. 4. Security questionnaire: the pre-onboarding instrument for collecting answers about MFA, logging, and incident response. Distractors such as a penetration test report (validates specific controls at a point in time) or a business continuity plan (covers continuity of operations) do not fit any of the four needs as well.

43
MCQmedium

A data analyst needs a copy of a customer file for product testing. The file includes names, email addresses, purchase history, and government ID numbers, but the test team only needs the names and purchase history. What is the BEST handling action?

A.Provide the full file because the test team is internal and already trusted.
B.Remove or mask the government ID numbers before sharing the minimum necessary fields.
C.Encrypt the file and send it by email to the entire test group.
D.Keep the file unchanged and rely on the team not to open the sensitive columns.
AnswerB

This is the best action because it follows data minimization and privacy principles. The test team does not need government ID numbers, so those fields should be removed or masked before the data is shared. Limiting the dataset to the minimum necessary information reduces privacy risk, lowers the chance of unauthorized disclosure, and aligns with common handling requirements for sensitive customer data.

Why this answer

Option B is correct because it applies the principle of least privilege and data minimization. The test team only needs names and purchase history, so removing or masking the government ID numbers before sharing the minimum necessary fields protects sensitive personally identifiable information (PII) and complies with data protection regulations like GDPR or CCPA. This action reduces the risk of unauthorized exposure of high-risk data while still enabling the test team to perform their work.

Exam trap

The trap here is that candidates may assume internal teams are automatically trusted and fail to apply data minimization, overlooking that even trusted users should only receive the minimum data necessary for their role.

How to eliminate wrong answers

Option A is wrong because internal trust does not justify exposing sensitive government ID numbers to a team that does not need them; this violates the principle of least privilege and could lead to a data breach. Option C is wrong because encrypting the file does not address the core issue of sharing unnecessary sensitive data; the government ID numbers would still be accessible to the entire test group once decrypted, and emailing the file to the entire group increases the risk of interception or accidental forwarding. Option D is wrong because relying on the team not to open sensitive columns is a weak security control; it depends on human behavior and does not prevent accidental or malicious access to the government ID numbers, which should be removed or masked as a technical control.

44
MCQmedium

Based on the exhibit, which awareness action should the security manager prioritize next?

A.Send the same annual awareness slide deck to everyone again without changing the content.
B.Launch role-based phishing training and reporting reinforcement for the highest-risk groups.
C.Block all external email so users cannot click suspicious messages.
D.Take no action because IT already reports suspicious messages well.
AnswerB

The results show that executives and customer support need the most help, especially because reporting is near zero for executives. Targeted training and practice campaigns are more effective than one-size-fits-all messaging because they address the actual behavior patterns shown in the exhibit.

Why this answer

The exhibit shows that some groups, notably executives and customer support, have the highest click rates and the lowest reporting rates. Option B is correct because role-based phishing training targets these specific users with simulated campaigns and reporting reinforcement, which directly reduces the likelihood of a successful social engineering attack and improves the chance that one is reported early. This aligns with the principle of prioritizing remediation based on risk assessment data rather than blanket training.

Exam trap

The trap here is that candidates may choose Option A (annual slide deck) because they assume any awareness training is sufficient, but the exam emphasizes that targeted, risk-based training is more effective than generic, one-size-fits-all approaches.

How to eliminate wrong answers

Option A is wrong because sending the same annual awareness slide deck without changes fails to address the specific high-risk groups identified in the exhibit, and it does not provide the hands-on, simulated phishing experience needed to change user behavior. Option C is wrong because blocking all external email is an overly restrictive technical control that would break legitimate business communication, and it does not address the root cause of user susceptibility to phishing. Option D is wrong because taking no action ignores the clear risk indicated by the high click rates in certain groups, and relying solely on IT reporting does not reduce the probability of a successful attack from users who click malicious links.
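
Turning simulation results into a training priority, the step questions 38 and 44 describe, as an added Python example. This is not code from the original page, and the exhibit is not reproduced here, so the event list below is constructed data; the group names and the scoring rule are choices made for the illustration, not something the page prescribes. The point it shows is that a group's reporting rate counts as risk in its own right, not only its click rate.

```python
from collections import defaultdict

# Constructed sample results from a phishing simulation (hypothetical data; the
# exhibit referred to in the questions is not reproduced on this page).
# One tuple per recipient: (group, clicked_link, entered_credentials, reported_message)
EVENTS = [
    ("executives", True, True, False),
    ("executives", True, False, False),
    ("executives", False, False, False),
    ("executives", False, False, False),
    ("customer_support", True, True, False),
    ("customer_support", True, False, True),
    ("customer_support", False, False, False),
    ("customer_support", False, False, True),
    ("finance", True, False, False),
    ("finance", False, False, True),
    ("finance", False, False, True),
    ("finance", False, False, False),
    ("it", True, False, True),
    ("it", False, False, True),
    ("it", False, False, True),
    ("it", False, False, True),
]


def summarize(events):
    """Per-group rates: how often recipients clicked, gave up credentials, and reported."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "credentials": 0, "reported": 0})
    for group, clicked, entered, reported in events:
        c = counts[group]
        c["sent"] += 1
        c["clicked"] += clicked
        c["credentials"] += entered
        c["reported"] += reported
    return {
        group: {
            "click_rate": c["clicked"] / c["sent"],
            "credential_rate": c["credentials"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
        for group, c in counts.items()
    }


def risk_score(metrics):
    """Higher is worse. Low reporting is penalised on its own, because a group that
    never reports gives the security team no early warning even when few of its
    members click."""
    return metrics["click_rate"] + (1.0 - metrics["report_rate"])


def prioritize(summary, min_report_rate=0.5):
    """Groups ordered worst-first for role-based training, plus the subset whose
    reporting is below target regardless of how often they clicked."""
    ranked = sorted(summary, key=lambda g: risk_score(summary[g]), reverse=True)
    needs_reporting_practice = [g for g in ranked if summary[g]["report_rate"] < min_report_rate]
    return ranked, needs_reporting_practice


if __name__ == "__main__":
    summary = summarize(EVENTS)
    ranked, low_reporting = prioritize(summary)
    for g in ranked:
        m = summary[g]
        print(f"{g:17} click={m['click_rate']:.0%} creds={m['credential_rate']:.0%} "
              f"report={m['report_rate']:.0%} risk={risk_score(m):.2f}")
    print("reporting practice needed:", low_reporting)
```

With the constructed data, executives rank first (half clicked, nobody reported) and customer support second, while IT, where everyone who saw the message reported it, ranks last; that ordering is what decides who gets the targeted campaign first.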

45
MCQmedium

A network engineer needs to change an ACL on a production firewall so a new SaaS integration works. The business cannot tolerate an extended outage, and the change must be reversible if testing fails. Which practice best fits?

A.Make the change directly during business hours without documentation
B.Follow formal change management with approval, testing, and rollback planning
C.Disable logging temporarily so the firewall change applies faster
D.Ask the vendor to modify the firewall remotely without internal review
AnswerB

Change management provides traceability, validation, and a prepared rollback path for production changes.

Why this answer

Formal change management ensures the ACL modification is documented, tested in a staging environment, and includes a rollback plan (e.g., reverting to a saved configuration or applying a 'no' command for the specific ACL entry). This minimizes downtime by allowing controlled implementation and immediate reversal if the SaaS integration fails, aligning with the business's zero-tolerance for extended outages.

Exam trap

The trap here is that candidates may think making the change quickly (Option A) or disabling logging (Option C) is acceptable for a 'simple' ACL change, but the exam emphasizes that any production change must follow formal change management to ensure reversibility and minimize risk.

How to eliminate wrong answers

Option A is wrong because making changes directly during business hours without documentation violates change management principles, risks an unplanned outage, and provides no rollback path, which is unacceptable for a production firewall. Option C is wrong because disabling logging does not make an ACL change apply any faster; it only removes the audit trail and the evidence needed to troubleshoot the change or confirm a rollback. Option D is wrong because having the vendor modify the firewall remotely without internal review bypasses the organization's change controls and could introduce unauthorized or misconfigured rules that the network engineer cannot readily trace or reverse.

46
MCQeasy

Which document should define mandatory settings such as full-disk encryption, a 10-minute screen-lock timeout, and removal of local administrator rights on company laptops?

A.Policy, because it explains the general direction but not the exact settings.
B.Standard, because it defines specific required configurations that must be followed.
C.Procedure, because it lists the steps an end user should take every day.
D.Guideline, because it offers flexible recommendations rather than mandatory rules.
AnswerB

This is correct because a standard turns policy into measurable, mandatory requirements. Exact settings such as encryption, screen-lock timing, and administrative restrictions belong in a standard since they must be applied consistently across similar systems. Standards help administrators implement security in a uniform, auditable way.

Why this answer

Option B is correct because a standard defines mandatory, specific technical configurations that must be uniformly applied across all company laptops. The question lists concrete settings (full-disk encryption, 10-minute screen-lock timeout, removal of local admin rights) that are not open to interpretation, which aligns precisely with the role of a security standard in enforcing baseline compliance.

Exam trap

The trap here is that candidates confuse 'policy' (high-level direction) with 'standard' (specific mandatory configuration), leading them to pick A when the question explicitly lists concrete, enforceable settings rather than general principles.

How to eliminate wrong answers

Option A is wrong because a policy states high-level intentions and management direction (e.g., 'laptops must be secured'), but does not include the exact technical settings like '10-minute screen-lock timeout' or 'full-disk encryption'. Option C is wrong because a procedure describes step-by-step actions an end user or administrator must perform (e.g., 'how to enable BitLocker'), not the mandatory configuration values themselves. Option D is wrong because a guideline offers flexible, non-mandatory recommendations (e.g., 'consider using full-disk encryption'), whereas the question explicitly requires mandatory settings that must be followed.

47
Multi-Selecteasy

Before approving a new payroll SaaS provider, the security team wants independent evidence that the vendor's controls operated effectively during the last year and wants the contract to clearly define security responsibilities. Which two items should they request or review? Select two.

A.A SOC 2 Type II report
B.A sales presentation from the vendor account team
C.The vendor's public blog posts
D.Contract clauses covering security responsibilities and incident notification
E.A screenshot of the login page
AnswersA, D

A SOC 2 Type II report provides independent evidence that controls operated effectively over a period of time.

Why this answer

A SOC 2 Type II report provides independent, audited evidence that a vendor's controls (e.g., security, availability, confidentiality) were operating effectively over a specified period (typically 6–12 months). This directly meets the requirement for independent evidence of control effectiveness over the last year, unlike a point-in-time assessment. Contract clauses covering security responsibilities and incident notification (Option D) meet the second requirement by making those obligations explicit and enforceable rather than leaving them to assumption.

Exam trap

The trap here is that candidates often confuse a SOC 2 Type I report (point-in-time design review) with a Type II report (operational effectiveness over time), or they mistakenly believe that marketing materials or user interface screenshots can substitute for independent audit evidence.

48
MCQmedium

Several employees nearly entered credentials into a fake mailbox login page. The security team wants to reduce repeat mistakes quickly without overwhelming the whole company. What is the best communication approach?

A.Send a short targeted notice to the affected users with examples, warning signs, and reporting steps
B.Wait until the annual security training cycle to address the issue
C.Disable all external email until the next awareness campaign is completed
D.Send a company-wide message naming the affected employees to discourage mistakes
AnswerA

Targeted, timely communication is the best way to improve behavior quickly. A concise alert with screenshots or warning signs helps users recognize the specific threat they encountered, and clear reporting steps make it easier to respond correctly next time. This approach is practical, low disruption, and focused on the people most likely to benefit from immediate coaching.

Why this answer

A short targeted notice to the affected users is the best approach because it addresses the immediate threat without overwhelming the entire company. It lets the security team quickly reinforce specific warning signs (e.g., a look-alike or mismatched domain in the address bar, an unexpected credential prompt after clicking a link in an email) and the reporting procedure, reducing the likelihood of repeat mistakes while maintaining operational efficiency. A padlock icon or valid certificate is not a reliable sign of legitimacy, since phishing pages routinely use HTTPS; the domain itself is what users should check.

Exam trap

The trap here is that candidates may choose a company-wide message (Option D) thinking it will deter others, but the exam emphasizes privacy and targeted remediation over public shaming or broad disruption.

How to eliminate wrong answers

Option B is wrong because waiting until the annual security training cycle would leave the vulnerability unaddressed for too long, allowing the same phishing attack to succeed repeatedly. Option C is wrong because disabling all external email is an overly drastic measure that would disrupt business operations and is not a targeted communication strategy. Option D is wrong because sending a company-wide message naming the affected employees would violate privacy and potentially cause embarrassment or retaliation, which is counterproductive to security culture and could discourage future reporting.

49
MCQmedium

A help desk team needs sample customer tickets in a lower environment for testing. The records contain names, phone numbers, and case details. Which approach best reduces privacy risk while still allowing useful testing?

A.Copy the production database exactly into the test system
B.Mask or tokenize the personal data before loading it into test
C.Email the records to developers so they can import them manually
D.Store the records in an unencrypted spreadsheet on a shared drive
AnswerB

Masking or tokenizing preserves usefulness for testing while reducing exposure of real personal information.

Why this answer

Option B is correct because data masking or tokenization replaces sensitive personal information (names, phone numbers) with realistic but fictitious values, preserving the dataset's utility for testing while minimizing exposure of real PII. This approach aligns with privacy best practices and regulatory requirements like GDPR or HIPAA, as the test environment never contains actual customer data.

Exam trap

The trap here is that candidates may choose Option A (exact copy) thinking it is the most efficient for testing, overlooking that privacy risk in a lower environment is a critical security concern that must be mitigated even at the cost of convenience.

How to eliminate wrong answers

Option A is wrong because copying the production database exactly into the test system exposes real PII (names, phone numbers, case details) in a lower environment that may lack production-level access controls, increasing the risk of data breach or non-compliance. Option C is wrong because emailing records containing PII to developers violates data protection principles (e.g., transmitting sensitive data over unencrypted channels) and introduces unnecessary distribution of personal data. Option D is wrong because storing records in an unencrypted spreadsheet on a shared drive provides no access control or encryption, leaving PII vulnerable to unauthorized access, theft, or accidental exposure.
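
Data minimization with pseudonymization and masking, the handling that questions 41, 43 and 49 above all call for, as an added Python example. This is not code from the original page: the records, the project names and the owner-held HMAC key are all constructed for illustration. Pseudonymization here is keyed (HMAC-SHA256) rather than a plain hash, so a recipient cannot rebuild the mapping by hashing a list of known employee IDs.

```python
import hmac
import hashlib

# Constructed sample data (hypothetical records, not from the original page).
HR_RECORDS = [
    {"name": "Ana Lima", "employee_id": "E1001", "home_address": "12 Elm St", "medical_leave_code": "ML-2"},
    {"name": "Ben Ortiz", "employee_id": "E1002", "home_address": "9 Oak Ave", "medical_leave_code": "ML-0"},
    {"name": "Ana Lima", "employee_id": "E1001", "home_address": "12 Elm St", "medical_leave_code": "ML-1"},
]
CUSTOMER_RECORDS = [
    {"name": "C. Park", "email": "cpark@example.com", "phone": "555-0143",
     "purchase_history": ["SKU-7", "SKU-9"], "government_id": "123-45-6789"},
]

# Hypothetical key held only by the data owner. In practice it comes from a secrets
# manager or KMS and never travels with the released dataset.
OWNER_KEY = b"demo-key-held-by-hr-only"


def pseudonym(value: str, key: bytes, project: str) -> str:
    """Keyed, deterministic pseudonym. The same value maps to the same token within a
    project (so the recipient can still group or join records), but tokens cannot be
    reversed, and cannot be linked across projects, without the key."""
    mac = hmac.new(key, f"{project}|{value}".encode(), hashlib.sha256).hexdigest()
    return f"{project}-{mac[:12]}"


def mask(value: str, keep_last: int = 2) -> str:
    """Shape-preserving mask for test data: separators and the last `keep_last`
    characters survive, every other letter or digit becomes 'X'."""
    cut = len(value) - keep_last
    return "".join(ch if (i >= cut or not ch.isalnum()) else "X" for i, ch in enumerate(value))


def minimize(records, keep=(), pseudonymize=(), mask_fields=(), *, key=OWNER_KEY, project):
    """Release only what the recipient needs: `keep` fields pass through unchanged,
    `pseudonymize` fields become keyed tokens, `mask_fields` are masked, and every
    other field (the direct identifiers nobody asked for) is dropped."""
    allowed = set(keep) | set(pseudonymize) | set(mask_fields)
    released = []
    for rec in records:
        row = {}
        for field, value in rec.items():
            if field not in allowed:
                continue  # not needed for the purpose, so not shared
            if field in pseudonymize:
                row[field] = pseudonym(value, key, project)
            elif field in mask_fields:
                row[field] = mask(value)
            else:
                row[field] = value
        released.append(row)
    return released


def reidentification_map(records, field, key=OWNER_KEY, *, project):
    """Token -> original value, kept by the data owner only, so a finding from the
    recipient can be traced back without the recipient ever holding the identifiers."""
    return {pseudonym(r[field], key, project): r[field] for r in records}


if __name__ == "__main__":
    # Question 41: the benefits vendor gets leave codes keyed by a project ID, nothing else.
    print(minimize(HR_RECORDS, keep=("medical_leave_code",), pseudonymize=("employee_id",), project="benefits"))
    # Question 43: the test team gets names and purchase history; government IDs never leave.
    print(minimize(CUSTOMER_RECORDS, keep=("name", "purchase_history"), project="qa"))
    # Question 49: the lower environment gets masked contact data it can still format-test against.
    print(minimize(CUSTOMER_RECORDS, keep=("purchase_history",), mask_fields=("name", "phone"), project="test"))
```

The recipient's copy never contains the dropped fields, and the re-identification map stays with the data owner. A plain SHA-256 of an employee ID would not be enough: employee IDs come from a small, guessable space, so anyone could hash the whole range and reverse the tokens; the key is what prevents that, and binding the project name into the MAC keeps two vendors from correlating their datasets.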

50
Multi-Selecteasy

After a phishing simulation, many users still nearly entered credentials. Leadership wants to reduce repeat mistakes without causing long training sessions. Which two actions are the best balance of security and usability? Select two.

A.Send a short targeted refresher focused on the exact mistake
B.Add an easy reporting button inside the email client
C.Require every employee to attend a full-day annual course this week
D.Publicly post the names of employees who clicked the simulation
E.Disable all email attachments for every user
AnswersA, B

A brief, focused reminder addresses the observed behavior without taking people away from their normal work for long periods.

Why this answer

Option A is correct because a short, targeted refresher directly addresses the specific mistake (entering credentials on a phishing page) without overwhelming users; this microlearning approach improves retention and reduces cognitive load compared to lengthy training. Option B is correct because an easy reporting button in the email client lowers the effort of doing the right thing, so more suspicious messages get reported and the security team sees real attacks sooner. Together they balance security with usability by minimizing time away from work.

Exam trap

The trap here is that candidates may choose C (full-day course) thinking it is thorough, but the exam emphasizes that security awareness should be continuous, short, and relevant, not a one-time marathon that sacrifices usability for perceived completeness.

51
MCQmedium

A developer finds a production bug on Friday afternoon. The fix has already passed staging, but the business wants the release to be reversible if the hotfix causes trouble. Which change-management practice best satisfies both speed and control?

A.Bypass change control so the patch reaches production immediately
B.Wait for the next normal change window next week
C.Use an emergency change with a documented rollback plan and approval
D.Freeze all production changes until the next monthly review meeting
AnswerC

An emergency change supports urgent deployment while preserving control through approval, testing evidence, and rollback steps.

Why this answer

Option C is correct because an emergency change with a documented rollback plan and approval provides the fastest path to production while maintaining control. This practice aligns with ITIL's emergency change advisory board (ECAB) process, which allows expedited approval for critical fixes while requiring a tested rollback procedure to ensure reversibility. The business's requirement for speed is met by bypassing the normal change window, and control is preserved through mandatory documentation and approval.

Exam trap

The trap here is that candidates may assume 'speed' means 'no process at all' (Option A), but CompTIA tests the understanding that emergency change procedures are designed to balance speed with control, not eliminate it.

How to eliminate wrong answers

Option A is wrong because bypassing change control entirely violates security governance and could lead to unauthorized changes, configuration drift, and audit failures; it sacrifices all control for speed. Option B is wrong because waiting for the next normal change window (e.g., a weekly maintenance window) fails to meet the business's need for speed, as the bug is in production and causing issues now. Option D is wrong because freezing all production changes until the next monthly review meeting is overly restrictive, preventing even this critical hotfix from being deployed, and does not address the need for a reversible release.

52
Multi-Select · easy

During business impact analysis interviews, the team needs two inputs that help determine which business services must recover first after an outage. Which two inputs are the most useful? Select two.

Select 2 answers
A.Recovery Time Objective (RTO)
B.Annualized Loss Expectancy (ALE)
C.Mean Time Between Failures (MTBF)
D.Recovery Point Objective (RPO)
E.Control self-assessment score
Answers: A, D

RTO identifies how quickly a service must be restored to avoid unacceptable business disruption.

Why this answer

Recovery Time Objective (RTO) defines the maximum acceptable downtime for a business service, directly indicating the urgency of recovery. Recovery Point Objective (RPO) defines the maximum acceptable data loss, which influences the recovery strategy and priority. Together, they provide the two critical inputs needed to sequence recovery efforts after an outage.

Exam trap

CompTIA often tests the confusion between RTO/RPO as recovery metrics versus ALE/MTBF as risk or reliability metrics, leading candidates to select ALE because it involves financial loss, when the question specifically asks for inputs to determine recovery priority.

53
MCQ · medium

Based on the exhibit, what should the security team recommend for the finance workstation pilot?

A.Approve the pilot because the workstations are limited to read-only data and the application is signed.
B.Require the vendor to provide the missing supply-chain documentation or an approved compensating-control plan before approval.
C.Disable segmentation so the pilot can access more systems if troubleshooting is needed.
D.Let the finance director sign an informal email and skip the security review.
Answer: B

The exhibit shows a supply-chain transparency gap, so the organization should not approve based only on convenience. Requiring the missing documentation or a documented compensating-control plan supports informed risk management and reduces the chance of approving software that cannot be adequately assessed.

Why this answer

Option B is correct because the exhibit indicates missing supply-chain documentation for the finance workstation pilot. Without this documentation, the security team cannot verify the integrity and provenance of the hardware and software, which is critical for a pilot involving sensitive financial data. Requiring the vendor to provide the missing documentation or an approved compensating-control plan ensures compliance with supply-chain risk management policies before approval.

Exam trap

The trap here is that candidates may focus on the application being signed or read-only data access (Option A) as sufficient security, overlooking that supply-chain documentation is a foundational requirement for verifying the trustworthiness of the entire workstation, not just the application.

How to eliminate wrong answers

Option A is wrong because read-only data access and signed applications do not eliminate supply-chain risks; missing documentation means the hardware/software origin and integrity are unverified, which could introduce backdoors or tampered components. Option C is wrong because disabling segmentation would violate the principle of least privilege and expose the pilot to unnecessary lateral movement risks, increasing the attack surface for potential threats. Option D is wrong because bypassing the security review via an informal email undermines the entire security program and violates policy, leaving the organization exposed to unvetted risks.

54
MCQ · medium

A security manager at a financial services company is proposing a new policy that would require annual background checks for all employees with access to sensitive customer payment data. The proposed policy, if implemented, would increase the organization's operational costs by approximately $200,000 per year. The manager needs to obtain formal approval to implement this policy. Which of the following groups is MOST likely to have the authority to approve this policy and allocate the necessary budget?

A.Board of directors
B.Chief Information Security Officer (CISO)
C.IT steering committee
D.Security operations team
Answer: A

The board of directors has the fiduciary responsibility and ultimate authority to approve significant policy changes that require a substantial budget allocation, such as a $200,000 annual expense for background checks. This is correct because the policy crosses functional areas (security, HR, finance) and requires formal governance approval.

Why this answer

The board of directors holds the ultimate fiduciary responsibility and authority over significant financial commitments and strategic policy changes. A $200,000 annual cost increase requires approval at the highest governance level, as it impacts the organization's budget and risk posture. The board is the only group with the formal power to allocate such a substantial operational expense and approve a new policy affecting all employees with access to sensitive payment data.

Exam trap

The trap here is that candidates often confuse operational authority (CISO) with financial governance authority (board), assuming the CISO can approve any security-related budget without recognizing that large, recurring costs require board-level approval.

How to eliminate wrong answers

Option B is wrong because the CISO typically manages cybersecurity strategy and operations but does not have the authority to approve a $200,000 budget increase or a company-wide policy change; that requires executive or board-level sign-off. Option C is wrong because the IT steering committee focuses on prioritizing IT projects and resource allocation within existing budgets, not on approving new policies with significant financial implications outside their scope. Option D is wrong because the security operations team handles day-to-day incident response and monitoring, not financial approvals or policy ratification at the organizational level.

55
MCQ · medium

Based on the exhibit, which document type should define the exact encryption algorithm and minimum key length for all company laptops?

A.Policy
B.Standard
C.Procedure
D.Guideline
Answer: B

A standard is the correct document for mandatory technical requirements, such as approved algorithms and minimum key lengths, because it sets measurable baselines.

Why this answer

A Standard defines mandatory, specific technical requirements such as the exact encryption algorithm (e.g., AES-256) and minimum key length (e.g., 256 bits) that must be enforced on all company laptops. Policies are high-level statements of intent, while Standards provide the measurable, enforceable criteria to implement that intent. In this context, the encryption algorithm and key length are precise technical specifications, not general guidance or step-by-step instructions.

Exam trap

The trap here is that candidates confuse Policy (the 'what') with Standard (the 'how specific'), thinking a high-level statement is sufficient to define exact technical parameters, when in fact Standards are the only document type that mandates precise, measurable technical specifications.

How to eliminate wrong answers

Option A is wrong because a Policy is a broad, high-level statement of management intent (e.g., 'All laptops must be encrypted') and does not specify exact algorithms or key lengths. Option C is wrong because a Procedure is a detailed step-by-step sequence of actions to perform a task (e.g., 'How to enable BitLocker on a laptop'), not a document that defines technical parameters like encryption algorithms. Option D is wrong because a Guideline offers non-mandatory recommendations or best practices (e.g., 'Consider using AES-256'), whereas the question requires a document that defines exact, enforceable requirements.

56
MCQ · medium

A project team identifies a new risk with a high likelihood of minor data exposure during a pilot rollout. The impact is low, but the issue would become harder to address after production launch. The business owner wants the project to proceed. What should the risk owner do NEXT?

A.Ignore the issue because the impact is low.
B.Document the risk, assign an owner, and escalate for acceptance or treatment before launch.
C.Wait until after production launch to see whether the issue actually occurs.
D.Transfer the risk by moving the pilot to a different business unit.
Answer: B

This is the best next step because the risk is both identified and still manageable during the pilot. Recording it in the risk register, assigning accountability, and escalating it for acceptance or treatment ensures management makes an informed decision. Since the issue will be harder to fix after production launch, early action is important. This is classic risk governance: identify, document, assign, and decide before exposure expands.

Why this answer

Option B is correct because the risk owner must follow the formal risk management process: document the risk, assign an owner, and escalate it to the business owner for a decision on acceptance or treatment before the pilot launch. Even though the impact is low, the high likelihood and the fact that the issue becomes harder to address post-production mean the risk cannot be ignored or deferred; it requires a documented acceptance or a mitigation plan before proceeding.

Exam trap

The trap here is that candidates assume low impact means the risk can be ignored or deferred, but the high likelihood and the worsening condition post-launch force a formal risk response before proceeding, not after.

How to eliminate wrong answers

Option A is wrong because ignoring a risk with high likelihood, even if impact is low, violates the principle of due care and could lead to cumulative data exposure or compliance issues; risk acceptance must be a conscious, documented decision by the business owner, not a unilateral dismissal. Option C is wrong because waiting until after production launch to see if the issue occurs is reactive and contradicts the proactive risk management approach required by frameworks like NIST SP 800-37, especially when the issue becomes harder to address later. Option D is wrong because transferring the risk by moving the pilot to a different business unit does not eliminate the underlying vulnerability; it merely shifts the exposure to another group without proper risk treatment or acceptance, and the original risk owner remains accountable.

57
MCQ · medium

An HR analyst needs to send a payroll reconciliation file to an external auditor. The file contains employee names, SSNs, bank account numbers, and salary details, but the auditor only needs employee IDs, payment totals, and a control total. What should the analyst do first?

A.Encrypt the full spreadsheet and send it without changing the contents.
B.Redact or remove unnecessary sensitive fields before sharing the minimum required data.
C.Compress the file into a password-protected archive and email the password separately.
D.Copy the file to a personal cloud storage account to make sharing easier.
Answer: B

This is the best privacy practice because it follows data minimization and limits exposure to only what is needed.

Why this answer

Option B is correct because the principle of data minimization requires that only the necessary data (employee IDs, payment totals, control total) be shared with the external auditor. Redacting or removing unnecessary sensitive fields (SSNs, bank account numbers, salary details) reduces the risk of exposure and complies with privacy regulations. This step should occur before any encryption or transmission to ensure the auditor never receives data they do not need.

Exam trap

The trap here is that candidates may focus on securing the file (encryption, password protection) rather than on the fundamental security principle of data minimization, leading them to choose options that protect the data in transit but still expose unnecessary sensitive information to the recipient.

How to eliminate wrong answers

Option A is wrong because encrypting the full spreadsheet still exposes all sensitive fields to the auditor, violating the principle of least privilege and potentially breaching data protection policies. Option C is wrong because password-protecting the archive does not remove the unnecessary sensitive data; the auditor would still receive SSNs and bank details, and the password must be transmitted separately, creating additional risk. Option D is wrong because copying the file to a personal cloud storage account bypasses organizational security controls, introduces shadow IT, and does not address the need to limit data shared with the auditor.

58
MCQ · medium

An HR analyst must send a compensation spreadsheet to an external auditor. The auditor only needs employee names, departments, and salary totals; Social Security numbers and bank account fields are not required. What should the analyst do before sharing the file?

A.Encrypt the spreadsheet and send the full file as-is to preserve all records.
B.Remove or redact the fields the auditor does not need, then share only the minimum necessary data.
C.Store the file in a shared cloud folder and grant the auditor read-only access.
D.Convert the file to PDF so the sensitive information is harder to edit.
Answer: B

Data minimization is the best practice here. The analyst should provide only the information required for the audit and redact SSNs and bank details that are not needed. This reduces the amount of sensitive data exposed to an external party and lowers the impact of any accidental disclosure. It is the most privacy-conscious and operationally sound choice.

Why this answer

Option B is correct because the principle of data minimization requires sharing only the information necessary for the task. By removing or redacting the Social Security numbers and bank account fields, the analyst reduces the risk of exposing sensitive personally identifiable information (PII) to the external auditor, aligning with least privilege and need-to-know principles.

Exam trap

The trap here is that candidates may focus on security controls like encryption or access restrictions (options A, C, D) without recognizing that the core issue is data minimization—removing unnecessary sensitive data before sharing, not just protecting the file in transit or at rest.

How to eliminate wrong answers

Option A is wrong because encrypting the full file does not address the unnecessary exposure of sensitive fields; the auditor would still receive Social Security numbers and bank account data, violating data minimization. Option C is wrong because storing the file in a shared cloud folder with read-only access still exposes the full dataset, including unnecessary sensitive fields, to the auditor. Option D is wrong because converting to PDF only restricts editing, but the sensitive fields remain visible in the document, failing to remove or redact them.

59
MCQ · medium

Procurement is reviewing a new payroll SaaS provider. The business wants independent evidence that the vendor's controls were designed and operating effectively over the last six months. Which document should the security team request?

A.A SOC 2 Type II report from an independent auditor.
B.A software patch list showing recent updates installed on the vendor's servers.
C.A penetration test screenshot showing one web application vulnerability was fixed.
D.An internal email from the vendor's security manager stating that controls are mature.
Answer: A

A SOC 2 Type II report is designed to show both the design and operating effectiveness of controls over a period of time. That makes it especially useful for assessing an ongoing SaaS provider relationship. It gives procurement and security an independent assurance artifact that can support vendor due diligence and third-party risk review.

Why this answer

A SOC 2 Type II report provides independent assurance that a service organization's controls are not only designed appropriately (Type I) but also operating effectively over a specified period, typically six to twelve months. This aligns directly with the procurement team's requirement for evidence of control effectiveness over the last six months, making it the correct choice for evaluating a SaaS vendor's security posture.

Exam trap

The trap here is that candidates may confuse a SOC 2 Type I (design only) with Type II (design and operating effectiveness over time), or mistakenly think a patch list or pentest result provides equivalent assurance for ongoing control effectiveness.

How to eliminate wrong answers

Option B is wrong because a software patch list shows only that updates were applied, not that the vendor's overall controls (e.g., access management, data encryption, incident response) were designed and operating effectively over time. Option C is wrong because a penetration test screenshot showing one vulnerability fixed is a point-in-time snapshot, not a comprehensive, independent assessment of control effectiveness over a six-month period. Option D is wrong because an internal email from the vendor's security manager is self-attestation and lacks the independence and rigor of an external audit; it provides no verifiable evidence of control operation.

60
Matching · medium

Match each governance need to the document type that best fits. 1. All employees must follow rules for acceptable use of company systems. 2. Every company laptop must use full-disk encryption and a 14-character screen-lock PIN. 3. The service desk follows these exact steps to verify a caller before resetting MFA. 4. Admins are encouraged to place non-production test data in approved folders when practical.


Concepts: Policy, Standard, Procedure, Guideline

Why these pairings

Rules for acceptable use (item 1) belong in a policy, which is a high-level directive such as an AUP. Mandatory requirements such as full-disk encryption and the 14-character PIN (item 2) belong in a standard. The exact caller-verification steps before an MFA reset (item 3) belong in a procedure, which gives step-by-step instructions. Placing test data in approved folders "when practical" (item 4) is a recommendation, so it belongs in a guideline. By contrast, a baseline defines minimum configurations.

61
Multi-Select · medium

An organization is developing a business continuity and disaster recovery (BC/DR) plan. Which three of the following are essential elements that should be included to ensure proper management and oversight? (Choose three.)

Select 3 answers
A.A list of prioritized critical business functions and their recovery time objectives (RTOs)
B.Detailed diagrams of the network topology with IP addresses and firewall rules
C.Defined roles and responsibilities for the BC/DR team during an incident
D.Procedures for regular testing, such as tabletop exercises or full-scale drills
E.A single backup copy stored on the primary server to minimize restoration time
F.An inventory of all employee personal devices used for remote work

Why this answer

A list of prioritized critical business functions with their RTOs is essential because it directly drives recovery strategy and resource allocation. Without this, the BC/DR plan lacks measurable recovery targets and cannot ensure that the most vital operations are restored first, which is a core requirement of NIST SP 800-34 and ISO 22301.

Exam trap

Cisco often tests the distinction between operational documentation (like network diagrams) and essential BC/DR governance elements (like RTOs, roles, and testing), tricking candidates into selecting detailed technical artifacts that are not core to plan oversight.

62
MCQ · medium

A records manager is preparing to delete old HR emails next week under the retention schedule. Legal notifies the team that those messages may be needed for an active investigation. What should the records manager do first?

A.Delete the emails on schedule and archive only the subject lines.
B.Place the emails on legal hold and suspend normal deletion for those records.
C.Move the emails to a shared folder so legal can review them later.
D.Compress the emails into an encrypted file and continue with deletion.
Answer: B

A legal hold is the correct action when records might be needed for an investigation, audit, or litigation. It overrides the normal retention schedule and requires the organization to preserve relevant data until legal or compliance staff releases the hold. This protects evidence integrity and avoids accidental destruction of records that could be important to the case.

Why this answer

When legal notifies that emails may be needed for an active investigation, the records manager must immediately suspend normal deletion and place a legal hold on those records. This preserves the data in its original state, preventing spoliation and ensuring compliance with e-discovery obligations. Deleting or moving the emails could destroy metadata or chain of custody, violating legal hold requirements.

Exam trap

The trap here is that candidates think moving emails to a shared folder is a safe preservation step, but it actually breaks the formal legal hold process and can compromise metadata and chain of custody, which is why the correct first action is to suspend deletion via a legal hold.

How to eliminate wrong answers

Option A is wrong because deleting the emails and archiving only subject lines destroys the body content and metadata (e.g., headers, timestamps, attachments) that are critical for legal discovery; this would likely constitute spoliation. Option C is wrong because moving the emails to a shared folder alters their original location and may break retention policies or audit trails, and it does not formally suspend the retention schedule—legal hold requires a documented, tamper-proof preservation process, not just relocation.

63
Multi-Select · medium

A business unit wants to keep using a customer portal even though a low-likelihood, high-impact dependency risk was identified. Leadership does not want to stop the service, but it does want to lower exposure and formally document the remaining risk. Which two actions best fit that approach? Select two.

Select 2 answers
A.Implement compensating controls to reduce the chance or impact of the event.
B.Immediately shut down the portal until the dependency risk is completely eliminated.
C.Formally accept the remaining residual risk at the appropriate management level.
D.Ignore the finding until the next annual audit cycle.
E.Transfer the issue to the help desk by opening a routine support ticket.
Answers: A, C

This is the most direct way to reduce exposure while keeping the service running. Compensating controls, such as extra monitoring, rate limiting, or alternate processing steps, lower either likelihood or impact without requiring the business to stop operations. That matches the stated goal of continuing service while reducing risk.

Why this answer

Option A is correct because implementing compensating controls is a standard risk mitigation strategy that reduces the likelihood or impact of a dependency risk without stopping the service. For a customer portal, this could include adding web application firewall (WAF) rules, rate limiting, or failover mechanisms to lower exposure while keeping the portal operational.

Exam trap

The trap here is confusing risk acceptance with ignoring the risk or deferring it operationally, leading candidates to pick options like D or E instead of recognizing that formal acceptance requires documented management approval and that compensating controls are a valid mitigation strategy.

64
MCQ · medium

After implementing MFA and stronger monitoring, a department still has a small chance of account misuse that could affect a low-value internal tool. The business owner reviews the remaining exposure and agrees it is within tolerance. What should happen next?

A.Escalate the issue to legal because all residual risk must be eliminated.
B.Document the residual risk and obtain formal acceptance from the risk owner.
C.Remove MFA because the remaining risk is already low.
D.Treat the issue as resolved because monitoring alone eliminates all risk.
Answer: B

When controls have reduced the likelihood and impact but some exposure remains, the remaining risk should be documented and formally accepted by the appropriate risk owner. This creates accountability, supports governance, and shows that the organization knowingly approved the remaining exposure after considering business value, cost, and tolerance.

Why this answer

Option B is correct because after implementing MFA and stronger monitoring, the remaining exposure is residual risk that must be formally documented and accepted by the risk owner (the business owner). This aligns with the risk management process in Security Program Management, where residual risk that falls within the organization's risk appetite is accepted rather than eliminated. The business owner's agreement indicates formal acceptance, which should be recorded for audit and compliance purposes.

Exam trap

The trap here is that candidates may think all risk must be eliminated or that monitoring alone suffices, but CompTIA tests the understanding that residual risk can be accepted when it falls within the organization's risk appetite, especially for low-value assets.

How to eliminate wrong answers

Option A is wrong because it states that all residual risk must be eliminated, which contradicts the principle of risk acceptance—organizations accept residual risk that is within tolerance, especially for low-value assets. Option C is wrong because removing MFA would increase the risk exposure, not reduce it, and the remaining risk is already deemed acceptable by the business owner. Option D is wrong because monitoring alone does not eliminate all risk; it only detects misuse, and residual risk remains even with monitoring in place.

65
MCQ · easy

An employee notices that a contractor left a printed report containing customer data on a conference room table. What should the employee do first?

A.Take a photo of the report and post it in the team chat as a warning.
B.Secure the report and report the incident through the company's approved process.
C.Leave the report where it is so the contractor can collect it later.
D.Shred the report immediately without telling anyone.
Answer: B

The best first action is to protect the sensitive document from further exposure and then report it through the proper process. This limits privacy impact, preserves accountability, and allows the organization to handle the issue according to policy. It also teaches safe behavior without unnecessarily spreading the data.

Why this answer

Option B is correct because the immediate priority is to protect the sensitive customer data from further unauthorized access by securing the report, and then to follow the organization's incident response policy. This aligns with the principle of data breach containment and the requirement to report security incidents through official channels to ensure proper investigation and compliance with regulations like GDPR or HIPAA.

Exam trap

The trap here is that candidates may think immediate destruction (shredding) is the best way to protect data, but they overlook the legal and procedural requirement to preserve evidence and report the incident through official channels.

How to eliminate wrong answers

Option A is wrong because taking a photo and posting it in a team chat would further expose the sensitive customer data to unauthorized individuals, violating data privacy and potentially escalating the breach. Option C is wrong because leaving the report unattended continues to expose the data to anyone who enters the conference room, failing to contain the incident. Option D is wrong because shredding the report without reporting destroys potential evidence needed for an investigation into how the data was exposed and whether other data was compromised, violating incident response procedures.

66
MCQ · medium

A vendor-supported legacy application can run only with a deprecated browser plug-in on two engineering workstations for 30 days while a replacement is tested. Management wants to allow the exception without weakening the security program. What is the best action?

A.Approve the exception informally by email and revisit it if problems appear.
B.Document a time-bound exception, record the risk, apply compensating controls, and schedule review before expiration.
C.Disable all monitoring on the workstations so the application will function normally.
D.Publish the exception as a permanent guideline so other teams can follow it.
Answer: B

This is the best governance practice because the exception is controlled, documented, time-limited, and formally reviewed.

Why this answer

Option B is correct because it follows the formal exception process required by a mature security program: documenting the exception with a specific time bound (30 days), recording the associated risk, applying compensating controls (such as network segmentation or host-based firewall rules to isolate the deprecated plug-in), and scheduling a review before expiration ensures the risk is managed and the exception does not become permanent. This aligns with the SY0-701 objective of implementing risk management processes, where time-bound exceptions with compensating controls are the standard way to handle legacy dependencies without weakening the overall security posture.

Exam trap

The trap here is that candidates often choose Option A (informal approval) because it seems quick and pragmatic, but the SY0-701 exam emphasizes that any exception must be formally documented, risk-assessed, and time-bound to maintain a defensible security program.

How to eliminate wrong answers

Option A is wrong because an informal email approval lacks documentation, risk recording, and compensating controls, which violates the security program's requirement to track and manage exceptions; it also creates an audit trail gap that could lead to uncontrolled risk. Option C is wrong because disabling all monitoring on the workstations removes visibility into security events, directly weakening the security program and violating the principle of defense in depth; the application only needs the deprecated plug-in, not the elimination of monitoring. Option D is wrong because publishing the exception as a permanent guideline would institutionalize a temporary risk, contradicting the 30-day replacement timeline and potentially encouraging other teams to adopt insecure practices without proper risk assessment.

67
MCQ · easy

An operations manager states that the customer portal may be unavailable for no more than 15 minutes in a month before the issue must be escalated to executives. Which risk management concept does this statement describe?

A.Risk appetite, because it describes the organization’s overall willingness to take risk.
B.Risk tolerance, because it sets a specific measurable threshold for acceptable impact.
C.Risk transfer, because the business is moving the outage risk to another party.
D.Risk avoidance, because the organization is eliminating the portal risk completely.
AnswerB

Risk tolerance is the specific, measurable limit an organization is willing to accept for a particular risk or service. In this case, the 15-minute outage threshold is a clear boundary that triggers escalation, so it is a tolerance statement.

Why this answer

Option B is correct because risk tolerance defines the specific, measurable deviation from risk appetite that an organization is willing to accept. The operations manager's statement sets a precise threshold—15 minutes of unavailability per month—before escalation is required, which is a classic example of risk tolerance in IT service management.

Exam trap

CompTIA often tests the distinction between risk appetite (broad willingness) and risk tolerance (specific measurable threshold), causing candidates to confuse the two when a numeric value is given.

How to eliminate wrong answers

Option A is wrong because risk appetite is the broad, high-level willingness to accept risk (e.g., 'we accept some downtime'), not a specific numeric threshold like 15 minutes. Option C is wrong because risk transfer involves shifting risk to a third party (e.g., via insurance or outsourcing), not setting an internal escalation policy. Option D is wrong because risk avoidance means eliminating the risk entirely (e.g., taking the portal offline permanently), not defining a tolerance for acceptable downtime.

68
MCQeasy

A desktop engineering team needs the document that sets the mandatory minimum password length and screen-lock timeout for all company laptops. Which document type should they use?

A.Policy
B.Standard
C.Guideline
D.Procedure
AnswerB

A standard defines mandatory, specific requirements such as exact password length, timeout values, or encryption settings. In this case, the team needs a document that tells them the minimum baseline every laptop must meet. Standards are enforceable and precise, which makes them the right fit for organization-wide technical requirements.

Why this answer

A standard specifies mandatory technical requirements, such as minimum password length and screen-lock timeout, that must be implemented on all company laptops. Unlike a policy, which is high-level and states management intent, a standard provides the specific, enforceable configuration settings. This aligns with the desktop engineering team's need for a document that dictates exact technical parameters.

Exam trap

The trap here is confusing a policy (the 'what' and 'why') with a standard (the 'how much' or 'how many'), leading candidates to choose 'Policy' because they think it sets rules, but policies lack the specific, measurable technical thresholds that standards provide.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level statement of management intent and goals, not a document that sets specific technical values like 'minimum password length of 8 characters' or 'screen-lock timeout of 15 minutes'. Option C is wrong because a guideline offers recommendations and best practices, not mandatory requirements; the team needs a document that enforces compliance, not just suggests. Option D is wrong because a procedure provides step-by-step instructions on how to perform a task (e.g., how to configure a password policy in Group Policy), not the actual mandatory values themselves.

69
Multi-Selectmedium

After several password-reset incidents, the security team wants one document that sets mandatory minimum controls for privileged accounts and another that tells the help desk the exact steps to verify identity and reset access. Which two document types should they use? Select two.

Select 2 answers
A.Policy, because it explains the organization's overall security intent in broad terms.
B.Standard, because it defines the mandatory minimum requirements that everyone must follow.
C.Procedure, because it gives the exact step-by-step actions for help desk staff.
D.Guideline, because it provides recommended practices that staff may ignore if needed.
E.Baseline, because it is mainly used as a casual reference document for analysts.
AnswersB, C

A standard is the right document for mandatory baseline requirements, such as minimum password length, MFA requirements, or privileged account rules. It converts policy intent into specific, measurable requirements that can be enforced consistently across the organization. A procedure is the right document for the help desk, because it prescribes the exact, ordered steps for verifying a caller's identity and resetting access.

Why this answer

Option B is correct because a standard defines mandatory minimum requirements that must be followed, such as password length, complexity, and MFA enforcement for privileged accounts. This ensures consistent security controls across the organization without ambiguity, unlike a policy which is high-level intent. Option C is correct because a procedure gives help desk staff the exact, repeatable steps for verifying identity and resetting access, which turns the standard's requirements into consistent day-to-day practice and reduces the chance of a reset being granted to a social engineer.

Exam trap

The trap here is confusing a policy (high-level intent) with a standard (mandatory minimums), and a guideline (optional) with a procedure (step-by-step), leading candidates to pick A and D instead of B and C.

70
Multi-Selectmedium

After several near-miss phishing attempts, leadership wants to reduce mistakes quickly without disrupting daily work. Which three measures are the best balance of security and usability? Select three.

Select 3 answers
A.Run short role-based phishing training for higher-risk user groups.
B.Add a simple report-phishing button and encourage immediate reporting.
C.Require out-of-band verification for payment changes and wire requests.
D.Disable email for all staff until phishing activity stops.
E.Block all external senders permanently.
AnswersA, B, C

Focused training improves awareness where exposure is highest, a report button gives the security team early warning of live campaigns, and out-of-band verification blocks the costliest outcome of a successful phish (a fraudulent payment), all without interrupting normal email use.

Why this answer

Option A is correct because targeted, role-based phishing training focuses on the users who handle sensitive data or financial transactions, so the training is short, relevant to the lures those roles actually see, and does not pull the whole workforce away from work. Option B is correct because a one-click report button lowers the cost of reporting to almost nothing, and early reports let the security team pull a campaign from other mailboxes before more users act on it. Option C is correct because out-of-band verification (a call-back to a known number, not a reply to the email) is a process control that defeats business email compromise even when a user is fooled, which is the highest-impact phishing outcome. Together these three reduce mistakes quickly while keeping email fully usable.

Exam trap

CompTIA often tests the balance between security and usability, where candidates mistakenly choose overly restrictive options like disabling email or blocking all external senders, failing to recognize that such measures violate the core principle of maintaining business operations while improving security posture.

71
MCQeasy

An auditor asks for evidence that the new workstation hardening baseline is actually applied across all finance laptops. Which evidence is the best to provide?

A.A copy of the hardening policy that says all laptops must be secured.
B.A manager’s email confirming that the baseline was announced to the team.
C.Screenshots from one finance laptop showing the baseline settings.
D.An automated compliance report from the configuration management tool showing baseline status across all devices.
AnswerD

An automated compliance report is the strongest evidence because it is repeatable, covers the full population, and shows whether the baseline is actually enforced. Auditors generally prefer objective evidence that can be validated across multiple systems rather than isolated screenshots or statements.

Why this answer

Option D is correct because an automated compliance report from a configuration management tool (e.g., Microsoft Intune, SCCM, or Ansible) provides verifiable, centralized evidence that the hardening baseline is applied across all finance laptops. Unlike manual screenshots or policy documents, this report shows real-time or historical compliance status for every device, proving enforcement at scale.

Exam trap

The trap here is that candidates often choose Option C (screenshots) because it shows actual settings, but they overlook the requirement for evidence across all devices, not just one sample.

How to eliminate wrong answers

Option A is wrong because a copy of the hardening policy only states the requirement; it does not provide evidence that the baseline was actually applied to any device. Option B is wrong because a manager’s email confirming an announcement is hearsay and does not demonstrate technical enforcement or verification of settings. Option C is wrong because screenshots from a single laptop only prove compliance for that one device, not for the entire fleet of finance laptops, and can be easily staged or falsified.
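What an auditor means by "baseline status across all devices" is a comparison of every device record against the standard's mandatory values, not a single sampled screenshot. The block below is an added example, not code from the question bank or from any configuration management product: it evaluates a constructed inventory export against the kind of values a standard like the one in question 68 would set (minimum password length, screen-lock timeout, disk encryption). The baseline numbers, device names and records are assumptions.

```python
"""Baseline compliance report over a device inventory (added example).

Models the evidence an auditor wants: a verdict per device for the whole
population, plus a summary. Baseline values and inventory records are
constructed assumptions, not a real export.
"""
from dataclasses import dataclass, field

# Mandatory minimums a standard would state (assumed values).
BASELINE = {
    "min_password_length": 12,   # characters, device value must be at least this
    "screen_lock_timeout": 15,   # minutes of inactivity, device value must be at most this
    "disk_encryption": True,
}

# Constructed inventory export, shaped like a configuration management tool's output.
SAMPLE_INVENTORY = [
    {"host": "FIN-LT-001", "min_password_length": 14, "screen_lock_timeout": 10, "disk_encryption": True},
    {"host": "FIN-LT-002", "min_password_length": 8,  "screen_lock_timeout": 15, "disk_encryption": True},
    {"host": "FIN-LT-003", "min_password_length": 12, "screen_lock_timeout": 30, "disk_encryption": True},
    {"host": "FIN-LT-004", "min_password_length": 12, "screen_lock_timeout": 15},  # no encryption data
]


@dataclass
class DeviceResult:
    host: str
    findings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def check_device(record: dict, baseline: dict = BASELINE) -> DeviceResult:
    """Compare one device record against the baseline.

    Direction matters for each setting, and a missing attribute is recorded
    as a finding rather than a pass: no evidence is not evidence of compliance.
    """
    result = DeviceResult(host=record["host"])
    pw = record.get("min_password_length")
    if pw is None or pw < baseline["min_password_length"]:
        result.findings.append(f"password length {pw} < {baseline['min_password_length']}")
    lock = record.get("screen_lock_timeout")
    if lock is None or lock > baseline["screen_lock_timeout"]:
        result.findings.append(f"screen-lock timeout {lock} > {baseline['screen_lock_timeout']}")
    enc = record.get("disk_encryption")
    if enc is not baseline["disk_encryption"]:
        result.findings.append(f"disk encryption {enc!r}, expected {baseline['disk_encryption']}")
    return result


def compliance_report(inventory: list[dict], baseline: dict = BASELINE) -> dict:
    """Whole-population report: how many were checked, who failed, and why."""
    results = [check_device(r, baseline) for r in inventory]
    non_compliant = {r.host: r.findings for r in results if not r.compliant}
    compliant = len(results) - len(non_compliant)
    return {
        "devices_checked": len(results),
        "compliant": compliant,
        "non_compliant": non_compliant,
        "compliance_rate": round(compliant / len(results), 2) if results else 0.0,
    }


if __name__ == "__main__":
    report = compliance_report(SAMPLE_INVENTORY)
    print(f"{report['compliant']}/{report['devices_checked']} devices compliant")
    for host, findings in report["non_compliant"].items():
        print(host, "->", "; ".join(findings))
```

The "devices_checked" count is the part that answers the auditor's question: it should match the asset inventory for finance laptops, otherwise the report proves compliance only for the devices the tool happens to see.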

72
Multi-Selecteasy

A records clerk finds paper forms containing customer identifiers. The retention period has expired, and no legal hold applies. Which two actions are appropriate next? Select two.

Select 2 answers
A.Verify that the retention schedule has been satisfied and no hold exists
B.Destroy the forms using the organization's approved disposal method
C.Keep the forms in a personal desk drawer until someone asks for them
D.Take the papers home for safe keeping before shredding later
E.Refile the forms in an archive cabinet because they are old records
AnswersA, B

Before destruction, the clerk should confirm that the records are truly eligible to be disposed of under the retention policy.

Why this answer

Option A is correct because before disposing of any records, the records clerk must confirm that the retention period has fully elapsed and that no legal hold (such as a litigation hold or regulatory hold) is active. This verification step ensures compliance with organizational data governance policies and avoids spoliation of evidence. Option B is correct because once verification is complete, the approved disposal method (e.g., cross-cut shredding, incineration, or secure shredding service) must be used to render the customer identifiers irrecoverable, aligning with data minimization and privacy requirements.

Exam trap

The trap here is that candidates may assume that simply because the retention period has expired, immediate destruction is always the correct next step, overlooking the critical verification step to ensure no legal hold is in place.

73
Multi-Selecteasy

A business unit keeps a low-priority legacy tool but adds extra monitoring and patching. The company also buys cyber insurance to reduce the financial effect of a loss. Which two risk treatment strategies are being used? Select two.

Select 2 answers
A.Acceptance
B.Mitigation
C.Avoidance
D.Transfer
E.Deterrent
AnswersB, D

Mitigation reduces risk by adding controls such as monitoring, patching, or other protective measures.

Why this answer

Adding extra monitoring and patching to a legacy tool is a classic example of risk mitigation (Option B): the controls reduce the likelihood or impact of a security incident without removing the asset. Purchasing cyber insurance moves the financial impact of a loss to a third party, which is risk transfer (Option D). Acceptance is not one of the two strategies being applied here: the business unit did not simply keep the tool as-is, it added controls, and the question asks which treatments are being actively used, not whether residual risk remains after them.

Exam trap

The trap here is that candidates confuse risk acceptance (keeping the asset without additional controls) with risk mitigation (adding controls), or they fail to recognize that cyber insurance is a transference strategy, not mitigation or acceptance.

74
MCQmedium

An engineering team requests a 30-day exception to use an unsupported browser plug-in on two workstations so a customer deliverable can be finished. Security agrees the business need is legitimate, but wants to reduce exposure. What must be included before the exception is approved?

A.A verbal approval from the engineering manager and no additional documentation.
B.A documented exception with an end date, compensating controls, and approval by the risk owner.
C.A standing waiver that remains in place until the project finishes, with no review date.
D.A guideline reminding the team to avoid risky behavior when practical.
AnswerB

A proper exception should be documented, time-limited, and tied to risk ownership so the organization knows who accepted the exposure and when it must be reviewed again. Compensating controls help reduce the danger while the exception is active. This keeps the exception controlled rather than allowing an open-ended deviation from security requirements.

Why this answer

A documented exception with a defined end date, compensating controls, and risk-owner approval is the correct approach. Security exceptions should be controlled, reviewable, and temporary whenever possible. That structure shows the business need was acknowledged while ensuring someone has formally accepted the residual risk and the organization can reassess the exception before it becomes indefinite.

How to eliminate wrong answers

Option A is wrong because a verbal approval is not enough for auditability or accountability. Option C is wrong because a standing waiver without a review date can quietly become permanent and increase exposure. Option D is wrong because a guideline does not authorize deviation from policy or provide the controls required for an exception process. The question is about formal exception handling, not informal advice.
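The exception record described above has to be checked, not just filed: someone must notice when it is incomplete, longer than policy allows, or about to expire. The following is an added example, not code from the question bank or any vendor tool, that evaluates a small exception register against those rules. The field names, the 30-day cap, the 7-day review window, the sample records and the "today" date are all constructed assumptions.

```python
"""Security-exception register checks (added example, constructed data).

Encodes the requirements from the question: every exception needs an end
date, compensating controls and a named risk owner, and a 30-day exception
must not silently become permanent. All field names and values are assumed.
"""
from datetime import date

MAX_DAYS = 30        # assumed policy cap on the length of a single exception
REVIEW_WINDOW = 7    # assumed: review is due this many days before expiry
REQUIRED = ("id", "asset", "risk_owner", "approved_on", "expires_on", "compensating_controls")

# Constructed register export; dates are ISO strings as an export would carry them.
SAMPLE_TODAY = date(2024, 6, 10)
SAMPLE_REGISTER = [
    {"id": "EXC-1", "asset": "ENG-WS-01, ENG-WS-02", "risk_owner": "eng-director",
     "approved_on": "2024-06-01", "expires_on": "2024-07-01",
     "compensating_controls": ["host firewall allow-list", "segmented VLAN"]},
    {"id": "EXC-2", "asset": "legacy-cad-02", "risk_owner": "eng-director",
     "approved_on": "2024-05-01", "expires_on": "2024-05-31",
     "compensating_controls": ["EDR alert rule"]},
    {"id": "EXC-3", "asset": "ENG-WS-03", "risk_owner": "eng-director",
     "approved_on": "2024-06-05", "expires_on": "2024-06-15",
     "compensating_controls": ["no internet egress"]},
    {"id": "EXC-4", "asset": "ENG-WS-04", "risk_owner": "eng-director",
     "approved_on": "2024-06-01", "expires_on": "2024-09-01",   # 92 days: over the cap
     "compensating_controls": ["host firewall allow-list"]},
    {"id": "EXC-5", "asset": "ENG-WS-05",                        # no owner, no controls
     "approved_on": "2024-06-01", "expires_on": "2024-06-20",
     "compensating_controls": []},
]


def evaluate_exception(exc: dict, today: date, max_days: int = MAX_DAYS) -> dict:
    """Return {"id", "status", "reasons"} for one exception record.

    status is "rejected" (missing fields, empty controls, or longer than
    max_days), "expired", "review_due" (inside REVIEW_WINDOW) or "active".
    """
    # An empty controls list is falsy, so it is caught here as a missing field.
    missing = [f for f in REQUIRED if not exc.get(f)]
    if missing:
        return {"id": exc.get("id"), "status": "rejected",
                "reasons": [f"missing {f}" for f in missing]}

    approved = date.fromisoformat(exc["approved_on"])
    expires = date.fromisoformat(exc["expires_on"])
    reasons = []
    if expires <= approved:
        reasons.append("expires_on is not after approved_on")
    elif (expires - approved).days > max_days:
        reasons.append(f"duration {(expires - approved).days}d exceeds {max_days}d cap")
    if reasons:
        return {"id": exc["id"], "status": "rejected", "reasons": reasons}

    if today > expires:
        return {"id": exc["id"], "status": "expired",
                "reasons": [f"expired {(today - expires).days}d ago"]}
    if (expires - today).days <= REVIEW_WINDOW:
        return {"id": exc["id"], "status": "review_due",
                "reasons": [f"expires in {(expires - today).days}d"]}
    return {"id": exc["id"], "status": "active", "reasons": []}


def register_report(register: list[dict], today: date) -> dict:
    """Group every exception by status so the risk owner sees what needs action."""
    report = {"rejected": [], "expired": [], "review_due": [], "active": []}
    for exc in register:
        verdict = evaluate_exception(exc, today)
        report[verdict["status"]].append(verdict)
    return report


if __name__ == "__main__":
    for status, items in register_report(SAMPLE_REGISTER, SAMPLE_TODAY).items():
        for item in items:
            print(f"{status:10} {item['id']}  {'; '.join(item['reasons'])}")
```

Run weekly from a scheduler and route the "expired" and "review_due" groups to the named risk owner; the "rejected" group is what the intake form should refuse to accept in the first place.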

75
Multi-Selectmedium

A security manager is designing a security program to align with business goals. Which three of the following are essential components of a security program that directly support governance and oversight? (Choose three.)

Select 3 answers
A.Establishing a security steering committee with executive sponsorship
B.Implementing a vulnerability scanning tool across all endpoints
C.Developing and maintaining security policies, standards, and procedures
D.Conducting periodic risk assessments to inform decision-making
E.Deploying a next-generation firewall to segment the network
F.Installing endpoint detection and response agents on all workstations
AnswersA, C, D

Why this answer

A security steering committee with executive sponsorship ensures that security initiatives have top-down support and alignment with business objectives, which is a core governance function. Developing and maintaining security policies, standards, and procedures provides the formal framework for enforcing security controls and ensuring compliance, directly supporting oversight. Conducting periodic risk assessments informs decision-making by identifying and prioritizing risks, which is essential for governance and resource allocation.

Exam trap

The trap here is confusing operational security tools (like vulnerability scanners and firewalls) with governance components, which are about oversight, policy, and strategic alignment rather than specific technical implementations.
