SY0-701 · topic practice

Security Program Management and Oversight practice questions

Security Program Management & Oversight is the domain of the SY0-701 exam that covers how organizations build, maintain, and improve their security programs. Think of it as the 'management layer' of cybersecurity—not the technical tools like firewalls or antivirus, but the policies, procedures, governance, and risk management that ensure those tools are used effectively. In plain English, this domain teaches you how to run a security department like a business: setting goals, measuring performance, managing budgets, complying with laws, and continuously improving. It’s about the 'big picture' decisions that keep an organization safe from cyber threats. Why is this important for real-world IT/security/cloud work? Because technical skills alone won't get you far. A security engineer who can configure a SIEM but doesn't understand incident response plans or compliance requirements (like GDPR or HIPAA) is a liability. In the real world, you’ll need to justify security spending to executives, write policies that balance security with usability, and ensure your cloud infrastructure meets regulatory standards. For example, if you work at a healthcare company, you must know how to implement a security program that protects patient data under HIPAA. This domain gives you the vocabulary and frameworks to communicate with managers, auditors, and legal teams. On the SY0-701 exam, this domain (worth 20% of the score) tests your knowledge of: security governance principles (e.g., policies, standards, procedures), risk management processes (identifying, assessing, and mitigating risks), compliance with laws and regulations (e.g., GDPR, PCI DSS), business continuity and disaster recovery concepts, and security awareness training. You’ll also see questions on third-party risk management, data classification, and security metrics (KPIs). The exam won’t ask you to write a policy, but you must understand the purpose of each document and when to use it. For instance, you should know the difference between a policy (high-level intent) and a procedure (step-by-step instructions). To approach studying this domain, start by memorizing the key documents and their hierarchy: policies → standards → procedures → guidelines. Then, focus on risk management: the steps of risk assessment (identification, analysis, evaluation, treatment) and common risk treatment options (avoid, transfer, mitigate, accept). Use real-world examples: imagine a company storing customer credit card data—what PCI DSS requirements apply? How would you create a business continuity plan for a ransomware attack? Practice with sample questions that ask you to identify the correct policy or control for a given scenario. Since this domain is conceptual, create flashcards for terms like 'due care' vs. 'due diligence,' 'RPO' vs. 'RTO,' and 'quantitative' vs. 'qualitative' risk assessment. Finally, connect the dots: security program management ties together all other domains—it’s the 'why' behind the technical controls you learn elsewhere.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Security Program Management and Oversight

What the exam tests

What to know about Security Program Management and Oversight

Security Program Management & Oversight covers the governance, risk management, compliance, and business continuity aspects of cybersecurity—how to plan, implement, and improve an organization's security program.

Security governance principles: policies, standards, procedures, and guidelines

Risk management process: identification, assessment, analysis, and treatment of risks

Compliance with laws and regulations: GDPR, HIPAA, PCI DSS, SOX, etc.

Business continuity and disaster recovery: BCP, DRP, RTO, RPO, and testing

Security awareness and training: phishing simulations, role-based training, and metrics

Third-party risk management: vendor assessments, SLAs, and due diligence

Why learners struggle

Why Security Program Management and Oversight questions are commonly missed

RAM questions are commonly missed because learners confuse physical form factors (DIMM vs SO-DIMM) and fail to distinguish between memory speed (MHz) and latency (CL).

  • ·DIMM vs SO-DIMM — desktop vs laptop form factor confusion
  • ·DDR3 vs DDR4 vs DDR5 — notch position and voltage differences
  • ·MHz vs CL — speed vs latency trade-offs in performance
  • ·Single-channel vs dual-channel — bandwidth impact misconception
  • ·ECC vs non-ECC — error correction support in servers vs desktops
  • ·32-bit vs 64-bit — maximum addressable RAM limit

Watch out for

Common Security Program Management and Oversight exam traps

  • Confusing policy vs. procedure: a policy is high-level intent, a procedure is step-by-step; exam may ask which document defines 'acceptable use' (policy) vs. 'how to reset a password' (procedure)
  • Mixing up risk treatment options: avoid (eliminate activity), transfer (buy insurance), mitigate (add controls), accept (acknowledge risk); candidates often pick 'mitigate' when 'avoid' is correct for a high-risk scenario
  • Forgetting that compliance is not the same as security: a company can be compliant with a regulation but still have poor security; exam may present a scenario where a compliant organization is breached and ask what's missing (e.g., risk assessment beyond compliance)
  • Misinterpreting RTO vs. RPO: RTO is time to restore service, RPO is acceptable data loss; exam might describe a backup strategy and ask which metric it satisfies

Practice set

Security Program Management and Oversight questions

20 questions · select your answer, then reveal the explanation

A company is evaluating a new cloud-based customer relationship management (CRM) provider. The provider’s documentation includes a SOC 2 Type II report, but the company’s compliance team specifically requires evidence that data in transit is encrypted using TLS 1.2 or higher, and data at rest is encrypted with AES-256. Which of the following actions best demonstrates that the company has performed proper due diligence in vendor risk management?

A security manager is evaluating the effectiveness of a new security awareness training program that all employees completed last quarter. The company has been conducting monthly phishing simulation campaigns for the past year. Which of the following metrics would provide the strongest evidence that the training is achieving its intended goal of changing employee behavior?

Question 3mediummultiple choice
Read the full NAT/PAT explanation →

After completing a vulnerability scan, a security analyst discovers that a legacy customer-facing application running on an unsupported operating system contains a critical remote code execution vulnerability. The application is essential to daily operations and cannot be patched or upgraded in the near term. Management has approved the purchase of a hardware-based network firewall that will be placed in front of the application to restrict inbound traffic to only authorized source IP addresses and port numbers. Which risk management strategy does this action primarily represent?

Question 4mediummultiple choice
Read the full NAT/PAT explanation →

A security manager is preparing a quarterly report for the board of directors on the effectiveness of the organization's security program. The manager has access to detailed technical data, including firewall log statistics, patch compliance percentages, and number of phishing simulation clicks. Which of the following would be the most appropriate way to present this information to the board?

Question 5mediummultiple choice
Read the full NAT/PAT explanation →

A security manager is leading a risk assessment for the organization. The team identifies a legacy application that contains a known critical vulnerability. The vendor has discontinued support and no patch is available. The manager calculates that the annualized loss expectancy (ALE) for exploiting this vulnerability is $50,000. Implementing a third-party web application firewall (WAF) as a compensating control would cost $80,000 per year. The organization's leadership decides that accepting the risk is the most cost-effective approach. Which of the following documents should the security manager update to formally record this risk acceptance decision and obtain the necessary sign-off?

A security manager at a financial services company is proposing a new policy that would require annual background checks for all employees with access to sensitive customer payment data. The proposed policy, if implemented, would increase the organization's operational costs by approximately $200,000 per year. The manager needs to obtain formal approval to implement this policy. Which of the following groups is MOST likely to have the authority to approve this policy and allocate the necessary budget?

A security manager at a healthcare organization is reviewing the results of a third-party vendor risk assessment for a cloud-based email service that will store protected health information (PHI). The assessment reveals that the vendor encrypts data at rest using AES-256 but does not support customer-managed encryption keys. The vendor's data center is located in a country that is not subject to HIPAA jurisdiction. The vendor's previous penetration test report is over 18 months old. Which of the following is the most appropriate risk management action for the security manager to take?

A security manager at a hospital is reviewing the annual vendor risk assessment for a cloud-based electronic health record (EHR) provider. The provider's SOC 2 Type II report, issued six months ago, identifies a significant deficiency in logical access controls: the provider failed to revoke access for former employees in a timely manner. The provider's management has asserted that this deficiency has been fully remediated, but the next SOC 2 audit is not scheduled for another eight months. The hospital's data protection policy requires that any vendor handling protected health information (PHI) must have a current SOC 2 Type II report with no unresolved significant deficiencies. Which of the following is the most appropriate next step for the security manager?

A security manager at a financial services company is evaluating the effectiveness of a newly deployed security awareness training program. The program included modules on recognizing phishing emails, password security, and tailgating. One month after the training, the manager wants to assess whether employees are applying the learned behaviors to reduce the risk of phishing attacks. Which of the following metrics would provide the most valid indication of the training's behavioral impact?

Question 10mediummultiple choice
Read the full NAT/PAT explanation →

A security manager at a healthcare organization is responsible for maintaining the information security policy. A project manager requests a policy exception to use a cloud-based analytics platform that stores patient data. The platform currently encrypts data at rest with AES-128 instead of the required AES-256. The security manager assesses the risk and determines that the likelihood of data exposure is low due to other compensating controls already in place, but the impact would be high. The residual risk is within the organization's risk appetite. Which of the following is the most appropriate action for the security manager to take?

An IT manager wants a document that defines the mandatory minimum requirements for all company laptops, including full-disk encryption, password length, and screen-lock timing. The help desk also needs a separate document that shows exactly how to enroll a laptop in management software. Which document type should contain the mandatory laptop requirements?

During onboarding, a manager wants a document that explains how to request access to a shared drive, who approves it, and what the help desk must do after approval. Which document type is MOST appropriate?

A manager asks how the security team decides which issue should be fixed first. Which two factors are MOST important to evaluate for each risk?

Match each awareness-program metric to the interpretation the security team should use. 1. 8% of users clicked the simulated phishing link. 2. 34% of users reported the simulation using the report-phish button. 3. The median time from message delivery to first user report was 12 minutes. 4. 96% of staff completed the annual awareness module.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Click rate

Report rate

Time to report

Training completion rate

Based on the exhibit, which risk should be prioritized first under the company's likelihood-impact scoring model?

Exhibit

Risk register:
- Scoring model: Likelihood and impact are each rated from 1 to 5; higher total score means higher priority
- R-101: Medium likelihood (3), High impact (4), current control: manual review
- R-102: High likelihood (5), Medium impact (3), current control: none
- R-103: Low likelihood (1), Critical impact (5), current control: compensating detective control
- R-104: High likelihood (4), High impact (4), current control: backup power only
- Business note: Only one risk can be funded this quarter.

Based on the exhibit, which document type should the organization update if it wants the listed endpoint settings to be mandatory baseline requirements?

Exhibit

Security document hierarchy:
- Corporate policy: "Endpoints must be protected against unauthorized access."
- Standard excerpt: "All managed laptops shall use full-disk encryption, auto-lock after 10 minutes of inactivity, and a 14-character password minimum."
- Procedure excerpt: "Step 1: Open Settings. Step 2: Enable BitLocker. Step 3: Confirm policy sync."
- Guideline excerpt: "Users should avoid storing sensitive files locally when possible."

A security manager wants evidence that annual security awareness training was completed by employees. Which artifact is the best proof?

Match each audit request to the best evidence artifact. 1. Auditors want proof that managers reviewed privileged access last quarter. 2. Auditors want evidence that an emergency firewall change was approved before implementation. 3. Auditors want to verify that annual security training was completed by staff. 4. Auditors want to confirm that records were deleted after the retention period expired.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Access review attestation report

Approved change ticket

LMS completion export

Retention deletion log

A marketing analyst asks for a spreadsheet containing customer names, email addresses, purchase history, and government ID numbers so the team can build a campaign list. What is the BEST security response?

A department identifies a low-likelihood software risk that would be expensive to fix right now. Leadership decides the business can live with the exposure for now, but wants it documented and reviewed later. What risk treatment is this?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Security Program Management and Oversight sessions

Start a Security Program Management and Oversight only practice session

Every question in these sessions is drawn from the Security Program Management and Oversight domain — nothing else.

Related practice questions

Related SY0-701 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SY0-701 exam test about Security Program Management and Oversight?
Security Program Management & Oversight covers the governance, risk management, compliance, and business continuity aspects of cybersecurity—how to plan, implement, and improve an organization's security program.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Program Management and Oversight questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Program Management and Oversight domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SY0-701 topics?
Use the topic links above to move to related areas, or go back to the SY0-701 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SY0-701 exam covers. They are not copied from any real exam or dump site.