CISSP · topic practice

Security Operations practice questions

Use this page to practise Security Operations questions for this certification. Focus on how the exam tests security operations in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Operations

What the exam tests

What to know about Security Operations

Security Operations questions on this certification test your ability to apply security operations concepts, such as logging and monitoring, incident handling, access control principles and business continuity, in scenario-based situations.

Core Security Operations concepts and how they apply in real-world scenarios, including hybrid on-premises and cloud environments.

How to implement operational controls (monitoring rules, backups, media protection, compensating controls) correctly and verify the outcome.

Interpreting evidence such as firewall log entries, SIEM alerts and policy documents to work out what is happening and what to do next.

Design trade-offs tested by this certification, such as recovery objectives against replication cost, and detection coverage against false positives.

Watch out for

Common Security Operations exam traps

  • Picking a technical fix when the question asks which principle is being violated: a shared generic account defeats individual accountability no matter how strong the password is.
  • Treating account lockout as a complete control: an attacker who rotates source addresses or usernames sidesteps it, so the next step is investigation and containment, not a tighter lockout threshold.
  • Mixing up the business continuity metrics: RTO bounds downtime, RPO bounds data loss measured in time, and MTBF and MTTR are reliability figures, not recovery targets.
  • Reading an access policy statement by statement and stopping at the first Allow: in AWS IAM an explicit Deny overrides any Allow, whatever order the statements appear in.
  • Choosing the strongest control instead of the most appropriate one: when a production server cannot be patched immediately, the exam wants a compensating control that reduces exposure without taking the service down.

Practice set

Security Operations questions

20 questions · select your answer, then reveal the explanation

A security analyst notices repeated failed login attempts from an internal IP address on the domain controller. After enabling account lockout, the lockouts continue but the source IP changes. What is the best next step?

Question 2 · hard · multiple choice

A SOC analyst receives an alert for a suspicious outbound connection from a server in the DMZ to an external IP on port 443. The server is a web application server that should only communicate internally. The analyst checks the process and finds it is 'svchost.exe' running from a non-standard path. What is the most appropriate immediate action?

During a security audit, an organization discovers that several employees are sharing a single generic account to access a critical database. Which principle of security operations is being violated?

A security engineer is designing a new SIEM correlation rule to detect potential data exfiltration. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address within a 5-minute window, but only if the external IP is not on a whitelist of known business partners. Which approach best minimizes false positives while ensuring effective detection?
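The rule in the question above is easier to reason about once it is written down. The following is an added example, not code from the page: a minimal implementation of the correlation logic (sliding 5-minute window, per internal host and external destination, partner allowlist applied first) run over constructed NetFlow-style records. The MiB interpretation of "10 MB", the partner range 198.51.100.0/24 and every sample flow are assumptions made for the demo.

```python
"""Sliding-window exfiltration rule for the SIEM scenario above (added example).

One alert fires when a single internal host sends more than THRESHOLD_BYTES to
one external destination inside a sliding WINDOW, unless the destination is on
the partner allowlist. Internal ranges are listed explicitly rather than via
ipaddress.is_private, which also flags documentation ranges such as
203.0.113.0/24 that this demo uses as "external".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(minutes=5)
MIB = 1024 * 1024
THRESHOLD_BYTES = 10 * MIB          # "10 MB" in the rule; unit choice is a tuning decision
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
PARTNER_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]   # assumed known business partner


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PARTNER_ALLOWLIST)


def detect_exfil(records):
    """records: iterable of (timestamp, src_ip, dst_ip, bytes_out).

    Returns a list of (timestamp, src_ip, dst_ip, bytes_in_window) alerts.
    Bytes are summed per (src, dst) pair over a sliding WINDOW; after an alert
    the pair's window is reset so one burst yields one alert, not one per flow.
    """
    windows = defaultdict(deque)    # (src, dst) -> deque of (ts, bytes) still inside the window
    totals = defaultdict(int)       # (src, dst) -> running sum of that deque
    alerts = []
    for ts, src, dst, nbytes in sorted(records):
        if not is_external(dst) or is_allowlisted(dst):
            continue                # internal traffic and partners never reach the threshold logic
        key = (src, dst)
        q = windows[key]
        q.append((ts, nbytes))
        totals[key] += nbytes
        while q and ts - q[0][0] > WINDOW:      # evict flows that fell out of the window
            _, old = q.popleft()
            totals[key] -= old
        if totals[key] > THRESHOLD_BYTES:
            alerts.append((ts, src, dst, totals[key]))
            q.clear()
            totals[key] = 0
    return alerts


T0 = datetime(2024, 3, 15, 14, 0, 0)
# Constructed sample flows: (time, src, dst, bytes)
SAMPLE_RECORDS = (
    # 6 x 2 MiB in 150 s to one external IP: crosses 10 MiB on the sixth flow -> alert
    [(T0 + timedelta(seconds=30 * i), "10.10.20.5", "203.0.113.50", 2 * MIB) for i in range(6)]
    # 20 MiB to an allowlisted partner -> no alert
    + [(T0 + timedelta(seconds=10), "10.10.20.6", "198.51.100.8", 20 * MIB)]
    # 50 MiB to an internal file server -> not external, ignored
    + [(T0 + timedelta(seconds=20), "10.10.20.7", "10.10.30.9", 50 * MIB)]
    # 3 + 3 + 6 MiB spread over 8 minutes: never more than 10 MiB inside any 5-minute window
    + [(T0, "10.10.20.8", "203.0.113.60", 3 * MIB),
       (T0 + timedelta(minutes=2), "10.10.20.8", "203.0.113.60", 3 * MIB),
       (T0 + timedelta(minutes=8), "10.10.20.8", "203.0.113.60", 6 * MIB)]
)

if __name__ == "__main__":
    for ts, src, dst, total in detect_exfil(SAMPLE_RECORDS):
        print(f"{ts:%H:%M:%S} ALERT {src} -> {dst}: {total / MIB:.0f} MiB within {WINDOW}")
```

Applying the allowlist before any counting is what keeps false positives down: partner transfers never consume window state, while the slow trickle from 10.10.20.8 shows why the window must evict old flows rather than accumulate forever.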

A company's security policy requires that all removable media be encrypted. An employee plugs in a USB drive and is prompted to format it before use. After formatting, the drive is not encrypted. What is the most likely reason?

An organization is implementing a new backup strategy for its critical servers. The backup must support rapid restoration of individual files and allow for a recovery point objective (RPO) of no more than 15 minutes. Which backup method should be used for daily operations?

Question 7 · medium · multiple choice

During a vulnerability scan, a security analyst discovers that a web server is running an outdated version of Apache with known remote code execution vulnerabilities. The server is in production and cannot be patched immediately due to dependency conflicts. What is the best compensating control to reduce risk while a permanent fix is developed?

Which TWO of the following are essential components of a successful security awareness program?

Which THREE of the following are best practices for securing a data center's physical access?

Which TWO of the following are valid reasons for conducting a business impact analysis (BIA)?

Refer to the exhibit.

Exhibit: syslog entry from a firewall
<134>2024-03-15T14:23:45Z FW-01 %ASA-4-106023: Deny tcp src inside:192.168.1.10/3345 dst outside:203.0.113.5/80 by access-group "OUTSIDE_IN" [0x0, 0x0]

A network administrator finds the above log entry. The source IP 192.168.1.10 is a user workstation. What does this log entry indicate?

Refer to the exhibit.

Exhibit: snippet from a security policy in JSON format
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/confidential/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "10.100.0.0/16"
        }
      }
    }
  ]
}

An AWS security engineer is reviewing the above S3 bucket policy. What is the net effect of this policy on requests to read objects in the 'confidential' folder?
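To check your reasoning on the policy exhibit against the AWS evaluation rules (explicit Deny overrides any Allow; no matching statement means an implicit deny), here is an added example that is not part of the original page: a toy evaluator covering only the elements the exhibit uses. Principal, identity-based policies, SCPs and every other condition key are out of scope, and the request addresses (10.0.5.20, 10.100.7.7, 203.0.113.9) and object keys are assumptions made for the demo.

```python
"""Toy IAM evaluator for the bucket policy exhibit above (added example).

Models Effect, Action, Resource and the IpAddress / NotIpAddress operators on
aws:SourceIp. Use it to check reasoning, not as a substitute for the IAM policy
simulator: real evaluation also involves the Principal, identity policies,
SCPs, permission boundaries and many more condition keys.
"""
import fnmatch
import ipaddress
import json

# The exhibit, copied verbatim.
POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/confidential/*",
      "Condition": {"NotIpAddress": {"aws:SourceIp": "10.100.0.0/16"}}
    }
  ]
}
""")


def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]


def _ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_matches(condition, source_ip):
    """Every operator block inside a Condition must hold (logical AND)."""
    for operator, key_values in condition.items():
        cidrs = _as_list(key_values.get("aws:SourceIp", []))
        if operator == "IpAddress" and not _ip_in_any(source_ip, cidrs):
            return False
        if operator == "NotIpAddress" and _ip_in_any(source_ip, cidrs):
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"condition operator {operator} is not modelled")
    return True


def _statement_applies(stmt, action, resource, source_ip):
    # IAM's * and ? wildcards behave like shell globs for Action and Resource matching.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition", {}), source_ip))


def evaluate(policy, action, resource, source_ip):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"           # an explicit deny short-circuits everything else
        decision = "Allow"
    return decision


# Constructed object keys for the demo.
CONFIDENTIAL = "arn:aws:s3:::example-bucket/confidential/report.pdf"
PUBLIC = "arn:aws:s3:::example-bucket/public/readme.txt"

if __name__ == "__main__":
    # One address inside 10.0.0.0/8 but outside the carve-out, one inside 10.100.0.0/16, one external.
    for ip in ("10.0.5.20", "10.100.7.7", "203.0.113.9"):
        for res in (CONFIDENTIAL, PUBLIC):
            print(f"{ip:>12} s3:GetObject {res.split('/', 1)[1]:<24} -> "
                  f"{evaluate(POLICY, 's3:GetObject', res, ip)}")
```

The interesting case is a 10.x address outside 10.100.0.0/16: the Allow statement matches it, yet the Deny statement also matches and wins. Statement order plays no part in the outcome.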
Question 13 · medium · multiple choice

You are a security analyst at a financial institution. The company has a hybrid infrastructure with on-premises servers and AWS cloud. The on-premises network uses a SIEM that aggregates logs from all sources. Recently, the SIEM has been generating a high volume of alerts for failed SSH login attempts from an internal IP (10.10.50.100) to multiple Linux servers. The IP belongs to a jump box used by system administrators. Upon investigation, you find that the jump box is running a hardened OS, and only authorized admins can access it via SSH key authentication. However, the failed login attempts show usernames like 'root', 'admin', 'test', which are not valid accounts on the target servers. The attempts occur every 5 seconds around the clock. There are no successful logins from that IP. The jump box has the latest patches and antivirus. What should you do FIRST?

Drag and drop the steps for implementing mandatory access control (MAC) in a secure system in the correct order.


Match each business continuity term to its definition.

Definitions

  • Maximum acceptable downtime after a disaster
  • Maximum acceptable data loss measured in time
  • Average time between system failures
  • Average time to repair a failed system
  • Service level agreement defining performance metrics

An organization is implementing a bring-your-own-device (BYOD) policy. Which security control should be enforced to ensure that only compliant devices can access corporate resources?

During a security incident, the incident response team identifies that an attacker exfiltrated data via a compromised service account. Which of the following is the BEST immediate step to contain the incident?

A security analyst observes repeated failed logon attempts from a single IP address against a domain controller. The account lockout policy is set to 5 attempts within 30 minutes. However, after the account is locked, the attack switches to a different username. Which type of attack is most likely occurring?

An organization needs to ensure that backup tapes containing sensitive data are protected during transportation between sites. What is the most effective control?

A company is designing a recovery site for its critical database. The recovery time objective (RTO) is 2 hours, and the recovery point objective (RPO) is 15 minutes. Which of the following replication strategies is BEST suited?


Focused Security Operations sessions

Start a Security Operations only practice session

Every question in these sessions is drawn from the Security Operations domain — nothing else.

Related practice questions

Related CISSP topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CISSP exam test about Security Operations?
Security Operations questions on this certification test your ability to apply security operations concepts, such as logging and monitoring, incident handling, access control principles and business continuity, in scenario-based situations.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Operations questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Operations domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISSP topics?
Use the topic links above to move to related areas, or go back to the CISSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISSP exam covers. They are not copied from any real exam or dump site.