CCNA Security Operations and Administration Questions

74 questions · Security Operations and Administration

1
MCQ · medium

An organization's backup policy states: 'Maintain three copies of data on two different media types, with one copy stored offsite.' This is known as:

A. Incremental backup strategy
B. Grandfather-father-son rotation
C. 3-2-1 rule
D. Disaster recovery plan
Answer: C

Correct. This matches the description.

Why this answer

The 3-2-1 rule is a foundational data backup strategy that mandates maintaining three total copies of data, stored on two different types of media (e.g., disk and tape), with one copy located offsite to protect against site-level disasters. This directly matches the policy described, making option C correct.

Exam trap

The trap here is that candidates confuse the 3-2-1 rule with backup rotation schemes like GFS or incremental strategies, because all involve 'backup' and 'copies,' but only the 3-2-1 rule explicitly defines the count, media diversity, and offsite requirement.

How to eliminate wrong answers

Option A is wrong because an incremental backup strategy refers to a backup method that only copies data changed since the last full or incremental backup, not a rule about the number of copies, media diversity, or offsite storage. Option B is wrong because the grandfather-father-son (GFS) rotation is a tape rotation scheme that manages backup retention cycles (daily, weekly, monthly), not a specification for three copies on two media types with one offsite. Option D is wrong because a disaster recovery plan (DRP) is a comprehensive document outlining procedures for recovering IT infrastructure after a disaster, not a specific backup copy and media rule.

2
Multi-Select · easy

Which TWO of the following are examples of physical security controls? (Select TWO)

A. Firewall
B. CCTV
C. Intrusion detection system (IDS)
D. Biometric reader
E. Encryption
Answers: B, D

CCTV cameras are physical security controls for surveillance.

Why this answer

CCTV (Closed-Circuit Television) is a physical security control because it involves cameras and recording equipment that monitor and deter physical access to facilities. It is a detective and deterrent control that operates in the physical domain, not the logical or network domain.

Exam trap

The trap here is that candidates confuse 'security control' with 'security technology' and fail to distinguish between physical (tangible) and logical (digital) controls, leading them to select IDS or firewall as physical controls.

3
MCQ · hard

A company has a backup policy that performs a full backup every Sunday and incremental backups on other days. On Wednesday, a server fails. How many backup sets are needed to restore the server to its state on Tuesday night?

A. One
B. Two
C. Four
D. Three
Answer: D

You need Sunday's full backup, Monday's incremental, and Tuesday's incremental to restore to Tuesday night.

Why this answer

To restore the server to its state on Tuesday night, you need the full backup from Sunday and the incremental backups from Monday and Tuesday. Incremental backups only capture changes since the last backup (full or incremental), so you must restore them in sequence: full backup first, then Monday's incremental, then Tuesday's incremental. This requires three backup sets total, making option D correct.

Exam trap

The trap here is confusing incremental backups with differential backups; candidates often think two sets are enough (full + latest incremental) or miscount the days, leading them to choose option B or C instead of recognizing the sequential dependency of incremental chains.

How to eliminate wrong answers

Option A is wrong because a single backup set cannot restore the state after multiple days of changes; only the full backup alone would restore Sunday's state, not Tuesday's. Option B is wrong because two backup sets would only cover the full backup and one incremental, missing the changes from the other day (e.g., full + Monday would miss Tuesday's changes). Option C is wrong because four backup sets would be needed only if the policy used differential backups (which accumulate all changes since the last full backup) or if there were additional days; with incremental backups, the number of sets equals the number of days since the last full backup plus one (the full), which is three for Tuesday.

4
MCQ · easy

Which backup type copies all data that has changed since the last full backup, regardless of subsequent backups?

A. Incremental backup
B. Snapshot backup
C. Differential backup
D. Full backup
Answer: C

Copies changes since the last full backup.

Why this answer

A differential backup copies all data that has changed since the last full backup, regardless of any intermediate backups. This means each differential backup grows in size as it accumulates all changes made since the last full backup, making it distinct from incremental backups which only capture changes since the last backup of any type.

Exam trap

Cisco often tests the distinction that differential backups grow over time because they accumulate all changes since the last full backup, while incremental backups are smaller but require a chain of backups for restoration.

How to eliminate wrong answers

Option A is wrong because an incremental backup copies only data that has changed since the last backup (whether full or incremental), not since the last full backup. Option B is wrong because a snapshot backup captures the state of a system at a point in time using copy-on-write technology, not by tracking changes since a full backup. Option D is wrong because a full backup copies all selected data regardless of change status, not just data that has changed since a previous backup.

5
MCQ · medium

A security analyst notices multiple failed login attempts on a critical server followed by a successful login from an unusual IP address. Which metric would BEST capture this event?

A. Patch compliance
B. Training completion
C. Mean time to detect (MTTD)
D. Incident count
Answer: D

The failed and successful login attempts from an unusual IP indicate a potential security incident.

Why this answer

The incident count metric directly captures the occurrence of a security event—multiple failed logins followed by a successful login from an unusual IP—as a discrete security incident. This metric is used to track the number of such events over time, enabling trend analysis and resource allocation for incident response. It is the most appropriate measure for logging and reporting this specific sequence of authentication anomalies.

Exam trap

The trap here is that candidates confuse 'incident count' with 'mean time to detect' (MTTD), thinking MTTD captures the event itself, when in fact MTTD is a performance metric for detection speed, not a count of occurrences.

How to eliminate wrong answers

Option A is wrong because patch compliance measures the percentage of systems with up-to-date security patches, which does not capture real-time authentication events like failed or successful logins. Option B is wrong because training completion tracks whether users have finished security awareness courses, not the detection or occurrence of login anomalies. Option C is wrong because mean time to detect (MTTD) measures the average time between an incident's start and its discovery, not the event itself; it would be used after the incident is identified, not to capture the initial occurrence.

6
MCQ · medium

A security administrator is evaluating backup strategies for a critical database with a recovery time objective (RTO) of 4 hours and a recovery point objective (RPO) of 1 hour. Which backup approach best meets these requirements?

A. Weekly full backups and daily differential backups
B. Weekly full backups and hourly incremental backups
C. Monthly full backups and weekly incremental backups
D. Daily full backups with no incremental backups
Answer: B

Hourly incremental backups meet the 1-hour RPO, and the weekly full backup ensures a baseline for recovery within the 4-hour RTO.

Why this answer

Option B is correct because hourly incremental backups ensure that data loss is limited to at most one hour (meeting the 1-hour RPO), while the weekly full backup combined with the incremental chain allows restoration within the 4-hour RTO, assuming the restore process is optimized. Incremental backups capture only changes since the last backup, reducing storage and backup time, which is critical for meeting tight RPOs.

Exam trap

The trap here is that candidates often confuse differential backups (which capture all changes since the last full backup) with incremental backups (which capture changes since the last backup of any type), leading them to choose daily differentials without realizing the RPO would be 24 hours, not 1 hour.

How to eliminate wrong answers

Option A is wrong because daily differential backups grow in size each day and, combined with a weekly full, the restore time can exceed 4 hours if the last differential is large, and the RPO is up to 24 hours (not 1 hour). Option C is wrong because monthly full backups with weekly incremental backups result in an RPO of up to 7 days, far exceeding the 1-hour requirement, and restore time would be excessive due to the long incremental chain. Option D is wrong because daily full backups provide an RPO of up to 24 hours, which violates the 1-hour RPO, and the backup window and storage overhead are impractical for a critical database.

7
MCQ · medium

An employee is leaving the company. As part of the offboarding process, which action should be taken regarding the hardware assigned to the employee?

A. Keep the hardware in storage indefinitely
B. Sanitise the hard drive and then dispose or reassign
C. Recycle the hardware without any data removal
D. Reassign the hardware to a new employee without wiping
Answer: B

Sanitisation ensures data is irretrievably removed before reuse or disposal.

Why this answer

Media handling policies require that portable media be sanitised before disposal to prevent data leakage. Hard drives should be wiped or destroyed.

8
MCQ · medium

An organization wants to ensure that sensitive data on laptops is protected in case of loss or theft. Which control is MOST effective?

A. Full disk encryption
B. Strong password policy
C. Asset tracking software
D. Remote wiping capability
Answer: A

Encryption renders data inaccessible without the key, protecting against physical theft.

Why this answer

Full disk encryption (FDE) is the most effective control because it renders data unreadable at rest on the entire drive, including the operating system, swap files, and temporary files. Without the decryption key (e.g., a pre-boot PIN or TPM-bound key), an attacker cannot access any data even if the laptop is physically removed. This directly addresses the threat of data exposure from loss or theft, unlike controls that only limit access or track the device.

Exam trap

The trap here is that candidates often choose remote wiping (D) because it seems proactive, but they overlook the critical requirement that the device must be online and powered on to execute the wipe, whereas full disk encryption protects data even if the device is never turned on again.

How to eliminate wrong answers

Option B (Strong password policy) is wrong because it only protects against unauthorized login attempts; if the attacker bypasses the OS (e.g., by booting from a live USB or removing the hard drive), the data is fully accessible without decryption. Option C (Asset tracking software) is wrong because it only helps locate or recover the laptop after loss, but does not prevent data exposure if the device is stolen and the hard drive is removed or imaged. Option D (Remote wiping capability) is wrong because it relies on the laptop being powered on and connected to a network to receive the wipe command; if the thief immediately disconnects the device or removes the drive, the data remains intact and accessible.

9
MCQ · hard

During a physical security audit, it is discovered that employees often prop open the mantrap door to allow easier access. What is the BEST control to address this?

A. Implement a clean desk policy
B. Add a time-delay alarm that triggers if the door is open too long
C. Install a CCTV camera to monitor the mantrap
D. Use biometric readers on both doors
Answer: B

Correct. This discourages propping and alerts security.

Why this answer

A time-delay alarm is the best control because it directly addresses the root cause—employees propping the door open—by alerting security or triggering a response if the door remains open beyond a preset interval (e.g., 10–30 seconds). This maintains the integrity of the mantrap, which is designed to prevent tailgating and unauthorized access by ensuring only one person enters at a time. Unlike passive measures, the alarm provides immediate feedback and deterrence against the unsafe behavior.

Exam trap

Cisco often tests the distinction between detective controls (CCTV) and preventive/deterrent controls (alarms), leading candidates to choose CCTV because it seems like a comprehensive solution, but it fails to actively stop the unsafe behavior in real time.

How to eliminate wrong answers

Option A is wrong because a clean desk policy addresses information security (e.g., preventing sensitive documents from being left out), not physical access control or the mantrap door being propped open. Option C is wrong because installing a CCTV camera only provides passive monitoring and retrospective evidence; it does not actively prevent or deter employees from propping the door open in real time. Option D is wrong because biometric readers on both doors enhance authentication but do not solve the behavioral issue of holding the door open; the mantrap's function still fails if a door is physically propped.

10
MCQ · hard

A change request to update a critical database server has been approved by the Change Advisory Board (CAB). During testing, a major compatibility issue is discovered. What is the best course of action?

A. Report the issue to the CAB and request a revised change
B. Reject the change request and close it permanently
C. Implement the change but have a rollback plan ready
D. Proceed with the change and resolve the issue after implementation
Answer: A

Proper change management requires CAB approval for revised changes.

Why this answer

The change should be halted and the CAB reconvened to reassess the change given the new information.

11
MCQ · easy

An organization's security policy prohibits employees from sharing passwords. What type of policy is this?

A. Data Handling Policy
B. Password Policy
C. Remote Access Policy
D. Acceptable Use Policy (AUP)
Answer: D

Correct. AUP defines acceptable and unacceptable use of organizational resources, including password sharing.

Why this answer

The Acceptable Use Policy (AUP) defines the rules and guidelines for using an organization's IT resources, including prohibited behaviors like password sharing. This policy sets the overall acceptable behavior framework, whereas a Password Policy specifically governs password creation, complexity, and rotation rules, not the act of sharing. Therefore, a prohibition on sharing passwords falls under the AUP because it addresses user conduct rather than technical password parameters.

Exam trap

Cisco often tests the distinction between a Password Policy (technical rules for password creation) and an Acceptable Use Policy (behavioral rules for password usage), leading candidates to mistakenly choose Password Policy when the question focuses on prohibited conduct rather than technical specifications.

How to eliminate wrong answers

Option A is wrong because a Data Handling Policy governs how data is classified, stored, transmitted, and disposed of, not user authentication behaviors like password sharing. Option B is wrong because a Password Policy specifies technical requirements such as minimum length, complexity, and expiration intervals (e.g., NIST SP 800-63B guidelines), but does not typically address the behavioral prohibition of sharing passwords. Option C is wrong because a Remote Access Policy controls the methods and conditions for connecting to the network from external locations (e.g., VPN protocols, multi-factor authentication), not the internal conduct of password sharing.

12
MCQ · hard

A vulnerability scan identifies a critical vulnerability on a web server with a CVSS score of 9.8. The server hosts a public-facing application. However, the patch would require a reboot that would cause downtime during business hours. What should the security administrator do FIRST?

A. Assess the risk and implement compensating controls if possible
B. Schedule the patch for the next maintenance window without further analysis
C. Apply the patch immediately during business hours
D. Document the exception and ignore the vulnerability
Answer: A

Perform risk assessment to determine if the vulnerability can be mitigated via other controls (e.g., WAF) or if downtime is necessary.

Why this answer

The first step is to assess the risk and prioritise based on exploitability and asset criticality. A CVSS 9.8 vulnerability is critical, so immediate action is needed, but the administrator should evaluate compensating controls before applying the patch.

13
MCQ · medium

During a security audit, it is found that several employees have written their passwords on sticky notes attached to their monitors. Which policy is being violated?

A. Social Media Policy
B. Clean Desk Policy
C. Data Handling Policy
D. Password Policy
Answer: B

Requires clearing desks of sensitive items.

Why this answer

A clean desk policy requires that sensitive information, including passwords, be secured and not left visible.

14
MCQ · medium

A change request to update a firewall rule has been submitted. After impact assessment, the change is approved by the Change Advisory Board (CAB). What is the NEXT step in the change management process?

A. Perform post-implementation review
B. Develop a rollback plan
C. Implement the change in production
D. Test the change in a staging environment
Answer: D

Testing in a non-production environment helps identify issues before deployment.

Why this answer

After CAB approval, the next step is to test the change in a staging environment that mirrors production. This validates that the firewall rule change does not introduce security gaps or performance issues before deployment. Testing in staging ensures the rule syntax, order, and interaction with existing rules are correct, preventing unintended access or denial of service.

Exam trap

The trap here is that candidates confuse the order of steps, thinking CAB approval immediately leads to production implementation, but the correct sequence requires testing in a staging environment first to validate the change.

How to eliminate wrong answers

Option A is wrong because a post-implementation review occurs after the change is deployed, not before implementation. Option B is wrong because developing a rollback plan is part of the planning phase, typically done before CAB approval, not after. Option C is wrong because implementing directly in production without prior testing in a staging environment violates change management best practices and could cause network outages or security breaches.

15
MCQ · easy

A company wants to ensure that employees understand the proper use of corporate email and internet. Which policy should they implement?

A. Data Handling Policy
B. Remote Access Policy
C. Acceptable Use Policy
D. Password Policy
Answer: C

Defines acceptable use of IT resources.

Why this answer

An Acceptable Use Policy (AUP) defines the rules and guidelines for using corporate IT resources, including email and internet. It specifies permitted and prohibited activities, such as personal browsing, sending sensitive data, or accessing inappropriate content, ensuring employees understand their responsibilities. This policy directly addresses the company's goal of educating employees on proper usage, unlike other policies that focus on data classification, remote connectivity, or authentication.

Exam trap

Cisco often tests the distinction between policies that are broad (like AUP) versus those that are narrowly focused on specific technical controls (like password or remote access), leading candidates to confuse a general usage guideline with a security control policy.

How to eliminate wrong answers

Option A is wrong because a Data Handling Policy governs how data is classified, stored, transmitted, and disposed of, not the general use of email and internet by employees. Option B is wrong because a Remote Access Policy specifies requirements for connecting to the corporate network from external locations (e.g., VPN protocols, multi-factor authentication), not day-to-day email and internet usage. Option D is wrong because a Password Policy defines password complexity, rotation, and management rules, not acceptable behaviors for email and internet use.

16
MCQ · easy

What is the primary purpose of a baseline configuration in configuration management?

A. To provide a consistent, secure starting point for systems
B. To store configuration items in the CMDB
C. To detect malware infections
D. To track software licenses
Answer: A

Correct. Baselines ensure systems are hardened and consistent.

Why this answer

A baseline configuration in configuration management defines a known, secure, and consistent state for a system at a specific point in time. This baseline serves as the foundation for all subsequent changes, ensuring that systems are deployed with hardened settings and that any deviations can be detected and remediated. It directly supports security operations by enforcing minimum security standards and simplifying compliance auditing.

Exam trap

Cisco often tests the distinction between a baseline configuration (the desired secure state) and the CMDB (the database that stores configuration items), so candidates mistakenly select the CMDB option because they confuse the repository with the purpose of the baseline itself.

How to eliminate wrong answers

Option B is wrong because storing configuration items in the CMDB is a function of the Configuration Management Database, not the purpose of a baseline configuration; a baseline is a snapshot of configuration items, not the storage repository itself. Option C is wrong because detecting malware infections is the role of antivirus or endpoint detection and response (EDR) tools, not a baseline configuration; while a baseline can help identify unauthorized changes that may indicate malware, its primary purpose is not detection. Option D is wrong because tracking software licenses is a function of license management or asset management tools, not the primary purpose of a baseline configuration; baselines focus on system settings and security posture, not license compliance.

17
MCQ · medium

A company uses a backup strategy that backs up all data every Sunday and backs up only data that has changed since the last full backup on other days. This is an example of which backup type?

A. Full backup
B. Differential backup
C. Copy backup
D. Incremental backup
Answer: B

Differential backs up changes since the last full backup.

Why this answer

The described strategy backs up all data on Sunday (a full backup) and then on other days backs up only data that has changed since the last full backup. This is the defining characteristic of a differential backup: it always references the most recent full backup, not the previous day's backup. Unlike incremental backups, differential backups do not reset the archive bit after each run, so each differential backup grows in size until the next full backup.

Exam trap

The trap here is confusing 'changed since the last full backup' (differential) with 'changed since the last backup' (incremental), causing candidates to mistakenly select incremental backup when the key phrase 'since the last full backup' clearly indicates differential.

How to eliminate wrong answers

Option A is wrong because a full backup backs up all data every time, not just on Sundays with changes-only on other days. Option C is wrong because a copy backup backs up selected files without clearing the archive bit, but it does not follow a schedule of full-then-changes-only; it is a one-off copy. Option D is wrong because an incremental backup backs up only data changed since the last backup (full or incremental), not since the last full backup; it resets the archive bit after each run, resulting in smaller daily backups that require all previous incrementals to restore.

18
Multi-Select · medium

A security administrator is selecting security metrics for the organization. Which TWO metrics are most useful for measuring the effectiveness of patching? (Select TWO)

A. Help desk ticket volume
B. Number of security incidents
C. Average time to patch critical vulnerabilities
D. Number of users trained
E. Patch compliance rate
Answers: C, E

Measures speed of remediation.

Why this answer

Average time to patch critical vulnerabilities (Mean Time to Patch, MTTP) directly measures the speed of remediation, which is a key indicator of patching effectiveness. Patch compliance rate quantifies the percentage of systems that have the required patches installed, reflecting coverage and adherence to policy. Both metrics provide actionable data on the patching process's efficiency and completeness.

Exam trap

The trap here is that candidates often confuse 'number of security incidents' (a reactive, outcome-based metric) with a proactive patching metric, or they mistakenly think 'help desk ticket volume' reflects patching problems rather than user support load.

19
MCQ · easy

Which of the following is the correct order of steps in the change management process?

A. Change request, impact assessment, CAB approval, testing, implementation, post-implementation review
B. Change request, CAB approval, impact assessment, testing, implementation, post-implementation review
C. Impact assessment, change request, CAB approval, testing, implementation, post-implementation review
D. Change request, testing, impact assessment, CAB approval, implementation, post-implementation review
Answer: A

This sequence follows the typical change management workflow.

Why this answer

The standard change management process begins with submitting a change request, followed by impact assessment, CAB approval, testing, implementation, and finally post-implementation review.

20
MCQ · hard

During a post-implementation review of a change, it is discovered that the change introduced a configuration deviation from the baseline. The deviation was not detected during testing. What is the BEST way to prevent this in the future?

A. Increase the number of testers
B. Require CAB approval for all future changes
C. Implement automated configuration scanning in the staging environment
D. Use a different change management process
Answer: C

Automated scanning can detect deviations from the baseline before implementation.

Why this answer

Configuration management includes automated scanning (e.g., SCAP) to detect deviations. Implementing such scans in the staging environment would catch deviations before production.

21
MCQ · medium

A company is implementing a new access control system for its data center. Which physical security control is best for preventing tailgating?

A. Mantrap
B. Biometric reader
C. Security guard
D. CCTV cameras
Answer: A

Two-door system prevents tailgating.

Why this answer

A mantrap is specifically designed to prevent tailgating by using a small vestibule with two interlocking doors. Only one door can open at a time, and the system typically requires authentication (e.g., badge or biometric) to proceed, ensuring that only one authorized person enters per cycle. This physical barrier directly blocks unauthorized individuals from following an authorized user through a single entry point.

Exam trap

Cisco often tests the distinction between preventive and detective controls; the trap here is that candidates confuse surveillance (CCTV) or authentication (biometrics) with active physical prevention, leading them to overlook the mantrap as the only option that mechanically blocks tailgating.

How to eliminate wrong answers

Option B is wrong because a biometric reader authenticates identity but does not physically prevent multiple people from entering together; tailgating can still occur if an authorized user opens the door and an unauthorized person follows. Option C is wrong because while a security guard can deter tailgating, they are not a mechanical or automated control and can be distracted, overwhelmed, or bypassed, making them less reliable than a mantrap. Option D is wrong because CCTV cameras only provide surveillance and recording of tailgating incidents after they occur; they do not actively prevent the act of tailgating in real time.

22
MCQ · medium

A security administrator is reviewing log files and notices that a user logged in at 3:00 AM from an IP address in a foreign country. The user's manager confirms the user is not authorized for remote access. Which type of policy has likely been violated?

A. Remote access policy
B. Data handling policy
C. Password policy
D. Acceptable use policy (AUP)
Answer: A

The policy governs remote connections; unauthorized remote access is a direct violation.

Why this answer

The scenario describes a user logging in from an unauthorized location (foreign country) at an unusual time (3:00 AM) without remote access authorization. This directly violates the remote access policy, which defines who can connect remotely, from where, and under what conditions. The policy typically specifies allowed authentication methods (e.g., VPN with multi-factor authentication), permitted IP ranges, and time-of-day restrictions to prevent unauthorized external connections.

Exam trap

Cisco often tests the distinction between an Acceptable Use Policy (AUP) and a Remote Access Policy, where candidates mistakenly choose AUP because it sounds broad, but the specific violation here is about unauthorized remote connectivity, not general misuse of resources.

How to eliminate wrong answers

Option B (Data handling policy) is wrong because it governs how data is classified, stored, transmitted, and disposed of, not the conditions under which remote logins occur. Option C (Password policy) is wrong because it specifies password complexity, expiration, and reuse rules, not the authorization for remote access or geographic restrictions. Option D (Acceptable use policy) is wrong because it defines permissible activities on company resources (e.g., browsing, email usage), not the specific rules for remote connectivity or location-based access control.

23
MCQ · medium

A security metric tracking the percentage of systems with critical patches applied within 48 hours is an example of which type of metric?

A. Service level agreement (SLA)
B. Key performance indicator (KPI)
C. Control objective
D. Key risk indicator (KRI)
Answer: B

KPIs track the effectiveness of processes like patch management.

Why this answer

A key performance indicator (KPI) measures the performance of a process or activity. Patch compliance rates are common KPIs for patch management, indicating how well the organization is meeting patching objectives.

24
MCQ · medium

An organization's security policy requires that all portable media containing sensitive data be encrypted. Which type of control does this requirement represent?

A. Detective control
B. Administrative control
C. Technical control
D. Physical control
Answer: B

Policies are administrative controls that guide behavior and define requirements.

Why this answer

This requirement is an administrative control because it is a policy mandate that defines rules and procedures for handling sensitive data. Administrative controls are management directives, such as security policies, standards, and guidelines, that govern behavior and processes. The encryption itself is a technical control, but the requirement to encrypt is a policy statement, which falls under administrative controls.

Exam trap

Cisco often tests the distinction between the policy (administrative control) and the technology that enforces it (technical control), leading candidates to mistakenly select 'Technical control' because they focus on the encryption mechanism rather than the requirement itself.

How to eliminate wrong answers

Option A is wrong because detective controls are designed to identify and alert on security incidents after they occur (e.g., audit logs, intrusion detection systems), not to mandate encryption. Option C is wrong because technical controls are the actual mechanisms (e.g., BitLocker, AES-256 encryption software) that enforce the policy, not the policy requirement itself. Option D is wrong because physical controls protect assets through tangible means (e.g., locks, guards, safes), not through policy directives about data encryption.

25
MCQeasy

Which physical security control is designed to prevent tailgating by allowing only one person to enter at a time?

A.CCTV camera
B.Security guard
C.Biometric reader
D.Mantrap
AnswerD

Correct. A mantrap is specifically designed to prevent tailgating.

Why this answer

A mantrap is a small room with two doors where the first door must close before the second opens, preventing tailgating.

26
MCQhard

An organization uses a mantrap at its main entrance. An employee badges in, enters the first door, but then the second door fails to open. What should the employee do?

A.Return through the first door
B.Use the intercom to contact security
C.Force the second door open
D.Wait for someone to open from the other side
AnswerB

Proper procedure to get assistance without compromising security.

Why this answer

The employee should not attempt to force the door; instead, they should use the intercom to contact security for assistance.

27
Multi-Selectmedium

Which TWO of the following are key components of a configuration management database (CMDB)? (Select TWO)

Select 2 answers
A.Password hashes
B.Change request approvals
C.Relationships between configuration items
D.Incident tickets
E.Hardware inventory details such as serial numbers
AnswersC, E

CMDB tracks dependencies and relationships between CIs.

Why this answer

A CMDB is a repository that stores information about configuration items (CIs) and their relationships. Option C is correct because relationships between CIs are fundamental to understanding how changes affect the IT infrastructure. Option E is correct because hardware inventory details like serial numbers are typical attributes stored for each CI, enabling asset tracking and impact analysis.

Exam trap

The trap here is confusing the CMDB with other ITIL processes or data stores, leading candidates to select change request approvals (a change management artifact) or incident tickets (an incident management artifact) as CMDB components, when they are separate records linked to CIs but not stored within the CMDB itself.
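
A worked illustration of why the relationships between CIs are the part of a CMDB that makes change impact analysis possible. This is an added example, not code from the question bank or from any CMDB product: the configuration items, their serial numbers, the owners and the depends_on edges are all constructed, and the breadth-first walk over the reverse dependency graph is the generic technique.

```python
from collections import deque

# Constructed CMDB extract: CI attributes (the hardware inventory detail the
# question refers to) plus directed "depends on" relationships between CIs.
CIS = {
    "sw-core":  {"type": "switch",  "serial": "SN-CONSTRUCTED-001", "owner": "network"},
    "san-a":    {"type": "storage", "serial": "SN-CONSTRUCTED-002", "owner": "infra"},
    "web01":    {"type": "server",  "serial": "SN-CONSTRUCTED-003", "owner": "platform"},
    "db02":     {"type": "server",  "serial": "SN-CONSTRUCTED-004", "owner": "data"},
    "payroll":  {"type": "service", "owner": "finance"},
    "intranet": {"type": "service", "owner": "it"},
}

# CI -> the CIs it depends on (edges point downward, toward infrastructure).
DEPENDS_ON = {
    "payroll":  ["web01", "db02"],
    "intranet": ["web01"],
    "web01":    ["sw-core"],
    "db02":     ["san-a", "sw-core"],
    "san-a":    ["sw-core"],
}


def dependents_of(ci):
    """Reverse lookup: every CI that directly depends on `ci`."""
    return [parent for parent, deps in DEPENDS_ON.items() if ci in deps]


def impacted_by_change(ci):
    """Breadth-first walk up the dependency graph from the CI being changed.

    Returns every CI that transitively depends on `ci`, i.e. everything a
    change to (or outage of) `ci` can affect. Sorted for stable output.
    """
    if ci not in CIS:
        raise KeyError(f"unknown configuration item: {ci}")
    seen, queue = set(), deque([ci])
    while queue:
        current = queue.popleft()
        for parent in dependents_of(current):
            if parent not in seen:        # also guards against cycles in bad data
                seen.add(parent)
                queue.append(parent)
    return sorted(seen)


def impacted_services(ci):
    """The business-facing subset of the impact, which is what a CAB wants to see."""
    return [c for c in impacted_by_change(ci) if CIS[c]["type"] == "service"]


def impact_report(ci):
    """Human-readable summary suitable for attaching to a change record."""
    lines = [f"Change to {ci} ({CIS[ci]['type']}, serial {CIS[ci].get('serial', 'n/a')})"]
    for affected in impacted_by_change(ci):
        lines.append(f"  affects {affected} (owner: {CIS[affected]['owner']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(impact_report("san-a"))
    print(impact_report("sw-core"))
```

Without the DEPENDS_ON edges the CMDB is just an inventory: it can tell you the serial number of san-a but not that touching it takes payroll down. The walk is what turns the stored attributes into an impact assessment, and the owner fields tell the change manager who must be notified.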

28
MCQeasy

A security administrator is implementing a policy that requires all employees to use a password manager and enable multi-factor authentication. This policy is BEST described as a:

A.Data handling policy
B.Password policy
C.Social media policy
D.Remote access policy
AnswerB

A password policy defines rules for password creation, management, and authentication, including multi-factor authentication.

Why this answer

The policy requires all employees to use a password manager and enable multi-factor authentication, which directly governs the creation, storage, and authentication strength of user credentials. This is the core function of a password policy, as reflected in control frameworks such as NIST SP 800-53 (IA-5, Authenticator Management) and ISO/IEC 27001:2013 Annex A.9.4.3 (Password management system). It specifically addresses password complexity, rotation, and MFA enforcement, not data classification or access methods.

Exam trap

The trap here is that candidates confuse a password policy (which includes MFA as an authentication control) with a remote access policy, because MFA is often associated with VPN logins, but the question explicitly states it applies to all employees, not just remote workers.

How to eliminate wrong answers

Option A is wrong because a data handling policy governs how data is classified, stored, transmitted, and disposed of (e.g., encryption at rest, data retention schedules), not the authentication credentials used to access systems. Option C is wrong because a social media policy regulates employee behavior on public platforms (e.g., posting confidential information, representing the company), not internal authentication mechanisms. Option D is wrong because a remote access policy defines the methods and controls for connecting to the corporate network from external locations (e.g., VPN protocols, split tunneling), not the password and MFA requirements that apply to all access, including local.

29
Multi-Selecteasy

A security administrator is designing physical security for a high-security area. Which TWO controls are most effective for preventing unauthorized entry? (Select TWO)

Select 2 answers
A.Biometric reader
B.Visitor log
C.Clean desk policy
D.Mantrap
E.Screen locks
AnswersA, D

Unique identification prevents unauthorized access.

Why this answer

Biometric readers and mantraps provide strong authentication and access control.

30
Multi-Selectmedium

A company is implementing a change management process. Which THREE elements are essential for every change request? (Select THREE)

Select 3 answers
A.Description of the change
B.Impact assessment
C.Rollback plan
D.Employee performance review
E.Budget approval
AnswersA, B, C

Necessary to understand what is being changed.

Why this answer

A description of the change is essential because it provides a clear, documented account of what will be modified, including the systems, configurations, or procedures affected; without it the change cannot be properly reviewed, approved, or audited, which violates the principle of change traceability. An impact assessment is essential because it identifies which services, dependencies, and security controls the change touches, so the approver can weigh the risk and schedule the change appropriately. A rollback plan is essential because it defines, before anything is touched, how to return to the last known-good state if the change fails, so recovery does not depend on improvisation during an outage.

Exam trap

The trap here is that candidates confuse 'essential change request elements' with general business processes like HR reviews or financial approvals, but the SSCP focuses strictly on technical and operational controls for security and stability.

31
MCQeasy

A security awareness training program is being developed. Which topic is most important to include to reduce the risk of credential theft?

A.Proper use of social media
B.Physical security procedures
C.Recognizing phishing attempts
D.Data backup procedures
AnswerC

Phishing is a common vector for credential theft.

Why this answer

Phishing is the primary vector for credential theft, as attackers use deceptive emails or messages to trick users into revealing usernames and passwords. Training users to recognize phishing attempts—such as spoofed sender addresses, suspicious URLs, and urgent language—directly mitigates this risk by preventing credential disclosure at the point of attack. Unlike other topics, phishing awareness specifically targets the social engineering techniques most commonly used to steal credentials.

Exam trap

The trap here is that candidates may choose physical security procedures (Option B) because they associate credential theft with stolen hardware, but the SSCP exam emphasizes that the most common and effective method of credential theft is phishing, not physical access.

How to eliminate wrong answers

Option A is wrong because proper use of social media, while important for privacy, does not directly address credential theft; attackers typically harvest credentials through phishing rather than social media posts. Option B is wrong because physical security procedures, such as locking doors or securing badges, protect against physical theft of devices or documents but do not prevent remote phishing attacks that steal credentials via email or web forms. Option D is wrong because data backup procedures focus on recovering from data loss due to ransomware or hardware failure, not on preventing the initial compromise of credentials through social engineering.

32
Multi-Selectmedium

An organization is implementing a software inventory management process. Which TWO of the following should be tracked for each software asset?

Select 2 answers
A.License type and number of licenses
B.Physical location of the installed software
C.Version and patch level
D.Serial number of the installation media
E.Name of the user who installed it
AnswersA, C

License tracking ensures compliance with vendor agreements.

Why this answer

License type and number of licenses are critical for ensuring compliance with software licensing agreements and avoiding legal or financial penalties. Tracking these allows the organization to verify that the number of installed copies does not exceed the purchased licenses, which is a core requirement of software asset management (SAM). Version and patch level are equally critical because vulnerability management depends on them: an inventory that cannot say which version of a component is installed on which host cannot tell you which hosts are exposed when a new vulnerability is published, nor confirm that a patch actually landed.

Exam trap

Cisco often tests the distinction between physical asset tracking (e.g., hardware serial numbers) and logical software inventory attributes, leading candidates to mistakenly select the serial number of installation media as a tracked item.

33
Multi-Selecthard

A security administrator is implementing physical security for a data center. Which THREE of the following controls should be included to provide layered security?

Select 3 answers
A.Mantrap at the main entrance
B.Screen locks on all workstations
C.CCTV monitoring of all entry points
D.Clean desk policy for employees
E.Biometric readers on server room doors
AnswersA, C, E

Mantraps prevent tailgating and control entry.

Why this answer

A mantrap is a physical security control that uses a small room with two interlocking doors to prevent tailgating and unauthorized entry. It ensures that only one authenticated person can pass through at a time, providing a critical layer of defense at the main entrance of a data center. CCTV monitoring of all entry points adds a detective layer that records who entered and when, supporting investigation when a preventive control is bypassed. Biometric readers on server room doors add a second preventive layer inside the perimeter, so someone who gets through the lobby still cannot reach the equipment. Together the three illustrate defense in depth: prevention at the perimeter, detection across it, and stronger prevention around the most sensitive area.

Exam trap

The trap here is that candidates confuse administrative or logical controls (like screen locks or clean desk policies) with physical security controls, which must be tangible barriers or detection systems that protect the facility's perimeter and access points.

34
MCQeasy

A security administrator is drafting an acceptable use policy (AUP). Which of the following should be included to address the use of personal devices for work purposes?

A.Procedures for data backup and recovery
B.Requirements for password complexity and multifactor authentication
C.Guidelines for responding to security incidents
D.A list of approved social media platforms
AnswerB

The AUP should define security requirements for personal devices, such as password complexity and MFA, to ensure they meet organizational security standards.

Why this answer

An acceptable use policy (AUP) for personal devices (BYOD) must include authentication requirements like password complexity and multifactor authentication to ensure that only authorized users can access corporate resources from potentially untrusted endpoints. This directly addresses the security risk of unauthorized access via personal devices, which is a primary concern in BYOD environments.

Exam trap

The trap here is that candidates confuse the AUP with broader security policies like incident response or data backup, but the AUP specifically governs user behavior and access controls, not operational procedures.

How to eliminate wrong answers

Option A is wrong because data backup and recovery procedures belong in a disaster recovery or data retention policy, not in an AUP focused on acceptable use of personal devices. Option C is wrong because incident response guidelines are part of an incident response plan (IRP), not an AUP, which defines user behavior rather than post-incident actions. Option D is wrong because listing approved social media platforms is a social media policy detail, not a core element of an AUP for personal device usage, which focuses on security controls like authentication and device management.

35
MCQhard

An organization wants to ensure that servers are configured securely before deployment. They plan to use a hardened operating system image and regularly scan for deviations using SCAP. Which concept does this represent?

A.Change management
B.Asset management
C.Configuration management
D.Patch management
AnswerC

Configuration management involves establishing and maintaining baseline configurations and detecting deviations.

Why this answer

C is correct because configuration management involves establishing and maintaining consistent baseline configurations for systems, such as using a hardened OS image, and then monitoring for deviations using tools like SCAP (Security Content Automation Protocol). SCAP enables automated vulnerability scanning and compliance checking against defined security baselines, ensuring servers remain in a known secure state before and after deployment.

Exam trap

The trap here is that candidates confuse configuration management with patch management, thinking that scanning for deviations always means checking for missing patches, when in fact SCAP scans assess a wide range of configuration settings (e.g., registry keys, file permissions, service states) beyond just patch levels.

How to eliminate wrong answers

Option A is wrong because change management focuses on controlling and documenting changes to systems after deployment, not on establishing a secure baseline image or scanning for deviations from that baseline. Option B is wrong because asset management deals with tracking and inventorying hardware and software assets throughout their lifecycle, not with enforcing secure configurations or scanning for compliance. Option D is wrong because patch management specifically addresses the application of software updates to fix vulnerabilities, whereas the scenario describes using a hardened image and SCAP scanning for configuration deviations, which is broader than patching.

36
Multi-Selecteasy

Which THREE of the following are examples of security awareness training topics?

Select 3 answers
A.How to apply patches to servers
B.Recognizing phishing emails
C.Configuring firewall rules
D.Physical security best practices (e.g., locking screens)
E.Social engineering tactics
AnswersB, D, E

Phishing recognition is a core awareness topic.

Why this answer

Option B is correct because recognizing phishing emails is a core security awareness training topic that teaches users to identify social engineering attempts, such as spoofed sender addresses, suspicious links, and urgent language. This training reduces the risk of credential theft and malware installation, which are common attack vectors in organizations. Option D is correct because everyday physical habits such as locking an unattended screen or not propping open a secured door are behaviors every employee controls, not technical tasks. Option E is correct because understanding social engineering tactics (pretexting, baiting, impersonation of IT support or executives) prepares users to refuse requests that bypass normal procedure, whatever channel they arrive on.

Exam trap

The trap here is that candidates confuse technical administration tasks (patching, firewall configuration) with awareness-level training, which is designed for all employees and focuses on behavioral change rather than technical skills.

37
MCQhard

An organization wants to ensure that all new servers are deployed with a hardened baseline configuration. Which of the following is the most effective control to enforce this?

A.Requiring post-deployment security reviews for each server
B.Using a configuration management tool to deploy a hardened image automatically
C.Requiring administrators to manually apply CIS benchmarks after installation
D.Performing periodic vulnerability scans on all servers
AnswerB

Automated deployment ensures every server starts from a known hardened baseline.

Why this answer

Option B is correct because using a configuration management tool (e.g., Ansible, Puppet, Chef) to deploy a hardened image automatically ensures that every new server is built from a pre-defined, secure baseline without relying on manual steps. This enforces consistency and prevents configuration drift from the moment of deployment, which is the most effective control for ensuring compliance with hardening standards.

Exam trap

The trap here is that candidates often choose post-deployment reviews or vulnerability scans because they seem like thorough security measures, but the question specifically asks for the most effective control to *enforce* a hardened baseline, which requires a preventive, automated approach rather than a reactive or manual one.

How to eliminate wrong answers

Option A is wrong because post-deployment security reviews are reactive and do not prevent insecure configurations from being deployed; they only identify issues after the fact. Option C is wrong because requiring administrators to manually apply CIS benchmarks after installation introduces human error and inconsistency, and it does not guarantee that hardening is applied before the server is placed into production. Option D is wrong because periodic vulnerability scans detect existing weaknesses but do not enforce a hardened baseline at deployment time; they are a detective control, not a preventive one.

38
MCQhard

A company is implementing a new patch management process. After scanning for missing patches, the team must prioritize which patches to apply first. Which combination of factors is most critical for prioritization?

A.CVSS score and asset criticality
B.Number of systems affected and patch size
C.Age of the patch and vendor reputation
D.Cost of the patch and availability of workarounds
AnswerA

CVSS score indicates vulnerability severity, and asset criticality determines business impact. Together, they provide a risk-based priority.

Why this answer

Patch prioritization should consider both the severity of the vulnerability (CVSS score) and the criticality of the asset being patched. A high CVSS score on a critical asset poses the greatest risk.
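
A worked version of the risk-based prioritization described above, added here as an example and not taken from the question bank or any vulnerability management product. The findings, host names, criticality tiers, exposure multiplier and remediation windows are all constructed assumptions; the point the code makes is that ranking by CVSS alone and ranking by CVSS combined with asset criticality produce different orders.

```python
from dataclasses import dataclass

# Assumed criticality tiers; in practice these come from the asset inventory/CMDB.
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str          # placeholder label, not a real CVE
    cvss: float              # CVSS base score, 0.0-10.0
    asset_criticality: str   # key into CRITICALITY
    internet_facing: bool = False


def risk_score(f):
    """Severity x business impact, with a modest bump for exposed assets.

    CVSS alone would put a 9.8 on a throwaway lab VM ahead of a 7.5 on the
    payroll database; weighting by asset criticality reverses that.
    """
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    if f.asset_criticality not in CRITICALITY:
        raise ValueError(f"unknown criticality tier: {f.asset_criticality}")
    exposure = 1.25 if f.internet_facing else 1.0   # assumed exposure multiplier
    return f.cvss * CRITICALITY[f.asset_criticality] * exposure


def remediation_deadline_hours(f):
    """Assumed SLA tiers keyed off the combined score (not an industry standard)."""
    score = risk_score(f)
    if score >= 30:
        return 48
    if score >= 15:
        return 168      # one week
    return 720          # thirty days


def prioritize(findings):
    """Highest combined risk first; raw CVSS breaks ties so the order is deterministic."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


# Constructed scan output for four hosts.
SAMPLE_FINDINGS = [
    Finding("lab-vm-07",     "F-1", 9.8, "low"),
    Finding("payroll-db-01", "F-2", 7.5, "critical"),
    Finding("www-01",        "F-3", 8.1, "high", internet_facing=True),
    Finding("print-srv-02",  "F-4", 5.3, "medium"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.host:14} cvss={f.cvss:4} score={risk_score(f):6.2f} "
              f"deadline={remediation_deadline_hours(f)}h")
```

On this sample the 9.8 on the lab VM drops to the bottom of the queue while the 7.5 on the payroll database gets the 48-hour clock, which is the behaviour the question is testing for. A production version would also pull in whether an exploit is known to be in active use, but that is a third input on top of the two the question names, not a replacement for them.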

39
MCQhard

During a change management process, the Change Advisory Board (CAB) approves a high-risk change. What is the NEXT step according to standard change management?

A.Implement the change immediately
B.Document the rollback plan
C.Perform a post-implementation review
D.Test the change in a staging environment
AnswerD

Correct. Testing is crucial before production deployment.

Why this answer

After CAB approval, the next step is to test the change in a staging environment to validate its functionality and identify potential issues before production deployment. This aligns with standard change management processes (e.g., ITIL) where testing follows approval to ensure the change does not disrupt operations. Immediate implementation without testing would bypass risk mitigation, making D the correct answer.

Exam trap

The trap here is confusing the order of steps: candidates often think approval directly leads to implementation, but standard change management mandates testing in a controlled environment first to prevent production incidents.

How to eliminate wrong answers

Option A is wrong because implementing immediately after approval skips mandatory testing, which is required to verify the change's impact and rollback procedures. Option B is wrong because documenting the rollback plan should occur during the planning phase, not after approval; the next step is testing, not documentation. Option C is wrong because a post-implementation review occurs after the change is deployed and tested in production, not immediately after approval.

40
MCQmedium

A security administrator needs to ensure that all servers are configured with a hardened baseline. Which tool is best suited to detect deviations from the baseline configuration?

A.Vulnerability scanner
B.Asset management database
C.SCAP scanner
D.SIEM
AnswerC

Designed to check compliance with security baselines.

Why this answer

SCAP (Security Content Automation Protocol) scanners are specifically designed to automate the verification of system configurations against a defined baseline, such as a hardened image or a security policy. They use standardized checklists (e.g., XCCDF, OVAL) to detect deviations, making them the ideal tool for this task. Unlike vulnerability scanners, SCAP scanners focus on configuration compliance rather than known vulnerabilities.

Exam trap

The trap here is that candidates confuse a vulnerability scanner (which finds weaknesses) with a configuration compliance scanner (which checks for policy drift), but the question specifically asks for detecting deviations from a baseline, not vulnerabilities.

How to eliminate wrong answers

Option A is wrong because a vulnerability scanner (e.g., Nessus, Qualys) primarily identifies known software vulnerabilities (CVEs) and missing patches, not configuration drift from a hardened baseline. Option B is wrong because an asset management database (e.g., CMDB) stores inventory and configuration items but does not actively scan or detect real-time deviations from a baseline. Option D is wrong because a SIEM (Security Information and Event Management) aggregates and correlates logs for incident detection, but it does not perform proactive configuration compliance checks against a baseline.
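
To make concrete what "detecting deviations from a baseline" means in questions 35 and 40, here is an added example of a baseline check for one configuration file. It is not code from the page and not an SCAP implementation: real SCAP content is XCCDF rules backed by OVAL checks, and this mimics the same expected-value/observed-value/pass-fail shape in plain Python. The baseline rules and the drifted sshd_config are constructed.

```python
import re

# Assumed hardened baseline for sshd_config: setting -> acceptable values.
BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"3", "4"},
    "LogLevel": {"INFO", "VERBOSE"},
}

# Constructed config from a host that has drifted: root login was re-enabled
# and MaxAuthTries was deleted, so sshd's compiled-in default is silently in effect.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
"""


def parse_sshd_config(text):
    """Return {setting: value}, keeping the FIRST occurrence of each keyword.

    sshd uses the first value it sees for a keyword and treats keywords
    case-insensitively (arguments are case-sensitive), so a checker that took
    the last occurrence would pass or fail hosts that sshd treats differently.
    """
    canonical = {k.lower(): k for k in BASELINE}
    observed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        key = canonical.get(key.lower(), key)
        observed.setdefault(key, value)
    return observed


def evaluate(observed, baseline=BASELINE):
    """Return [(setting, allowed, observed, status)] with status pass/fail/missing.

    'missing' is reported separately from 'fail' on purpose: an absent keyword
    means the default applies, which is not the same thing as compliance.
    """
    results = []
    for setting, allowed in baseline.items():
        if setting not in observed:
            results.append((setting, sorted(allowed), None, "missing"))
            continue
        value = observed[setting]
        results.append((setting, sorted(allowed), value,
                        "pass" if value in allowed else "fail"))
    return results


def deviations(text, baseline=BASELINE):
    """Only the findings an administrator has to act on."""
    return [r for r in evaluate(parse_sshd_config(text), baseline) if r[3] != "pass"]


if __name__ == "__main__":
    for setting, allowed, value, status in evaluate(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"{status:7} {setting:24} expected {allowed} got {value!r}")
```

Two details separate a useful checker from a string grep, and both are what a proper SCAP scanner gets right for you: it must evaluate the file the way the program does (first keyword wins, comments ignored), and it must treat an absent setting as a finding rather than as a pass, because "not configured" silently means "default", and the default is usually what the baseline was written to override.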

41
MCQeasy

Which of the following backup methods copies all data that has changed since the last full backup, regardless of any intermediate backups?

A.Differential backup
B.Full backup
C.Incremental backup
D.Snapshot backup
AnswerA

A differential backup copies all changes since the last full backup.

Why this answer

A differential backup copies all data that has changed since the last full backup, regardless of any intermediate backups. This means each differential backup grows in size as it accumulates all changes made since the last full backup, making it distinct from incremental backups which only capture changes since the last backup of any type.

Exam trap

The trap here is that candidates often confuse differential and incremental backups, mistakenly thinking differential only captures changes since the last backup of any type, when it actually captures all changes since the last full backup.

How to eliminate wrong answers

Option B is wrong because a full backup copies all data, not just changed data since the last full backup. Option C is wrong because an incremental backup copies only data that has changed since the last backup (whether full or incremental), not since the last full backup. Option D is wrong because a snapshot backup captures the state of a system at a point in time, often using copy-on-write technology, and is not a traditional backup method that tracks changes since a full backup.

42
MCQhard

A company's backup strategy uses a full backup on Sundays and differential backups on other days. On Thursday, the storage system fails. How many backups are required to restore the data?

A.One (the full backup only)
B.Five (the full backup and all differentials from Monday to Thursday)
C.Two (the full backup and the Thursday differential)
D.Six (all backups from Sunday to Thursday)
AnswerC

The full backup provides the baseline, and the Thursday differential contains all changes since Sunday.

Why this answer

A differential backup copies all data changed since the last full backup. Therefore, to restore data on Thursday, you need the last full backup (Sunday) and the most recent differential backup (Thursday), which contains all changes from Sunday through Thursday. This totals two backups.

Exam trap

The trap here is confusing differential backups with incremental backups, leading candidates to think they need all backups from Monday to Thursday (Option B) or all backups (Option D), when in fact only the full and the latest differential are required.

How to eliminate wrong answers

Option A is wrong because a full backup alone does not include changes made after Sunday, so data from Monday through Thursday would be lost. Option B is wrong because differential backups are cumulative; you do not need all differentials from Monday to Thursday—only the latest differential (Thursday) contains all changes since the full backup. Option D is wrong because you do not need every backup from Sunday to Thursday; the full backup plus the Thursday differential is sufficient, and including the other differentials is redundant and inefficient.
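
The restore-set rule behind questions 41 and 42, worked through in code so the differential and incremental cases can be compared side by side. This is an added example, not part of the original page; the weekly schedule is constructed to match the scenario (full on Sunday, differentials on the other days), and the incremental variant is added for contrast.

```python
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def restore_set(schedule, failure_day):
    """Return the ordered backups needed to restore after a failure on `failure_day`.

    `schedule` is a list of (day, kind) with kind in {"full", "differential",
    "incremental"}. A backup taken on the failure day is assumed to have
    completed before the failure, as in the question's scenario.

    Differential: last full + only the latest differential (they are cumulative).
    Incremental:  last full + every incremental since that full (they chain).
    """
    cutoff = DAYS.index(failure_day)
    available = [(d, k) for d, k in schedule if DAYS.index(d) <= cutoff]
    full_positions = [i for i, (_, k) in enumerate(available) if k == "full"]
    if not full_positions:
        raise ValueError("no full backup exists before the failure; nothing to restore from")
    last_full = full_positions[-1]
    since_full = available[last_full + 1:]
    diffs = [b for b in since_full if b[1] == "differential"]
    incs = [b for b in since_full if b[1] == "incremental"]
    if diffs and incs:
        raise ValueError("mixed differential and incremental chain; restore order is ambiguous")
    needed = [available[last_full]]
    if diffs:
        needed.append(diffs[-1])     # cumulative: the latest one holds everything since the full
    else:
        needed.extend(incs)          # chained: every link is required, in order
    return needed


def weekly(kind):
    """Full on Sunday, then `kind` every other day (the policy in question 42)."""
    return [("Sun", "full")] + [(d, kind) for d in DAYS[1:]]


DIFFERENTIAL_WEEK = weekly("differential")
INCREMENTAL_WEEK = weekly("incremental")

if __name__ == "__main__":
    for name, plan in (("differential", DIFFERENTIAL_WEEK), ("incremental", INCREMENTAL_WEEK)):
        needed = restore_set(plan, "Thu")
        print(f"{name:12}: {len(needed)} backups -> {needed}")
```

The trade-off the two chains illustrate: differential restores stay at two sets all week but each day's differential grows as it re-copies everything since Sunday, whereas incremental backups stay small but the restore needs every link, and a single missing or corrupt incremental breaks the chain from that point on.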

43
MCQhard

A critical vulnerability with a CVSS score of 9.8 is discovered in a web server that cannot be patched due to vendor dependency. What is the best compensating control?

A.Increase the frequency of vulnerability scans
B.Apply a virtual patch via a WAF
C.Decommission the server immediately
D.Disable the server's network connectivity
AnswerB

A WAF can block exploit attempts as a compensating control.

Why this answer

A WAF can apply a virtual patch by inspecting HTTP/HTTPS traffic and blocking exploit attempts against the unpatched vulnerability. This provides a compensating control at the application layer without modifying the vulnerable server, allowing the server to remain operational while mitigating the risk.

Exam trap

The trap here is that candidates may confuse compensating controls with detection or removal actions, choosing increased scanning (A) as a proactive measure, when in fact, of the options given, only the WAF provides active mitigation at the application layer while keeping the server in service.

How to eliminate wrong answers

Option A is wrong because increasing vulnerability scan frequency only detects the vulnerability; it does not prevent exploitation, so the risk remains unmitigated. Option C is wrong because decommissioning the server immediately may be too disruptive and is not a compensating control; it is a removal of the asset, not a control that allows continued operation. Option D is wrong because disabling network connectivity effectively removes the server from service, which is a last-resort isolation measure, not a compensating control that permits ongoing functionality.

44
MCQmedium

During a security awareness training session, an employee asks how to identify a phishing email. Which of the following is the most reliable indicator of a phishing attempt?

A.The email contains an attachment from an unknown sender
B.The email has grammatical errors or misspellings
C.The email creates a sense of urgency or threatens negative consequences
D.The email address of the sender closely resembles a legitimate domain
AnswerC

Urgency and threats are classic phishing tactics designed to bypass rational thinking.

Why this answer

Phishing emails often contain urgent or threatening language to prompt immediate action. While other indicators like misspellings can be present, the most reliable is the use of urgency or threats, which is a common social engineering tactic.

45
MCQeasy

Which of the following is a key principle of the 3-2-1 backup rule?

A.Two copies on three different media types with one onsite
B.One copy on two different media types with three offsite
C.Three copies on two different media types with one offsite
D.Three copies on three different media types with two offsite
AnswerC

Correct description of the rule.

Why this answer

The 3-2-1 backup rule is a foundational data protection strategy: maintain three copies of your data (one primary and two backups), store them on two different media types (e.g., disk and tape, or local SSD and cloud object storage), and ensure at least one copy is stored offsite to protect against site-level disasters. Option C correctly captures this: three copies, two media types, one offsite.

Exam trap

The trap here is that candidates often misremember the numbers, confusing the '3' copies with '3' media types or '2' offsite, leading them to select options like A or D that sound plausible but violate the exact 3-2-1 structure.

How to eliminate wrong answers

Option A is wrong because it states 'two copies on three different media types with one onsite' — the rule requires three copies, not two, and only two different media types, not three. Option B is wrong because it says 'one copy on two different media types with three offsite' — the rule mandates three copies total, with only one offsite, not three offsite. Option D is wrong because it specifies 'three copies on three different media types with two offsite' — the rule requires only two different media types, not three, and only one offsite copy, not two.

46
MCQhard

After a patch is deployed to a critical server, the system becomes unstable. The change management plan includes a rollback procedure. What should be done FIRST?

A.Create a new change request for the rollback
B.Conduct a post-implementation review
C.Execute the rollback procedure
D.Notify the Change Advisory Board
AnswerC

Correct. Rollback is the immediate corrective action.

Why this answer

When a patch deployment causes system instability, the immediate priority is to restore service stability by executing the pre-approved rollback procedure. The change management plan already includes this procedure, so no new approvals are needed; acting quickly minimizes downtime and risk.

Exam trap

The trap here is that candidates confuse the structured change management process with emergency response, thinking they must follow the full approval chain again, when in fact the rollback is already approved as part of the original change plan.

How to eliminate wrong answers

Option A is wrong because creating a new change request would introduce unnecessary delay; the rollback is already authorized under the original change plan. Option B is wrong because a post-implementation review is conducted after stability is restored, not during an active incident. Option D is wrong because notifying the Change Advisory Board (CAB) is not the first action; the rollback should be executed immediately, and notification can follow as per the plan.

47
MCQeasy

Which of the following physical security controls is designed to prevent tailgating by requiring two doors to be interlocked?

A.Security guard
B.Biometric reader
C.Mantrap
D.CCTV
AnswerC

A mantrap uses two interlocking doors to control access and prevent tailgating.

Why this answer

A mantrap is a physical security control consisting of two interlocking doors that create a small vestibule. Only one door can be opened at a time, preventing an unauthorized person from following an authorized person through a single entry point (tailgating). This design forces each individual to be authenticated before the second door unlocks, ensuring only one person passes per authentication event.

Exam trap

The trap here is that candidates confuse a mantrap with a simple turnstile or revolving door, which also limit passage but do not require two interlocked doors; the key distinction is the interlocking mechanism that prevents both doors from being open simultaneously.

How to eliminate wrong answers

Option A is wrong because a security guard can deter tailgating through observation but does not mechanically enforce the interlocking of two doors; tailgating can still occur if the guard is distracted. Option B is wrong because a biometric reader authenticates identity but does not physically prevent a second person from slipping through the same door; it lacks the interlocking door mechanism. Option D is wrong because CCTV provides surveillance and recording of tailgating incidents but does not actively prevent the act; it is a detective control, not a preventive one.

48
Multi-Selecthard

An organization is enhancing its backup strategy. According to the 3-2-1 rule, which THREE characteristics must the backup strategy include? (Select THREE)

Select 3 answers
A.At least two different media types
B.Daily full backups
C.At least one copy stored offsite
D.At least three copies of the data
E.Encryption of all backups
AnswersA, C, D

Two different media types, e.g., disk and tape.

Why this answer

Option A is correct because the 3-2-1 rule requires at least two different media types (e.g., tape and disk, or disk and cloud) to mitigate the risk of a single media failure or vulnerability. This ensures that if one media type becomes corrupted or obsolete, the other remains viable for recovery. Option C is correct because the offsite copy is the only one that survives a site-level event such as fire, flood, or theft at the primary facility; in practice it should also be logically separated (offline or immutable) so that ransomware that reaches the production network cannot reach it as well. Option D is correct because three copies (the production data plus two backups) mean that a single failed or corrupted backup still leaves a recoverable copy.

Exam trap

Cisco often tests the 3-2-1 rule by including plausible but non-essential elements like encryption or backup frequency, tricking candidates into selecting them as mandatory components when they are not part of the rule's core definition.

49
MCQ · hard

An organization is implementing configuration management and wants to detect unauthorized changes to server configurations. Which of the following tools would be most effective for this purpose?

A. Configuration management database (CMDB)
B. SIEM with change detection rules
C. Vulnerability scanner
D. Patch management tool
Answer: B

A SIEM can aggregate logs and trigger alerts on specific configuration changes, making it effective for deviation detection.

Why this answer

SIEM (Security Information and Event Management) systems can collect and correlate logs from various sources. When configured with rules to detect configuration changes, such as modifications to registry keys or system files, a SIEM can generate alerts on unauthorized changes.

50
Multi-Select · hard

During a post-implementation review of a recent change, it is found that the change introduced a security vulnerability. What TWO actions should be taken? (Select TWO)

Select 2 answers
A. Immediately apply a patch
B. Document the findings and update processes
C. Roll back the change
D. Blame the change implementer
E. Proceed and accept the risk
Answers: B, C

Documenting the findings and updating processes improves future change management.

Why this answer

Option B is correct because documenting findings and updating processes is a fundamental part of the change management lifecycle. It ensures that the security vulnerability is formally recorded, root causes are analyzed, and preventive measures are incorporated into future changes. This aligns with the post-implementation review (PIR) phase, where lessons learned are captured to improve security operations and administration.

Exam trap

The trap here is that candidates often confuse the immediate operational response (rollback or patch) with the post-review documentation step, but the question specifically asks for actions during the post-implementation review, not the initial incident response.

51
Multi-Select · hard

Which THREE of the following are critical elements of a patch management policy? (Select THREE)

Select 3 answers
A. Patch prioritization based on CVSS score and asset criticality
B. Immediate deployment of all patches without testing
C. Annual review of patch status
D. Vulnerability scanning to identify missing patches
E. Testing patches in a staging environment
Answers: A, D, E

Prioritization ensures critical patches are applied first.

Why this answer

Option A is correct because patch prioritization based on CVSS score and asset criticality ensures that resources are allocated to the most impactful vulnerabilities first. CVSS provides a standardized severity rating (0-10), while asset criticality accounts for the business value and exposure of the system, enabling risk-based decision-making rather than a one-size-fits-all approach.

Exam trap

Cisco often tests the misconception that patch management is solely about speed (immediate deployment) or infrequent reviews, when in fact it requires a balanced, risk-based process with testing, prioritization, and continuous verification.

52
Multi-Select · medium

A security administrator is implementing the 3-2-1 backup rule. Which THREE actions are required to comply with this rule? (Select THREE.)

Select 3 answers
A. Store one copy offsite
B. Maintain at least three copies of the data
C. Use two different media types (e.g., disk and tape)
D. Perform daily full backups
E. Use encryption for all backup copies
Answers: A, B, C

Correct. Offsite copy protects against site-level disasters.

Why this answer

The 3-2-1 rule requires three copies, two different media types, and one offsite copy.

53
MCQ · medium

A security administrator receives an alert from the SIEM indicating a configuration change on a critical server. The change was not part of any approved change request. What should be the first step?

A. Investigate the change to determine its source and impact
B. Notify the server owner
C. Revert the server to the last known good configuration
D. Disable the server's network access
Answer: A

Investigation helps decide the appropriate response.

Why this answer

The first step when an unauthorized configuration change is detected is to investigate the change to determine its source and impact. This aligns with the incident response process, where initial assessment (identification and scoping) precedes containment or remediation. Without investigation, reverting or disabling could destroy forensic evidence or disrupt legitimate services.

Exam trap

The trap here is that candidates often jump to immediate containment (revert or disable) without recognizing that the first step in incident response is always to verify and scope the incident before taking action.

How to eliminate wrong answers

Option B is wrong because notifying the server owner is premature; the security administrator must first gather information about the change to provide accurate context. Option C is wrong because reverting the server to the last known good configuration could destroy forensic evidence and may not address the root cause, potentially allowing the change to reoccur. Option D is wrong because disabling the server's network access is a containment step that should only be taken after investigation confirms malicious intent or immediate threat, as it could cause unnecessary service disruption.

54
MCQ · medium

A security metric shows that patch compliance is at 85%. The goal is 95%. Which action should be taken first?

A. Increase the frequency of vulnerability scans
B. Disable automatic updates to prevent issues
C. Prioritize patching based on vulnerability criticality
D. Exclude non-critical systems from patching
Answer: C

Focuses resources on most critical patches first.

Why this answer

To improve patch compliance, prioritize patching based on vulnerability criticality to address highest risk first.

55
MCQ · medium

A company has a Recovery Time Objective (RTO) of 4 hours for its critical database. Which backup strategy best supports this RTO?

A. Daily full backups to disk
B. Weekly full backups to tape
C. Hourly incremental backups to disk
D. Monthly full backups with daily differentials to tape
Answer: C

Frequent backups reduce data loss and disk allows fast recovery.

Why this answer

To meet a short RTO, backup frequency should be high and restoration quick, so frequent backups to fast media are needed.

56
MCQ · easy

Which of the following is the BEST definition of Recovery Point Objective (RPO)?

A. The cost of data recovery
B. The time it takes to recover data after a disaster
C. The maximum acceptable data loss in terms of time
D. The number of backup copies stored
Answer: C

RPO defines how much data loss is tolerable, e.g., 1 hour.

Why this answer

Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss measured in time, indicating how far back in time the data must be restored to resume operations after a disaster. It directly drives backup frequency and replication intervals, such as setting a 15-minute RPO requiring transaction log backups every 15 minutes in SQL Server or continuous data replication in a SAN environment.

Exam trap

Cisco often tests the confusion between RPO and RTO, where candidates mistakenly select 'the time it takes to recover data' (RTO) instead of the maximum acceptable data loss in time (RPO).

How to eliminate wrong answers

Option A is wrong because RPO is not a cost metric; cost of data recovery is typically associated with Recovery Cost Objective (RCO) or total cost of ownership, not RPO. Option B is wrong because the time to recover data after a disaster is defined as Recovery Time Objective (RTO), not RPO; RTO focuses on downtime duration, while RPO focuses on data loss tolerance. Option D is wrong because the number of backup copies stored relates to backup retention policies or the 3-2-1 rule, not RPO; RPO is a time-based metric, not a count of copies.

57
MCQ · hard

A patch management process is being audited. Which finding indicates a critical gap in the process?

A. Exception requests for unpatched systems are documented
B. Patches are not tested in a staging environment before production deployment
C. Critical systems are patched monthly
D. Patches are deployed within 30 days of release
Answer: B

Missing testing can cause production issues.

Why this answer

Failure to test patches in a staging environment can lead to instability when deployed to production.

58
Multi-Select · hard

Which THREE of the following are valid steps in the change management process? (Select THREE)

Select 3 answers
A. Post-implementation review
B. Vulnerability scanning
C. Baseline configuration update
D. Impact assessment
E. Change request submission
Answers: A, D, E

After implementation, a review ensures the change was successful and lessons are learned.

Why this answer

A post-implementation review is a valid step in the change management process because it evaluates whether the change met its objectives, identifies any issues, and captures lessons learned. This review typically occurs after the change has been implemented and verified, ensuring that the change was successful and that any unintended consequences are documented.

Exam trap

The trap here is that candidates may confuse operational security activities like vulnerability scanning or configuration updates with formal change management process steps, which are specifically about the lifecycle of a change request from submission through review.

59
Multi-Select · medium

Which TWO of the following are key components of the 3-2-1 backup rule?

Select 2 answers
A. One copy stored in a different geographic location
B. Daily full backups
C. All backups must be encrypted
D. At least three copies of the data
E. At least two different media types
Answers: D, E

Three copies include the original and two backups.

Why this answer

The 3-2-1 backup rule mandates at least three copies of the data (one primary and two backups) to ensure redundancy against failures. Option D directly states this requirement, which is the '3' in the rule.

Exam trap

Cisco often tests the exact wording of the 3-2-1 rule, and candidates mistakenly think 'different geographic location' is a separate numbered component, but it is actually the '1' (one offsite copy) and not a distinct key component like the number of copies or media types.

60
MCQ · medium

A security awareness training program aims to reduce successful phishing attacks. Which metric is most appropriate for measuring the effectiveness of this training?

A. Percentage of employees who click simulated phishing links
B. Training completion rate
C. Number of reported phishing emails
D. Number of security incidents caused by phishing
Answer: A

Correct. This directly measures the effectiveness of training in reducing risky behavior.

Why this answer

The primary goal is to reduce user susceptibility, so tracking the number of employees who click on simulated phishing links directly measures behavior change.

61
MCQ · medium

A company wants to track all hardware assets including serial numbers and locations. What is the primary repository for this information?

A. CMDB
B. Patch management tool
C. Vulnerability database
D. SIEM
Answer: A

Central repository for configuration items including hardware.

Why this answer

A Configuration Management Database (CMDB) stores details about hardware assets and their relationships.

62
MCQ · easy

Which of the following is the PRIMARY purpose of implementing a clean desk policy?

A. To lower office cleaning costs
B. To comply with fire safety regulations
C. To reduce the risk of data breaches
D. To improve employee productivity
Answer: C

Clean desk policies prevent unauthorized access to sensitive information left on desks.

Why this answer

A clean desk policy is a physical security control designed to prevent unauthorized access to sensitive information by ensuring that documents, devices, and media are securely stored when not in use. By reducing the visibility of confidential data, it directly mitigates the risk of data breaches from shoulder surfing, theft, or accidental exposure. This aligns with the principle of least exposure and supports compliance with data protection frameworks like GDPR or HIPAA.

Exam trap

The trap here is that candidates confuse a clean desk policy with general workplace organization or fire safety, overlooking its core role as a physical security control to protect confidential data from unauthorized access.

How to eliminate wrong answers

Option A is wrong because a clean desk policy does not target cleaning costs; it is a security measure, not a housekeeping budget control. Option B is wrong because while a clean desk may indirectly reduce fire hazards by clearing clutter, fire safety regulations are primarily addressed by fire codes, extinguisher placement, and egress paths, not by a policy focused on information security. Option D is wrong because although a tidy workspace can boost morale, the primary purpose of a clean desk policy is security, not productivity improvement.

63
MCQ · easy

Which backup type copies all data that has changed since the last full backup, regardless of any incremental backups?

A. Synthetic full backup
B. Full backup
C. Differential backup
D. Incremental backup
Answer: C

Correct. Differential copies changes since last full backup.

Why this answer

A differential backup copies all data that has changed since the last full backup, regardless of any intermediate incremental backups. This means each differential backup grows in size as it accumulates all changes made after the last full backup, making it distinct from incremental backups which only capture changes since the last backup of any type.

Exam trap

The trap here is that candidates often confuse differential backups with incremental backups, but the key differentiator is the reference point: differential backs up all changes since the last full backup, while incremental backs up changes since the last backup of any type.

How to eliminate wrong answers

Option A is wrong because a synthetic full backup is a logical reconstruction of a full backup from previous full and incremental backups, not a backup type that copies changed data since the last full backup. Option B is wrong because a full backup copies all data, not just the data that has changed since the last full backup. Option D is wrong because an incremental backup copies only data that has changed since the last backup (which could be full, differential, or incremental), not specifically since the last full backup.

64
MCQ · medium

A security analyst notices an alert indicating that a user's workstation has been connected to an unauthorized external device. Which physical security control would best help prevent such incidents?

A. Biometric readers on workstations
B. Mantrap at building entrance
C. Clean desk policy
D. CCTV monitoring
Answer: C

A clean desk policy encourages employees to secure their workstations, reducing the risk of unauthorized device connections.

Why this answer

A clean desk policy is a physical security control that requires employees to clear their workstations of sensitive documents, removable media, and devices at the end of each work session. By mandating that external devices like USB drives or peripherals be stored securely, it directly reduces the risk of unauthorized devices being connected to workstations. This policy complements technical controls like device control policies (e.g., Windows Group Policy for USB restrictions) by addressing the human factor.

Exam trap

The trap here is that candidates often confuse detective controls (CCTV) or access controls (biometrics, mantrap) with preventive controls, overlooking that a clean desk policy directly addresses the physical proximity and opportunity to connect unauthorized devices.

How to eliminate wrong answers

Option A is wrong because biometric readers on workstations authenticate users, not devices; they do not prevent connection of unauthorized external devices. Option B is wrong because a mantrap at the building entrance controls physical access to the facility, not to individual workstations or their ports. Option D is wrong because CCTV monitoring provides passive surveillance and detection after an incident, not active prevention of unauthorized device connections.

65
MCQ · medium

During a change management process, the Change Advisory Board (CAB) has approved a change to update a critical database server. After implementation, a rollback is necessary due to unforeseen performance issues. What should the change manager do next?

A. Execute the rollback plan and schedule a post-implementation review
B. Leave the server in its current state and escalate to the CAB for a decision
C. Patch the server with the latest updates to resolve the performance issue
D. Submit a new change request for the rollback and await CAB approval
Answer: A

Executing the pre-approved rollback plan is the correct immediate action, followed by a post-implementation review to learn from the failure.

Why this answer

Option A is correct because the change was already approved by the CAB, and the rollback plan is a pre-approved contingency within the original change request. Executing the rollback immediately restores service stability, and scheduling a post-implementation review (PIR) captures lessons learned and ensures compliance with the change management policy. This aligns with ITIL best practices, where rollback is part of the implementation plan and does not require a new change request.

Exam trap

The trap here is that candidates mistakenly think any rollback requires a new change request, but the rollback plan is already part of the approved change, so immediate execution is permitted without further CAB approval.

How to eliminate wrong answers

Option B is wrong because leaving the server in a degraded state violates the principle of restoring service as quickly as possible, and escalating to the CAB for a decision introduces unnecessary delay when a pre-approved rollback plan exists. Option C is wrong because patching the server with latest updates is an unapproved change that bypasses the change management process and could introduce further instability or security issues. Option D is wrong because submitting a new change request for the rollback is redundant and inefficient; the rollback plan was already approved as part of the original change, so immediate execution is authorized without additional CAB approval.

66
Multi-Select · medium

Which TWO of the following are key components of the 3-2-1 backup rule? (Select TWO)

Select 2 answers
A. One copy in the cloud
B. Daily full backups
C. All copies on the same media
D. Two different media types
E. Three copies of the data
Answers: D, E

The '2' in 3-2-1: use two different media types (e.g., disk and tape).

Why this answer

The 3-2-1 backup rule requires three copies of the data (one primary and two backups), stored on two different media types (e.g., disk and tape, or local disk and cloud storage), with one copy kept offsite. Option D is correct because using two different media types ensures that a failure or vulnerability affecting one medium (e.g., ransomware encrypting a disk array) does not compromise the other copy. This diversity is a core principle of the rule, reducing the risk of simultaneous data loss.

Exam trap

Cisco often tests the misconception that the '2' in 3-2-1 refers to two copies of the data rather than two different media types, leading candidates to incorrectly select options like 'All copies on the same media' or to overlook the requirement for media diversity.

67
MCQ · medium

An organization uses a SIEM to alert when a server's configuration changes from its hardened baseline. This is an example of:

A. Deviation detection
B. Patch management
C. Vulnerability scanning
D. Asset management
Answer: A

Correct. Monitoring for changes from baseline is deviation detection.

Why this answer

SIEM alerts on configuration changes from baseline are a form of deviation detection, which is part of configuration management.

68
MCQ · hard

A security administrator is prioritizing patches for a vulnerability with a CVSS score of 9.8 that is being actively exploited in the wild. The affected server has a low criticality classification. What should the administrator do?

A. Apply the patch immediately without change management
B. Ignore the patch because the server is low criticality
C. Wait for the next scheduled patch cycle
D. Prioritize patching via the change management process
Answer: D

Correct. The high severity and exploitation warrant prioritization even for low criticality assets.

Why this answer

Even though the asset criticality is low, the high CVSS score and active exploitation increase the risk. The patch should be prioritized and deployed through the change management process.

69
MCQ · medium

During a security awareness training session, an employee reports receiving an email that appears to be from the CEO requesting an urgent wire transfer. The email has a suspicious domain and poor grammar. Which type of attack is this an example of?

A. Smishing
B. Phishing
C. Spear phishing
D. Whaling
Answer: B

The email is a classic phishing attempt: it impersonates a trusted entity (CEO) and requests sensitive action (wire transfer).

Why this answer

This is a classic example of phishing, a broad category of social engineering attacks where attackers send deceptive emails to trick recipients into revealing sensitive information or performing actions like wire transfers. The email's suspicious domain and poor grammar are telltale signs of a generic phishing attempt, as it is not specifically tailored to the employee or the CEO's identity.

Exam trap

The trap here is confusing the broad category of phishing with its subtypes: candidates often pick 'spear phishing' or 'whaling' because the email targets a specific role (CEO), but the lack of personalization and generic red flags make it a standard phishing attack, not a targeted one.

How to eliminate wrong answers

Option A is wrong because smishing (SMS phishing) uses text messages, not email, as the attack vector. Option C is wrong because spear phishing involves targeted, personalized emails that often include specific details about the recipient or organization, whereas this email lacks such customization and uses generic red flags. Option D is wrong because whaling targets high-profile executives (e.g., the CEO or CFO) directly, but here the email impersonates the CEO, not targets them, and the attack is not specifically aimed at a senior executive.

70
Multi-Select · medium

Which TWO of the following are valid reasons to deny a change request during the CAB approval process?

Select 2 answers
A. The change is outside the approved budget
B. The change request lacks a rollback plan
C. The change has a low priority
D. The change has not been tested in a staging environment
E. The change was requested by a junior staff member
Answers: B, D

A rollback plan is required to mitigate risks in case of failure.

Why this answer

A change request must include a rollback plan to ensure that if the change fails or causes unexpected issues, the system can be safely restored to its previous state. Without a documented rollback procedure, the change introduces unacceptable operational risk, making it a valid reason for the CAB to deny approval.

Exam trap

Cisco often tests the distinction between operational risk (like missing a rollback plan or skipping staging tests) versus administrative or financial concerns (like budget or requester seniority) to see if candidates understand the CAB's technical risk assessment focus.

71
MCQ · easy

Which of the following is the primary purpose of a configuration management database (CMDB)?

A. To provide a centralized repository of configuration items and their relationships
B. To track changes to network devices in real time
C. To automate the deployment of patches
D. To store backup copies of configuration files
Answer: A

This is the core function of a CMDB.

Why this answer

A configuration management database (CMDB) is a centralized repository that stores information about configuration items (CIs) and their relationships. Its primary purpose is to provide a single source of truth for managing IT assets, dependencies, and their interconnections, which is foundational for change management, incident management, and impact analysis.

Exam trap

Cisco often tests the distinction between a CMDB's role as a metadata repository versus operational tools that perform real-time actions, leading candidates to confuse it with change tracking or backup systems.

How to eliminate wrong answers

Option B is wrong because tracking changes to network devices in real time is a function of network monitoring tools (e.g., SNMP traps, NetFlow) or change detection systems, not the primary purpose of a CMDB. Option C is wrong because automating patch deployment is the role of patch management systems (e.g., WSUS, SCCM), while a CMDB stores CI data but does not execute deployment actions. Option D is wrong because storing backup copies of configuration files is a function of backup and version control systems (e.g., RANCID, Git), whereas a CMDB focuses on metadata and relationships, not file-level backups.

72
MCQ · medium

A security administrator needs to dispose of hard drives that contain sensitive data. Which method provides the highest assurance that data cannot be recovered?

A. Deleting all files and emptying the recycle bin
B. Performing a quick format of the drive
C. Physically shredding the hard drives
D. Using a degausser to erase magnetic data
Answer: C

Physical destruction provides the highest assurance of data irrecoverability.

Why this answer

Physical destruction (e.g., shredding, crushing) ensures that the storage media is no longer usable and data recovery is virtually impossible. Degaussing may destroy magnetic media but is less effective on SSDs. Overwriting requires multiple passes and may not be effective on all media types.

73
MCQ · medium

An organization needs to recover data from a backup after a ransomware attack. The backup was taken 12 hours ago, and the RPO is 4 hours. What is the impact?

A. The RPO is met because data can be recovered
B. The RPO is violated because more than 4 hours of data may be lost
C. The RTO is exceeded
D. The 3-2-1 rule is violated
Answer: B

Correct. The backup frequency does not meet the RPO.

Why this answer

RPO (Recovery Point Objective) defines the maximum acceptable data loss measured in time. If the backup is 12 hours old and the RPO is 4 hours, up to 12 hours of data may be lost, which is 8 hours more than the objective allows, so the RPO is violated.

74
Multi-Select · medium

Which TWO controls are examples of physical security controls that can help prevent unauthorized access to a data center? (Select TWO.)

Select 2 answers
A. Biometric readers
B. Encryption of data at rest
C. Mantraps
D. Firewalls
E. Intrusion detection system (IDS)
Answers: A, C

Correct. Biometric readers are physical access controls.

Why this answer

Biometric readers are a physical security control that authenticates individuals based on unique biological traits (e.g., fingerprints, iris patterns). They prevent unauthorized access by ensuring only enrolled personnel can enter the data center, directly controlling physical entry points.

Exam trap

The trap here is that candidates often confuse 'physical security controls' with 'technical/administrative controls'—for example, selecting encryption or firewalls because they 'secure' the data center, but they do not prevent physical entry.
