CCNA Describe The Concepts Of Security Compliance And Identity Questions

10 of 235 questions · Page 4/4 · Describe The Concepts Of Security Compliance And Identity topic · Answers revealed

226
MCQ · easy

A company implements a security strategy that includes multiple layers of controls: a perimeter firewall, an intrusion detection system, endpoint antivirus software, and multi-factor authentication for user access. The goal is that if one layer fails, another layer is in place to prevent or mitigate an attack. Which security principle does this approach best represent?

A. Defense in depth
B. Zero Trust
C. Least privilege
D. CIA triad
Answer: A

Correct. Defense in depth employs overlapping layers of security controls to protect assets and ensure resilience against attacks.

Why this answer

Defense in depth is a security strategy that layers independent defensive mechanisms so that if one layer fails, another layer is already in place to prevent or mitigate an attack. The scenario explicitly describes multiple layers (firewall, IDS, endpoint antivirus, MFA) working together, which is the core definition of defense in depth. This approach ensures no single point of failure can compromise the entire security posture.

Exam trap

The trap here is that candidates often confuse 'Defense in depth' with 'Zero Trust' because both involve multiple security controls, but Zero Trust is specifically about eliminating implicit trust and verifying every access request, not about layering defenses as a fail-safe mechanism.

How to eliminate wrong answers

Option B (Zero Trust) is wrong because Zero Trust is a security model that assumes no implicit trust and requires continuous verification of every access request, regardless of network location; it does not inherently describe a layered defense strategy. Option C (Least privilege) is wrong because least privilege is a principle that restricts users and systems to only the minimum permissions necessary to perform their functions, not a multi-layered control architecture. Option D (CIA triad) is wrong because the CIA triad (Confidentiality, Integrity, Availability) is a set of security objectives, not a design principle for implementing multiple layers of controls.

227
MCQ · hard

A company deploys Microsoft Defender for Cloud Apps. They want to detect when a user downloads more than 100 files from SharePoint in 10 minutes. Which policy type should they create?

A. File policy
B. Anomaly detection policy
C. App permission policy
D. Session policy
Answer: B

Anomaly detection policies use machine learning to detect unusual user behavior like mass downloads.

Why this answer

Option C is correct because an anomaly detection policy in Defender for Cloud Apps can identify unusual file download activities based on predefined thresholds. Option A is wrong because an app permission policy governs permissions granted to third-party apps. Option B is wrong because a session policy enforces real-time controls on user sessions.

Option D is wrong because a file policy monitors files based on metadata or content, not behavioral patterns.

228
MCQ · easy

A security administrator is explaining the concept of defense in depth to a new team member. Which statement best describes this approach?

A. Using a single, strong firewall to block all external traffic
B. Layering multiple security controls across different areas of the IT environment
C. Relying solely on encryption to protect all data at rest and in transit
D. Implementing only physical security measures to protect the data center
Answer: B

This is correct. Defense in depth employs a layered approach, including physical, technical, and administrative controls, so that if one control fails, others still provide protection.

Why this answer

Defense in depth is a cybersecurity strategy that employs multiple layers of security controls across different areas of the IT environment (network, endpoint, application, data, and physical). This approach ensures that if one control fails, another is already in place to mitigate the threat, providing redundancy and reducing the risk of a single point of failure. Microsoft's security framework, including tools like Microsoft Defender for Cloud and Azure Firewall, operationalizes this concept by integrating protections at each layer.

Exam trap

The trap here is that candidates often confuse defense in depth with a single strong control (like a firewall or encryption), failing to recognize that the core principle is layering multiple independent controls to provide redundancy and depth.

How to eliminate wrong answers

Option A is wrong because relying on a single, strong firewall creates a single point of failure; defense in depth requires multiple overlapping controls, not a single barrier. Option C is wrong because encryption alone does not protect against threats like malware, unauthorized access, or denial-of-service attacks; it only secures data confidentiality and integrity, leaving other attack vectors unaddressed. Option D is wrong because physical security is only one layer of defense in depth; it ignores critical layers such as network segmentation, identity management (e.g., Azure AD Conditional Access), and endpoint protection (e.g., Microsoft Defender for Endpoint).

229
MCQ · easy

A financial institution uses digital signatures to ensure that a transaction record has not been altered after it was processed. Which security principle is primarily addressed?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: B

Integrity ensures that data has not been tampered with or altered, which is directly addressed by digital signatures.

Why this answer

Digital signatures compute a hash of the transaction record and sign that hash with the sender's private key using asymmetric cryptography (e.g., RSA or ECDSA). Any alteration to the record after signing would cause signature verification to fail, directly ensuring data integrity. This is why option B is correct.

Exam trap

The trap here is that candidates often confuse non-repudiation (which focuses on proving the origin of the signature) with integrity (which focuses on proving the data has not been altered), but the question's wording 'has not been altered' points directly to integrity.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data (e.g., via encryption), not about detecting tampering. Option C is wrong because availability ensures systems and data are accessible when needed, which is unrelated to verifying that a record has not been altered. Option D is wrong because non-repudiation prevents the sender from denying they signed the record, but the question specifically asks about detecting alteration after processing, which is integrity's primary role.

230
MCQ · hard

A financial services company needs to comply with GDPR and requires that personal data be automatically classified and protected when stored in Microsoft SharePoint and OneDrive. They also need to retain certain records for a minimum of 7 years. Which combination of Microsoft Purview capabilities should they use?

A. Sensitivity labels and data loss prevention (DLP) policies
B. Sensitivity labels and retention labels
C. Data loss prevention (DLP) policies and retention labels
D. eDiscovery and sensitivity labels
Answer: B

Sensitivity labels classify and protect data; retention labels enforce retention periods.

Why this answer

Sensitivity labels classify data and can apply encryption or markings. Retention labels enforce retention or deletion rules. Option A is wrong because retention labels do not automatically classify data.

Option B is wrong because DLP policies do not set retention. Option D is wrong because eDiscovery is for search and export, not classification or retention.

231
MCQ · easy

Which Microsoft Purview solution should you use to automatically retain or delete content based on regulations?

A. Records Management
B. Communication Compliance
C. Data Loss Prevention (DLP)
D. eDiscovery
Answer: A

Records Management uses retention labels and policies to retain or delete content.

Why this answer

Option B is correct because retention policies in Microsoft Purview manage data retention and deletion. Option A is incorrect because DLP prevents data leaks. Option C is incorrect because eDiscovery is for legal discovery.

Option D is incorrect because communication compliance monitors communications.

232
MCQ · medium

Your organization is deploying Microsoft Entra ID Governance. You need to automate the process of removing user access to a critical application when the user leaves the company. Which feature should you configure?

A. Privileged Identity Management
B. Entitlement Management
C. Access Reviews
D. Lifecycle Workflows
Answer: B

Entitlement Management can expire access packages automatically when a user is removed from a connected organization.

Why this answer

Option D is correct because Entitlement Management can automate access removal when a user's membership ends. Option A is wrong because Access Reviews require manual or scheduled reviews. Option B is wrong because Lifecycle Workflows automate user lifecycle but not access removal.

Option C is wrong because PIM manages just-in-time access, not removal of directly assigned access.

233
MCQ · easy

A company is migrating its on-premises virtual machines to Azure Infrastructure-as-a-Service (IaaS). Which security responsibility primarily shifts from the customer to Microsoft during this migration?

A. Physical security of the data center
B. Patching the guest operating system
C. Managing user access to the virtual machines
D. Configuring the firewall rules for the virtual network
Answer: A

Correct. In IaaS, Microsoft is responsible for the physical data center security, including access control, surveillance, and environmental controls.

Why this answer

When migrating on-premises virtual machines to Azure IaaS, Microsoft takes over responsibility for the physical security of the data centers, including environmental controls, hardware maintenance, and physical access controls. This is a fundamental shift from the customer's responsibility under the shared responsibility model, where the customer previously managed the physical infrastructure on-premises.

Exam trap

The trap here is that candidates often confuse the shared responsibility model for IaaS with PaaS or SaaS, mistakenly thinking Microsoft handles guest OS patching or network configuration, when in fact those remain customer responsibilities in IaaS.

How to eliminate wrong answers

Option B is wrong because patching the guest operating system remains the customer's responsibility in an IaaS model, as Microsoft only manages the hypervisor and host OS. Option C is wrong because managing user access to the virtual machines (e.g., via Azure RBAC or local accounts) is always the customer's responsibility, as Microsoft has no knowledge of or control over who should access the VMs. Option D is wrong because configuring firewall rules for the virtual network (e.g., Network Security Groups or Azure Firewall policies) is a customer-managed task, as Microsoft only provides the networking infrastructure but does not define traffic rules.

234
MCQ · easy

A company deploys full disk encryption on all employee laptops to protect data in case a device is lost or stolen. Which security goal does this measure primarily address?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: A

Encryption protects data from unauthorized access, ensuring only authorized parties can read it.

Why this answer

Full disk encryption (FDE) ensures that data stored on the laptop's hard drive is unreadable without the correct decryption key. This directly protects the confidentiality of the data by preventing unauthorized access if the device is lost or stolen, as the encrypted data cannot be deciphered without the key.

Exam trap

The trap here is that candidates often confuse encryption with integrity or availability, mistakenly thinking encryption also prevents data tampering or ensures data is always accessible, but encryption only addresses unauthorized reading (confidentiality).

How to eliminate wrong answers

Option B (Integrity) is wrong because full disk encryption does not protect against unauthorized modification of data; it only prevents unauthorized reading. Option C (Availability) is wrong because encryption does not ensure data is accessible when needed; in fact, a lost key can reduce availability. Option D (Non-repudiation) is wrong because encryption does not provide proof of origin or action; non-repudiation is typically achieved through digital signatures or audit logs.

235
MCQ · medium

A company is moving its on-premises database to Azure SQL Database. According to the shared responsibility model, which security tasks remain the responsibility of the customer?

A. Patching the physical servers hosting the database
B. Managing access controls and authentication for database users
C. Securing the hypervisor running the virtual machines
D. Hardening the network firewalls at the datacenter perimeter
Answer: B

The customer retains responsibility for managing user identities, permissions, and authentication to the database.

Why this answer

In the shared responsibility model for Azure SQL Database, Microsoft manages the physical infrastructure, including servers, storage, and network, while the customer is responsible for data and access management. Option B is correct because managing access controls and authentication for database users, such as configuring logins, users, and permissions via T-SQL or Azure Active Directory, falls squarely on the customer. Microsoft ensures the platform is patched and secure, but the customer must control who can access the database and what they can do.

Exam trap

The trap here is that candidates often confuse PaaS with IaaS and assume the customer is responsible for patching or hypervisor security, but in Azure SQL Database (PaaS), Microsoft handles all infrastructure layers, leaving the customer only with data and access control responsibilities.

How to eliminate wrong answers

Option A is wrong because patching the physical servers hosting the database is the responsibility of Microsoft, not the customer, as Azure SQL Database is a Platform as a Service (PaaS) offering where Microsoft handles all underlying hardware and OS patching. Option C is wrong because securing the hypervisor running the virtual machines is also Microsoft's responsibility in the PaaS model; the customer never has access to the hypervisor and cannot be responsible for its security. Option D is wrong because hardening the network firewalls at the datacenter perimeter is managed by Microsoft as part of the physical network infrastructure; the customer only configures Azure network security groups or firewall rules at the logical level, not the physical datacenter perimeter.
