Security Program Management for CompTIA Security+
This page covers the Security Program Management domain of the CompTIA Security+ certification. Master Cybersecurity offers 96 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
An administrator notices that several users are logging in from suspicious IP addresses. After speaking with the users, the administrator determines that the employees were not logging in from those IP addresses and resets the affected users’ passwords. Which of the following should the administrator implement to prevent this type of attack from succeeding in the future?
- A. Multifactor authentication
- B. Permissions assignment
- C. Access management
- D. Password complexity
Explanation
The correct answer is: A. Multifactor authentication.
The defense most effective against unauthorized log-ins from suspicious IP addresses is multifactor authentication. Whatever credential theft mechanism the attacker used — phishing, leaked password database, infostealer — MFA breaks the kill chain because the attacker still has to defeat a second factor (typically a TOTP code, push approval, or FIDO2 hardware token) tied to a device the legitimate user holds. The SY0-701 objectives single out MFA as the foundational mitigation against credential theft and account takeover. Permissions assignment determines what an account can do once authenticated but does not prevent the unauthorized log-in itself. Access management covers the broader lifecycle of provisioning and review and is the policy umbrella rather than the immediate control. Password complexity makes guessing harder but does nothing against stolen credentials. Only MFA layers an independent factor on top of the password.
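To make the "second factor tied to a device the user holds" concrete, here is an added example (not part of the original page or of the Master Cybersecurity material) that implements RFC 4226 HOTP and RFC 6238 TOTP with Python's standard library and gates a login on both the password and a fresh code. The user store, username, password and salt are constructed sample data; the TOTP seed is the RFC 6238 test-vector seed, used here only so the expected codes are verifiable against the RFC.

```python
"""Added example: a stolen password alone fails once TOTP-based MFA is enforced.

HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only. The user
store below is constructed sample data, not a real account.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time // step."""
    return hotp(secret, int(at // step), digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (constructed parameters for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample user store: password hash plus a per-user TOTP seed
# (the RFC 6238 test-vector seed standing in for an enrolled authenticator).
_SALT = b"constructed-salt"
_TOTP_SEED = b"12345678901234567890"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_seed": _TOTP_SEED,
        "last_counter": -1,  # last accepted time-step, used to block code replay
    }
}


def verify_login(username: str, password: str, code: Optional[str],
                 now: Optional[float] = None, skew: int = 1) -> bool:
    """True only if the password is right AND a fresh, valid TOTP code is supplied.

    Accepts codes from `skew` steps either side of the current one to tolerate
    clock drift, and refuses any time-step at or before the last accepted one so
    a captured code cannot be replayed inside its validity window.
    """
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(hash_password(password, _SALT), user["pw_hash"])
    if not password_ok:
        return False
    if not (code and code.isascii() and code.isdigit()):
        return False  # password alone (e.g. phished or leaked) does not log in
    now = time.time() if now is None else now
    current = int(now // 30)
    for counter in range(current - skew, current + skew + 1):
        if counter <= user["last_counter"]:
            continue  # already consumed: replay attempt
        if hmac.compare_digest(hotp(user["totp_seed"], counter), code):
            user["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    t = 59  # RFC 6238 test instant; the 6-digit TOTP here is 287082 (counter 1)
    print(verify_login("alice", "correct horse battery staple", None, now=t))      # False
    print(verify_login("alice", "correct horse battery staple", "287082", now=t))  # True
    print(verify_login("alice", "correct horse battery staple", "287082", now=t))  # False (replay)
```

The two defender-side details worth noting are the skew window (one step either side, so a phone a few seconds off still authenticates) and the `last_counter` check, which turns a code that was shoulder-surfed or phished in real time into a one-time token rather than a 30-second reusable credential.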
Question 2
A company is required to use certified hardware when building networks. Which of the following best addresses the risks associated with procuring counterfeit hardware?
- A. A thorough analysis of the supply chain
- B. A legally enforceable corporate acquisition policy
- C. A right to audit clause in vendor contracts and SOWs
- D. An in-depth penetration test of all suppliers and vendors
Explanation
The correct answer is: A. A thorough analysis of the supply chain.
The most direct mitigation for the risk of receiving counterfeit hardware is a thorough analysis of the supply chain. Supply chain analysis verifies the provenance of every component, the legitimacy of intermediate distributors, and the chain of custody from manufacturer to receiving dock; in NIST SP 800-161 (Cybersecurity Supply Chain Risk Management for Systems and Organizations) this practice is the named control for detecting counterfeit, tampered, and grey-market parts. A legally enforceable corporate acquisition policy sets the rules for purchasing but does not by itself inspect what arrives, and even the strongest policy cannot tell a genuine ASIC from a re-marked one. A right-to-audit clause grants the legal authority to inspect a vendor's facilities and records, which is useful when supply chain analysis turns up an irregularity, but the clause is an enabling agreement term rather than the analytical control itself. An in-depth penetration test of suppliers and vendors evaluates their cyber defenses against attackers, which is unrelated to whether the hardware shipped from them is authentic. Supply chain analysis is therefore the best fit because it directly targets the artifact in question.
Question 3
Which of the following provides the details about the terms of a test with a third-party penetration tester?
- A. Rules of engagement
- B. Supply chain analysis
- C. Right to audit clause
- D. Due diligence
Explanation
The correct answer is: A. Rules of engagement.
The document that spells out the boundaries of a penetration test is the rules of engagement (ROE). An ROE codifies the in-scope and out-of-scope targets, the permitted attack techniques, the timing window, points of contact for emergencies, evidence handling, and the legal authorization that protects the tester from accidental liability. Without an ROE every tactical decision during a test risks crossing a boundary nobody agreed to. Supply chain analysis is a vendor-management activity for evaluating upstream sourcing risk and is unrelated to the conduct of a test. A right-to-audit clause is a contract term that grants the customer the legal authority to inspect a vendor; it enables audits but does not detail how a particular test is run. Due diligence is the broad pre-engagement assessment of a counterparty's controls and does not specify the operational terms of the test itself. The ROE is the document the tester operates from on the day of the engagement.
Question 4
A company purchased cyber insurance to address items listed on the risk register. Which of the following strategies does this represent?
- A. Accept
- B. Transfer
- C. Mitigate
- D. Avoid
Explanation
The correct answer is: B. Transfer.
Buying cyber insurance is the textbook implementation of a risk-transfer strategy. The four risk-management options on the SY0-701 objectives are accept, transfer, mitigate, and avoid, and transfer means moving the financial consequences of a realized risk onto a third party, almost always through an insurance contract. When the company pays a premium to an insurer in exchange for coverage of incident response costs, ransomware payments, business interruption, and legal liability, it is choosing not to absorb those costs itself; the underlying probability of an incident has not changed but the dollar exposure has been shifted. Accepting the risk would mean carrying the loss on the balance sheet with no offsetting contract. Mitigating the risk would mean reducing the likelihood or impact through controls, which insurance does not do on its own. Avoiding the risk would mean ceasing the activity that creates exposure, which is also not what an insurance purchase achieves.
Question 5
Which of the following is the most likely to be used to document risks, responsible parties, and thresholds?
- A. Risk tolerance
- B. Risk transfer
- C. Risk register
- D. Risk analysis
Explanation
The correct answer is: C. Risk register.
The single artifact that tracks risks, the people responsible for them, and the thresholds for action is the risk register. A risk register is the controlled, living document at the heart of a risk-management program; each row captures a risk description, likelihood, impact, owner, current treatment, residual risk, and the threshold at which the owner must escalate. It is the place auditors look to confirm the program is being run and the place leadership consults to see where the organization stands. Risk tolerance is a stated organizational appetite (how much risk leadership is willing to absorb) and is an input to threshold-setting rather than the document itself. Risk transfer is a treatment strategy such as buying insurance and is captured inside the register, not equivalent to it. Risk analysis is the activity of evaluating risk and again feeds the register rather than replacing it.
Other CompTIA Security+ domains
- General Security Concepts (132 questions)
- Security Architecture (124 questions)
- Security Operations (141 questions)
- Threats, Vulnerabilities, and Mitigations (118 questions)