Security Architecture for CompTIA SecurityX

This page covers the Security Architecture domain of the CompTIA SecurityX certification. Master Cybersecurity offers 26 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    A company plans to implement a research facility with intellectual property data that should be protected. The following is the security diagram proposed by the security architect: Which of the following security architect models is illustrated by the diagram?
    A. Identity and access management model
    B. Agent-based security model
    C. Perimeter protection security model
    D. Zero Trust security model
    Explanation

    The correct answer is: D. Zero Trust security model.

    A research facility built around protecting intellectual property, where every flow is authenticated, authorized, and continuously evaluated regardless of where the requester sits, is the textbook Zero Trust security model (option D) as defined in NIST SP 800-207, with explicit per-session policy decisions, identity-aware proxies, microsegmentation, and the assumption that the network itself is hostile. An identity and access management model (option A) is a component of zero trust but not the overarching architecture. An agent-based model (option B) is an implementation detail describing how endpoints participate, not a model. A perimeter protection model (option C) is the older castle-and-moat approach that zero trust explicitly replaces: once inside the perimeter, a user gains broad trust, which is exactly what IP-theft scenarios punish.

  2. Question 2

    During a gap assessment, an organization notes that BYOD usage is a significant risk. The organization implemented administrative policies prohibiting BYOD usage. However, the organization has not implemented technical controls to prevent the unauthorized use of BYOD assets when accessing the organization's resources. Which of the following solutions should the organization implement to best reduce the risk of BYOD devices? (Choose two.)
    A. Cloud IAM, to enforce the use of token-based MFA
    B. Conditional access, to enforce user-to-device binding
    C. NAC, to enforce device configuration requirements
    D. PAM, to enforce local password policies
    E. SD-WAN, to enforce web content filtering through external proxies
    F. DLP, to enforce data protection capabilities
    Explanation

    The correct answers are: B. Conditional access, to enforce user-to-device binding; and C. NAC, to enforce device configuration requirements.

    An administrative ban on BYOD without technical enforcement leaves the network unable to distinguish a corporate asset from a personal phone. Conditional access with user-to-device binding (option B) ties identity to a known, registered device so a stolen credential on an unmanaged endpoint cannot complete authentication, and NAC (option C) enforces device posture, certificates, and configuration at the network layer through 802.1X before any IP-level access is granted. Cloud IAM with token MFA (option A) strengthens authentication but accepts the request from any device. PAM (option D) governs privileged accounts and password vaulting, not device admission. SD-WAN with proxy filtering (option E) shapes traffic but does not gate device admission. DLP (option F) protects data flows but does not stop a BYOD device from connecting in the first place.
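The difference between option A and options B and C can be seen by running the same requests through both policies. This is an added example, not part of the original question bank; the device inventory, the field names and the 30-day patch threshold are assumptions constructed for illustration, and a real NAC would make the posture decision at the network layer (802.1X) rather than in application code.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed device inventory (hypothetical IDs and posture fields).
REGISTRY = {
    "LT-0042": {"owner": "alice", "managed": True, "disk_encrypted": True, "patch_age_days": 5},
    "LT-0077": {"owner": "bob", "managed": True, "disk_encrypted": False, "patch_age_days": 3},
}
MAX_PATCH_AGE_DAYS = 30  # assumed posture threshold

@dataclass
class Request:
    user: str
    password_ok: bool
    mfa_ok: bool
    device_id: Optional[str]  # None: the device presented no enrolled identity

def mfa_only(req: Request) -> str:
    """Option A style policy: strong authentication, no device check."""
    return "allow" if req.password_ok and req.mfa_ok else "deny:authentication"

def bound_and_compliant(req: Request) -> str:
    """Options B + C style policy: authentication, then binding, then posture."""
    if not (req.password_ok and req.mfa_ok):
        return "deny:authentication"
    device = REGISTRY.get(req.device_id)
    if device is None or not device["managed"]:
        return "deny:unregistered-device"
    if device["owner"] != req.user:
        return "deny:device-not-bound-to-user"
    if not device["disk_encrypted"] or device["patch_age_days"] > MAX_PATCH_AGE_DAYS:
        return "deny:posture"
    return "allow"

def evaluate_all() -> dict:
    """Return {case: (mfa_only decision, bound_and_compliant decision)}."""
    cases = {
        "corporate_laptop": Request("alice", True, True, "LT-0042"),
        "personal_phone": Request("alice", True, True, None),
        "colleagues_laptop": Request("alice", True, True, "LT-0077"),
        "unencrypted_laptop": Request("bob", True, True, "LT-0077"),
    }
    return {name: (mfa_only(r), bound_and_compliant(r)) for name, r in cases.items()}

if __name__ == "__main__":
    for name, decisions in evaluate_all().items():
        print(f"{name:20s} mfa_only={decisions[0]:6s} bound={decisions[1]}")
```
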

  3. Question 3

    A manufacturing plant is updating its IT services. During discussions, the senior management team created the following list of considerations:
    - Staff turnover is high and seasonal.
    - Extreme conditions often damage endpoints.
    - Losses from downtime must be minimized.
    - Regulatory data retention requirements exist.
    Which of the following best addresses the considerations?
    A. Establishing further environmental controls to limit equipment damage
    B. Using a non-persistent virtual desktop interface with thin clients
    C. Deploying redundant file servers and configuring database journaling
    D. Maintaining an inventory of spare endpoints for rapid deployment
    Explanation

    The correct answer is: B. Using a non-persistent virtual desktop interface with thin clients.

    Non-persistent virtual desktops with thin clients (option B) address all four considerations at once: high seasonal turnover is handled because every login spins up a fresh, policy-conformant desktop with no user-specific state on the endpoint; harsh environments are tolerated because thin clients hold no critical data and are cheap and fast to swap; downtime is minimized because the desktop image runs centrally and a failed thin client is replaced in minutes; and regulated data stays in the data center under retention controls rather than scattering across endpoints. Environmental controls (option A) help only the damage problem. Redundant file servers with journaling (option C) help only uptime. Spare endpoints (option D) help only rapid replacement and leave data, turnover, and retention untouched.

  4. Question 4

    After a company discovered a zero-day vulnerability in its VPN solution, the company plans to deploy cloud-hosted resources to replace its current on-premises systems. An engineer must find an appropriate solution to facilitate trusted connectivity. Which of the following capabilities is the most relevant?
    A. Container orchestration
    B. Microsegmentation
    C. Conditional access
    D. Secure access service edge
    Explanation

    The correct answer is: D. Secure access service edge.

    Replacing on-premises VPN concentrators after a zero-day with a cloud-delivered, identity-centric access fabric is the design problem that Secure Access Service Edge (option D) was created to solve, per Gartner: SASE/SSE combines ZTNA, SWG, CASB, and FWaaS in a cloud-hosted plane so trusted connectivity does not depend on a single on-premises appliance with a vulnerable code base. Container orchestration (option A) manages workloads, not user connectivity. Microsegmentation (option B) limits east-west blast radius inside an environment but does not provide remote trusted connectivity in place of a VPN. Conditional access (option C) is a useful policy layer and is in fact a component within SASE, but on its own it is not the connectivity replacement the engineer needs.

  5. Question 5

    SIMULATION - You are tasked with integrating a new B2B client application with an existing OAuth workflow that must meet the following requirements:
    - The application does not need to know the users' credentials.
    - An approval interaction between the users and the HTTP service must be orchestrated.
    - The application must have limited access to users' data.

    INSTRUCTIONS - Use the drop-down menus to select the action items for the appropriate locations. All placeholders must be filled. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
