Skip to content

CompTIA Practice Tests
A+ Practice Tests
Security+ Practice Tests
Network+ Practice Tests

CompTIA Security+ Practice Test 7

Time limit: 0

Quiz Summary

0 of 32 Questions completed

Questions:

Information

You have already completed the quiz before. Hence you can not start it again.

Quiz is loading…

You must sign in or sign up to start the quiz.

You must first complete the following:

Results

Test complete. Results are being recorded.

Results

0 of 32 Questions answered correctly

Your time:

Time has elapsed

You have reached 0 of 0 point(s), (0)

Earned Point(s): 0 of 0, (0)
0 Essay(s) Pending (Possible Point(s): 0)

Categories

Not categorized 0%

Next Test Main Menu

Question 1 of 32

1. Question
You have been tasked with auditing the vendor who provides a third-party billing server to a local healthcare provider. Which clause provides a legal pathway to verifying that the vendor maintains the agreed-upon standards?
- A. Evidence of internal audits
- B. Independent assessments
- C. Right-to-know clause
- D. Right-to-audit clause
Correct

Incorrect
Question 2 of 32

2. Question
A banking corporation is keen on gaining a competitive edge in the market by demonstrating its commitment to cybersecurity. They want an official attestation that their cybersecurity measures are robust and compliant with industry standards. What should it opt for to obtain this attestation?
- A. Feedback from customers on the bank’s app security
- B. Internal IT team’s report on cybersecurity practices
- C. External independent third-party audit
- D. Informal evaluation by a cybersecurity consultancy
Correct

Incorrect
Question 3 of 32

3. Question
Which type of reconnaissance involves tasks like DNS enumeration, public record searches, or social engineering tactics like phishing or pretexting?
- A. Involved reconnaissance
- B. Passive reconnaissance
- C. Active reconnaissance
- D. Integrated reconnaissance
Correct

Incorrect
Question 4 of 32

4. Question
Which type of detected behavior can indicate compromised accounts, risk of data infiltration, possible brute-force attempts, or the risk of malware infection or system compromise?
- A. Unexpected behavior
- B. Unintentional behavior
- C. Risky behavior
- D. Clandestine behavior
Correct

Incorrect
Question 5 of 32

5. Question
Identify the risk of detection and common techniques used for each type of penetration test by matching the penetration testing type in the left column to its corresponding risk of detection and common techniques.
Sort elements
- Risk of detection: high; Common techniques: blind scanning, social engineering
- Risk of detection: moderate; Common techniques: basic scanning, limited inside information
- Risk of detection: low; Common techniques: detailed scanning, source code analysis
- Unknown Environment
- Partially Known Environment
- Known Environment
Correct

Incorrect
Question 6 of 32

6. Question
Which phase in the penetration testing lifecycle involves the collection of as much information as possible about the target systems to find ways to infiltrate them?
- A. Planning
- B. Scanning
- C. Gaining access
- D. Reconnaissance
Correct

Incorrect
Question 7 of 32

7. Question
A leading technology conglomerate recently conducted a security exercise. The goal was for the internal security team to defend against a series of simulated attacks from an external red team. While the red team launched attacks, the internal team’s objective was to detect, respond, and mitigate those threats. What type of penetration testing is employed for its internal security team?
- A. Offensive penetration testing
- B. Passive penetration testing
- C. Defensive penetration testing
- D. Black box testing
Correct

Incorrect
Question 8 of 32

8. Question
Which of the following is included in the responsibilities of an internal audit committee?
- A. Identification, checklist creation, evaluation, action plan
- B. Regulatory audits, examination, assessment, approval
- C. Scope definition, data gathering, analysis, reporting
- D. Audit planning, review, oversight, accountability
Correct

Incorrect
Question 9 of 32

9. Question
How can an organization add a layer of scrutiny and accountability to the attestation process by assigning a top-level executive to the process?
- A. Meticulously documenting the process
- B. Reviewing and approving the process
- C. Evaluating the system or the process
- D. Applying the latest security patches to the system or the process
Correct

Incorrect
Question 10 of 32

10. Question
A marketing company collects personal data from users and determines how and why that data will be processed. At the same time, they engage an external company, CloudSolutions, to store and manage this data. In this scenario, what role does the marketing company play in relation to data protection regulations?
- A. Processor
- B. Data subject
- C. Controller
- D. Third-party provider
Correct

Incorrect
Question 11 of 32

11. Question
A large enterprise is setting up a new automation system that will allow various teams, including development, operations, and QA, to provision and configure their own environments. The security team is concerned about potential misconfigurations or excessive permissions being granted. Which solution can be used within the automation to ensure security standards are met without limiting the agility of the teams?
- A. Implementing a zero-trust model for all teams
- B. Manually reviewing all requests before provisioning
- C. Setting up guard rails within the automation scripts to define boundaries and prevent misconfigurations
- D. Disabling the automation system for all teams except the security team
Correct

Incorrect
Question 12 of 32

12. Question
Your firm takes corrective actions in response to compliance alerts. It implements more robust encryption protocols for customer data and revises its access control policies. Its automated platform documents these actions, showing a record of proactive measures taken over time to maintain compliance. Which process is being implemented in this scenario?
- A. Due care
- B. Due diligence
- C. Due controls
- D. Cybersecurity framework
Correct

Incorrect
Question 13 of 32

13. Question
How does a PCI-DSS compliance report demonstrate adherence to payment card industry data security standards by detailing how customer payment information is protected?
- A. Reviewing due diligence programs or internal accounting controls
- B. Specifying measures for safeguarding personal data and privacy rights within the European Union
- C. Providing proof that the sensitive data stored in the cloud is secured against unauthorized access or breaches
- D. Summarizing the documentation and testing of security controls
Correct

Incorrect
Question 14 of 32

14. Question
Which metric, which is similar to MTBF, denotes the number of failures per billion hours of operation to help anticipate the frequency of potential failures?
- A. Recovery time objective (RTO)
- B. Recovery point objective (RPO)
- C. Failure in time (FIT)
- D. Failure time operations (FTO)
Correct

Incorrect
Question 15 of 32

15. Question
How does mean time to repair (MTTR) help an organization understand the operational impact of repair times and guide the decision-making process?
- A. Finding cost-effective redundancy solutions
- B. Utilizing other KPIs to create a disaster recovery plan
- C. Quantifying the expected average time between failures
- D. Creating an impact plan to combat natural disasters
Correct

Incorrect
Question 16 of 32

16. Question
A risk report often includes an executive summary, detailed findings, recommendations and an _______________.
- A. action executables
- B. analysis of impact
- C. integrated business analytics
- D. action plan
Correct

Incorrect
Question 17 of 32

17. Question
Refer to the following IPS/IDS log example:

2023-09-23 13:45:32 ALERT SQL Injection detected from 192.168.1.4
2023-09-23 13:46:10 ALERT Brute-force attempt from 203.0.113.7

Which entry shows an attacker trying to get unauthorized access to the system?
- A. The brute-force attempt coming from 203.0.113.7
- B. The first log entry
- C. The time stamp showing the alert
- D. The SQL injection detected coming from 192.168.1.4
Correct

Incorrect
Question 18 of 32

18. Question
Two detergent companies want to engage in a joint marketing campaign. Which written document specifies a cooperative relationship that outlines responsibilities for each party in a non-legally binding agreement?
- A. Service-level agreement (SLA)
- B. Master service agreement (MSA)
- C. Memorandum of agreement (MOA)
- D. Business partners agreement (BPA)
Correct

Incorrect
Question 19 of 32

19. Question
A well-established technology company has been in the market for over 15 years. Recently, the board of directors decided that the company will pursue aggressive growth strategies by entering new, untested markets and launching cutting-edge products, even if these strategies come with significant risks. How would you classify the company’s risk appetite?
- A. Conservative
- B. Expansionary
- C. Neutral
- D. Risk-averse
Correct

Incorrect
Question 20 of 32

20. Question
A retail company has assessed that a security breach might result in a loss of $1 million in sales. The company has determined that it can tolerate a loss of up to $500,000, but anything beyond that would severely impact operations. To cover the potential financial loss beyond its tolerance level, it decided to purchase cybersecurity insurance. Which of the following terms best describes the $500,000 figure?
- A. Risk appetite
- B. Risk threshold
- C. Risk capacity
- D. Risk assessment
Correct

Incorrect
Question 21 of 32

21. Question
A healthcare organization uses a software platform to manage patient records. A recent vulnerability assessment identified a potential exploit where an unauthorized individual might access 30% of stored patient data. Which of the following best describes this scenario?
- A. The threat likelihood is 30%
- B. The vulnerability has a 30% rate of occurrence
- C. The exposure factor of the vulnerability is 30%
- D. 30% of the patients have been impacted
Correct

Incorrect
Question 22 of 32

22. Question
The change management procedure starts with a change request. At what point is the change implemented in a controlled, non-production environment?
- A. Planning phase
- B. Execution phase
- C. Testing phase
- D. Post-implementation phase
Correct

Incorrect
Question 23 of 32

23. Question
You want to determine how much an e-commerce web server’s downtime will cost your company annually. After gathering the required information, which risk assessment formula can be used to calculate the cost of downtime?
- A. SLE X ALE = ARO
- B. SLE X ARO = SLEARO
- C. SLE X ARO = ALE
- D. SLE X ARO = MTBF
Correct

Incorrect
Question 24 of 32

24. Question
An organization experiences an inherent risk if the correct ___________ is not in place. (Fill in the blank.)
- A. pursuit of value
- B. disaster recovery plan
- C. mitigation
- D. risk awareness procedure
Correct

Incorrect
Question 25 of 32

25. Question
What are the key responsibilities of an owner in the governance structure?
- A. Asset classification, policy formulation, risk response, compliance oversight, budget allocation, incident response
- B. Asset classification, policy formulation, risk assessment, compliance oversight, budget allocation, incident response
- C. Legal compliance, data quality, security measures, compliance oversight, budget allocation, incident response
- D. Data handling, security implementation, data accuracy, compliance oversight, budget allocation, incident response
Correct

Incorrect
Question 26 of 32

26. Question
A typical playbook begins with an incident identifications section. Which section comes next?
- A. Initial assessment section
- B. Response strategy outline
- C. Recovery section
- D. Restoration section
Correct

Incorrect
Question 27 of 32

27. Question
In order to implement and manage facility access, which physical security standard procedure should be in place requiring tracking and admittance rules?
- A. Surveillance
- B. Equipment security
- C. Visitor management
- D. Environmental controls
Correct

Incorrect
Question 28 of 32

28. Question
Which of the following is an appropriate example of endpoint security policy?
- A. All endpoints must block incoming traffic that is not explicitly required for the business.
- B. All sensitive customer data must be labeled “Confidential’ and encrypted.
- C. AES-256 bit encryption must be used for all data at rest.
- D. All endpoints must have updated antivirus software installed.
Correct

Incorrect
Question 29 of 32

29. Question
Which policy rule enables employees to enter into an agreement acknowledging they understand that unauthorized data sharing is prohibited?
- A. Information security policies (ISP)
- B. Acceptable use policies (AUP)
- C. Business continuity policies (BCP)
- D. Best practice policies (BPP)
Correct

Incorrect
Question 30 of 32

30. Question
Which type of report alerts you to three large data transfers to an external IP address within a short time raising suspicions for potential data exfiltration?
- A. Packet capture reports
- B. Dashboard reports
- C. Automated reports
- D. Network logs
Correct

Incorrect
Question 31 of 32

31. Question
Certain regulations and industries require longer retention times for vulnerability reports. What is the minimum period for retaining these reports?
- A. 60 months
- B. 40 months
- C. 12 months
- D. 24 months
Correct

Incorrect
Question 32 of 32

32. Question
Which type of metadata includes vital details required for a system to communicate or interact with a specific file and uphold the integrity of a digital file or object?
- A. Preservation metadata
- B. Structural metadata
- C. Descriptive metadata
- D. Provenance metadata
Correct

Incorrect

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

Current
Correct
Incorrect

About Us
Contact Us
Privacy Policy

CompTIA® is a registered trademark of the Computing Technology Industry Association, Inc. This website is not endorsed, affiliated, or approved by CompTIA Inc.

Quiz Summary

Information

Results

Results

Categories

1. Question

You have been tasked with auditing the vendor who provides a third-party billing server to a local healthcare provider. Which clause provides a legal pathway to verifying that the vendor maintains the agreed-upon standards?

2. Question

A banking corporation is keen on gaining a competitive edge in the market by demonstrating its commitment to cybersecurity. They want an official attestation that their cybersecurity measures are robust and compliant with industry standards. What should it opt for to obtain this attestation?

3. Question

Which type of reconnaissance involves tasks like DNS enumeration, public record searches, or social engineering tactics like phishing or pretexting?

4. Question

Which type of detected behavior can indicate compromised accounts, risk of data infiltration, possible brute-force attempts, or the risk of malware infection or system compromise?

5. Question

Identify the risk of detection and common techniques used for each type of penetration test by matching the penetration testing type in the left column to its corresponding risk of detection and common techniques.

Sort elements

6. Question

Which phase in the penetration testing lifecycle involves the collection of as much information as possible about the target systems to find ways to infiltrate them?

7. Question

8. Question

Which of the following is included in the responsibilities of an internal audit committee?

9. Question

How can an organization add a layer of scrutiny and accountability to the attestation process by assigning a top-level executive to the process?

10. Question

11. Question

12. Question

13. Question

How does a PCI-DSS compliance report demonstrate adherence to payment card industry data security standards by detailing how customer payment information is protected?

14. Question

Which metric, which is similar to MTBF, denotes the number of failures per billion hours of operation to help anticipate the frequency of potential failures?

15. Question

How does mean time to repair (MTTR) help an organization understand the operational impact of repair times and guide the decision-making process?

16. Question

A risk report often includes an executive summary, detailed findings, recommendations and an _______________.

17. Question

Refer to the following IPS/IDS log example:

Which entry shows an attacker trying to get unauthorized access to the system?

18. Question

Two detergent companies want to engage in a joint marketing campaign. Which written document specifies a cooperative relationship that outlines responsibilities for each party in a non-legally binding agreement?

19. Question

20. Question

21. Question

A healthcare organization uses a software platform to manage patient records. A recent vulnerability assessment identified a potential exploit where an unauthorized individual might access 30% of stored patient data. Which of the following best describes this scenario?

22. Question

The change management procedure starts with a change request. At what point is the change implemented in a controlled, non-production environment?

23. Question

You want to determine how much an e-commerce web server’s downtime will cost your company annually. After gathering the required information, which risk assessment formula can be used to calculate the cost of downtime?

24. Question

An organization experiences an inherent risk if the correct ___________ is not in place. (Fill in the blank.)

25. Question

What are the key responsibilities of an owner in the governance structure?

26. Question

A typical playbook begins with an incident identifications section. Which section comes next?

27. Question

In order to implement and manage facility access, which physical security standard procedure should be in place requiring tracking and admittance rules?

28. Question

Which of the following is an appropriate example of endpoint security policy?

29. Question

Which policy rule enables employees to enter into an agreement acknowledging they understand that unauthorized data sharing is prohibited?

30. Question

Which type of report alerts you to three large data transfers to an external IP address within a short time raising suspicions for potential data exfiltration?

31. Question

Certain regulations and industries require longer retention times for vulnerability reports. What is the minimum period for retaining these reports?

32. Question

Which type of metadata includes vital details required for a system to communicate or interact with a specific file and uphold the integrity of a digital file or object?