Welcome to today’s practice test!
Today’s practice test is based on Domain 5.1 (Summarize elements of effective security governance.) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. A security administrator at a large healthcare organization is tasked with ensuring that sensitive data is handled in accordance with industry regulations. Which of the following documents best supports this requirement?
#2. A global company must adhere to differing data privacy laws across regions. Which governance element addresses this challenge?
#3. A company implements a policy that limits data access to employees based on their job roles. What type of governance is being applied?
#4. During a security audit, the auditor requests documentation for disaster recovery testing. Which type of document should be provided?
#5. A company is restructuring and centralizing all IT functions. What governance structure is being adopted?
#6. A newly appointed Chief Security Officer is reviewing roles. Who is typically responsible for defining the sensitivity level of data?
#7. An IT team member mistakenly deleted critical files. Which governance element ensures procedures are in place to recover them?
#8. A security administrator is writing a playbook for ransomware incidents. Which governance category does this fall under?
#9. A multinational company is reviewing acceptable device use for employees. What document outlines this?
#10. A regulator asks an enterprise to show it performed regular updates to its data retention policies. This is an example of which governance activity?
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
CompTIA Security+ practice tests for other days are available on this site. To view answers and explanations for today’s questions, see the Answers section below.
Answers
Number | Answer | Explanation |
---|---|---|
1 | C | Information security policy outlines how data, including sensitive data, must be protected in compliance with industry regulations. BCP refers to maintaining operations during disruption. AUP governs user behavior but doesn’t outline regulatory compliance. Incident response playbook deals with incident handling, not ongoing compliance. |
2 | B | External considerations include legal, regulatory, and industry-specific requirements essential for global compliance. Local standards and internal compliance committees are narrower in scope. Password policy enforcement is a technical control, not governance. |
3 | A | Role-based access control policy directly relates to limiting access according to roles. AUP addresses user behavior. Encryption standard and change management procedure are unrelated to role-based access. |
4 | C | Disaster recovery testing requires detailed, step-by-step instructions on how the test was performed. These “how-to” guides are called procedures. Change control records document system modifications, not the testing process itself. Incident response playbook details actions for security incidents, distinct from disaster recovery. Standards state what needs to be achieved (e.g., recovery time objectives), not how the test was conducted. |
5 | C | When a company consolidates all IT functions under one central authority, it’s adopting a centralized governance structure, providing unified control and decision-making. Federated involves a mix of central control and local autonomy, not full centralization. A hybrid model combines elements of centralized and decentralized, not a complete centralization. A decentralized structure pushes IT decision-making and functions out to individual departments or business units, the opposite of centralizing. |
6 | B | The Data Owner (often a business unit head or executive) is ultimately accountable for the data’s integrity, availability, and confidentiality, and thus defines its sensitivity level based on its business value and regulatory requirements. Data Processor handles data on behalf of the Data Owner but does not determine its sensitivity. A Data Steward focuses on data quality, metadata, and access rules, often implementing the Data Owner’s policies, but typically doesn’t define initial sensitivity. A System Administrator manages the infrastructure where data resides. They implement security controls based on defined sensitivity, but don’t define the sensitivity level itself. |
7 | D | A Disaster Recovery Plan outlines the procedures and processes to restore IT infrastructure and data after a significant disruptive event, including accidental data loss, ensuring recovery from critical file deletions. Business Continuity Policy focuses on maintaining essential business functions during and after a disruption, but not the detailed technical steps for data recovery. Acceptable Use Policy defines how users can use IT resources, aiming to prevent misuse, not to recover from it. Incident Response Plan outlines steps for managing and containing security incidents (like a breach), but typically doesn’t detail the technical recovery of deleted files in the way a DR plan does. |
8 | D | A playbook for ransomware incidents contains detailed, step-by-step instructions on how to respond. These “how-to” documents are called procedures. Guidelines offer recommendations or advice, which are less strict and detailed than a playbook’s required actions. Policies are high-level statements of what must be done (e.g., “we will have a ransomware response plan”), not the granular steps of how to do it. Standards specify mandatory requirements (e.g., “all ransomware playbooks must include X, Y, and Z elements”), but not the full operational steps themselves. |
9 | A | An Acceptable Use Policy (AUP) explicitly outlines what employees can and cannot do with the company’s IT resources, including devices, networks, and data. A Non-Disclosure Agreement (NDA) is a legal contract protecting confidential information. A Memorandum of Understanding (MOU) is a non-binding agreement between two or more parties. A Disaster Recovery Plan (DRP) details procedures for restoring operations after a major disruption. |
10 | C | The regulator’s request directly pertains to ensuring policies are reviewed and updated as needed over time. This ongoing review and modification of policies based on changing needs or regulations is the essence of policy monitoring and revision. Change management is a broader process for controlling changes to IT systems, infrastructure, or processes. While updating a policy might go through a change management process, the act of proving regular updates to the policy itself is a policy governance activity, not the general change process. Standards development refers to the creation of detailed, mandatory requirements (standards) that support policies. The question is about updating existing policies, not creating new standards. Regulatory impact analysis is the process of assessing how new or changing regulations will affect the organization. While a regulatory impact analysis might trigger a policy revision, the act of showing regular updates to existing policies is the policy governance activity. |