Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on subdomain 5.3 (Explain the processes associated with third-party risk assessment and management.) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.


#1. A security administrator at a mid-sized company is evaluating a SaaS HR platform that will store PII for 2,000 employees. Legal wants the contract to allow the company to verify the provider’s controls on demand, especially after material incidents. Which contractual element BEST addresses this requirement?


#2. A security administrator at a mid-sized company is contracting a managed detection and response (MDR) provider. Mid-project, the company decides to add 24×7 threat hunting and adjust the delivery timeline. Which document should be updated FIRST to reflect scope and schedules?


#3. Your organization is selecting between two managed SOC providers. One offers self-published “security posture summaries.” The other shares recent penetration testing reports performed by an external firm. Which evidence provides the STRONGEST basis for vendor assessment?


#4. A SOC analyst observes that the organization’s SaaS backup provider stores daily replicas in a region where the organization is prohibited from keeping healthcare data. The provider explains that a subcontractor handles replication. What third-party risk process should have identified this issue BEFORE go-live?


#5. Your company is crafting a document for a new endpoint-management rollout by an MSP. The document will define deliverables, milestones, acceptance criteria, and pricing for that specific project. Which agreement type is MOST appropriate?


#6. A security manager must ensure the new e-commerce payment gateway maintains 99.99% uptime, with defined escalation paths and credits if the provider fails to meet targets. Which agreement best addresses this requirement?


#7. A security administrator at a regional bank wants to perform a live red-team exercise against an MSSP’s monitoring stack to validate detection coverage. Which preparatory artifact is MOST critical to establish boundaries, timing, and legal protections?


#8. Your organization signed an MSA with a software vendor last year. You now need to add a discrete project to build a custom API integration with specific milestones and acceptance tests. Which combination BEST reflects how to proceed?


#9. Your company is evaluating a startup that will receive customer telemetry. Before awarding the contract, the security team sends a detailed survey requesting evidence about encryption, key management, incident response, and use of sub-processors. What third-party risk activity does this represent?


#10. Your organization and a regional ISP plan to share limited network telemetry during DDoS incidents. The relationship is cooperative, non-binding, and meant to establish intent and responsibilities at a high level before a formal contract. Which agreement fits BEST?


Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.


Answers

Question 1. Correct answer: B

A security administrator at a mid-sized company is evaluating a SaaS HR platform that will store PII for 2,000 employees. Legal wants the contract to allow the company to verify the provider’s controls on demand, especially after material incidents. Which contractual element BEST addresses this requirement?

A. Indemnification clause (Incorrect): An indemnification clause requires one party to compensate the other for specified losses or damages. While important for financial protection, it does not grant the company the right to verify the provider’s security controls directly.

B. Right-to-audit clause (Correct): A right-to-audit clause is a contractual provision that grants a customer the right to audit the provider’s security controls, compliance, and records. This clause directly addresses the company’s need to verify the SaaS provider’s controls on demand, particularly after a material incident that could impact employee PII.

C. Force majeure clause (Incorrect): A force majeure clause excuses a party from fulfilling its contractual obligations when a major event (e.g., natural disaster, war) makes performance impossible or impracticable. This is unrelated to the verification of security controls.

D. Non-compete clause (Incorrect): A non-compete clause prevents one party (e.g., a former employee or vendor) from competing with the other party’s business for a specified period. This is a business provision and has no relevance to security audits.
Question 2. Correct answer: A

A security administrator at a mid-sized company is contracting a managed detection and response (MDR) provider. Mid-project, the company decides to add 24×7 threat hunting and adjust the delivery timeline. Which document should be updated FIRST to reflect scope and schedules?

A. Statement of Work (SOW) (Correct): The Statement of Work (SOW) is the document that details the specific project activities, deliverables, scope, and timelines. When a company wants to add new services (24×7 threat hunting) and adjust the delivery schedule, the SOW is the primary document that needs to be updated to formally reflect these changes to the project’s scope.

B. Master Service Agreement (MSA) (Incorrect): The MSA is the overarching contract that defines the general terms and conditions of the business relationship between the company and the provider. While a new SOW would be a part of the MSA, the MSA itself does not contain the project-specific details that need to be changed.

C. Service-level Agreement (SLA) (Incorrect): The SLA defines the performance metrics and penalties for the service provider. While the new services might have a new SLA, the SLA itself does not define the project scope or schedule.

D. Non-Disclosure Agreement (NDA) (Incorrect): An NDA is a legal contract that protects confidential information. It is unrelated to the project’s scope, deliverables, or timeline.
Question 3. Correct answer: C

Your organization is selecting between two managed SOC providers. One offers glossy marketing and self-published “security posture summaries.” The other shares recent penetration testing reports performed by an external firm. Which evidence provides the STRONGEST basis for vendor assessment?

A. Internal audit certificates produced by the vendor (Incorrect): Internal audits are conducted by the vendor’s own team. While they show some level of diligence, they lack the objectivity and rigor of an independent, third-party assessment.

B. A vendor-authored whitepaper about its SIEM tuning (Incorrect): A whitepaper is a marketing tool. It is written and published by the vendor to promote its services and expertise. It is not an objective assessment of its security posture or effectiveness.

C. Independent assessments performed by a third party (Correct): Independent assessments such as a recent penetration testing report from an external firm provide the strongest evidence. This is because a third-party, unbiased firm has objectively verified the vendor’s security posture, controls, and capabilities. This evidence is far more trustworthy than self-published claims or marketing materials.

D. Customer testimonials on a review site (Incorrect): While customer testimonials can provide insight into a vendor’s service quality and customer support, they are often subjective and do not provide a technical, objective assessment of the vendor’s security capabilities. They can also be curated or fabricated.
Question 4. Correct answer: A

A SOC analyst observes that the organization’s SaaS backup provider stores daily replicas in a region where the organization is prohibited from keeping healthcare data. The provider explains that a subcontractor handles replication. What third-party risk process should have identified this issue BEFORE go-live?

A. Supply chain analysis (Correct): Supply chain analysis is the process of evaluating the risks associated with all third parties, including vendors and their subcontractors. A thorough supply chain analysis would have identified that the SaaS provider uses a subcontractor who operates in a prohibited region, revealing the non-compliance issue with data residency requirements before the service went live.

B. Business impact analysis (Incorrect): A business impact analysis (BIA) identifies critical business functions and the impact of their disruption. While it helps a company understand the importance of its data, it does not assess the security practices or locations of a third-party vendor’s subcontractors.

C. Data classification (Incorrect): Data classification is the process of organizing data into categories based on its sensitivity. The company may have already classified the data as healthcare data, but this process itself would not have identified the third-party’s non-compliant storage location.

D. Secure coding review (Incorrect): A secure coding review is a software development practice to identify vulnerabilities in an application’s source code. It is completely unrelated to a provider’s data storage locations or its use of subcontractors.
Question 5. Correct answer: C

Your company is crafting a document for a new endpoint-management rollout by an MSP. The document will define deliverables, milestones, acceptance criteria, and pricing for that specific project. Which agreement type is MOST appropriate?

A. Service-level agreement (SLA) (Incorrect): An SLA defines the performance metrics, quality standards, and penalties for a service. While it would be part of the overall agreement, it does not define the project’s specific deliverables or scope.

B. Master service agreement (MSA) (Incorrect): An MSA is a high-level, overarching contract that sets the general terms and conditions of the business relationship between two parties. It serves as a framework, while a SOW is used for the specific project details.

C. Statement of work / work order (SOW/WO) (Correct): A Statement of Work (SOW), or a Work Order (WO), is the specific document that details the deliverables, milestones, acceptance criteria, and pricing for a single project or task. It is used to define the scope and specifics of a new project that falls under the general terms of an existing master agreement.

D. Non-disclosure agreement (NDA) (Incorrect): An NDA is a legal contract that protects confidential information. It is unrelated to defining the scope, deliverables, or pricing of a project.
Question 6. Correct answer: C

A security manager must ensure the new e-commerce payment gateway maintains 99.99% uptime, with defined escalation paths and credits if the provider fails to meet targets. Which agreement best addresses this requirement?

A. Memorandum of understanding (MOU) (Incorrect): An MOU is a non-binding agreement that outlines a general understanding between two or more parties. It lacks the legal enforceability and specific performance metrics of an SLA.

B. Business partners agreement (BPA) (Incorrect): A BPA is a legal contract between business partners. While it may contain an SLA, the BPA itself is the broader agreement that defines the entire relationship, not just the performance metrics of a specific service.

C. Service-level agreement (SLA) (Correct): A Service-level agreement (SLA) is the specific document that defines the performance metrics, such as a 99.99% uptime target, and the consequences for failing to meet them, such as escalation paths and service credits. The SLA is a core component of a contract that holds a provider accountable for performance.

D. Master service agreement (MSA) (Incorrect): An MSA is the overarching contract that defines general terms and conditions for a business relationship. It provides the framework, but the specific performance targets for a service like 99.99% uptime would be detailed in a separate SLA attached to or referenced by the MSA.
Question 7. Correct answer: B

A security administrator at a regional bank wants to perform a live red-team exercise against an MSSP’s monitoring stack to validate detection coverage. Which preparatory artifact is MOST critical to establish boundaries, timing, and legal protections?

A. Purchase order (Incorrect): A purchase order is a commercial document that authorizes a financial transaction. It confirms the purchase of the service but does not detail the technical scope or legal specifics of the exercise itself.

B. Rules of Engagement (Correct): The Rules of Engagement (ROE) is the most critical preparatory artifact for a red-team exercise. It is a highly specific document that defines the legal authority, boundaries, timing, and methodology of the test. The ROE is essential for ensuring that the authorized attack remains within its scope and does not cause unintended harm.

C. Privacy impact assessment (Incorrect): A Privacy Impact Assessment (PIA) is used to identify and mitigate privacy risks associated with a project. While relevant to the overall exercise, it does not define the specific technical boundaries or legal protections.

D. System security plan (Incorrect): A system security plan is a document that provides an overview of a system’s security requirements and controls. It describes the system’s security posture but does not govern the conduct of a red-team exercise.
Question 8. Correct answer: B

Your organization signed an MSA with a software vendor last year. You now need to add a discrete project to build a custom API integration with specific milestones and acceptance tests. Which combination BEST reflects how to proceed?

A. Amend the NDA and add uptime targets (Incorrect): An NDA is for confidentiality and is unrelated to project scope. Uptime targets are part of a Service-Level Agreement (SLA), not an NDA.

B. Create a new SOW under the existing MSA (Correct): This is the standard and most efficient way to add a new project. The Master Service Agreement (MSA) establishes the overarching legal and business terms for the entire relationship. A Statement of Work (SOW) is the specific document that defines the scope, deliverables, milestones, and acceptance criteria for a new, discrete project that falls under the MSA’s framework.

C. Replace the MSA with an SLA (Incorrect): An SLA defines performance metrics, not the scope of a new project. It is a supplement to, not a replacement for, the MSA.

D. Issue a BPA to supersede all prior agreements (Incorrect): A Business Partners Agreement (BPA) is a broad contract for a business partnership. It is not the appropriate or typical document for defining a specific project with an existing vendor.
Question 9. Correct answer: D

Your company is evaluating a startup that will receive customer telemetry. Before awarding the contract, the security team sends a detailed survey requesting evidence about encryption, key management, incident response, and use of sub-processors. What third-party risk activity does this represent?

A. Vendor monitoring (Incorrect): Vendor monitoring is an ongoing activity that takes place after a vendor is under contract. It involves continuously tracking a vendor’s security posture for changes and new risks.

B. Compliance examination (Incorrect): While related, a compliance examination is a more formal and typically more in-depth audit or review. The scenario describes a specific tool for initial due diligence—a questionnaire—which is a part of a broader vendor assessment.

C. Penetration testing (Incorrect): Penetration testing is an active, hands-on security assessment that involves trying to exploit vulnerabilities. The scenario describes a passive, document-based request for information.

D. Questionnaires during vendor assessment (Correct): The activity described is a core part of a vendor assessment, also known as third-party due diligence. Security teams use detailed questionnaires to collect information and evidence about a potential vendor’s security controls and practices before a contract is awarded to identify and quantify risks.
Question 10. Correct answer: B

Your organization and a regional ISP plan to share limited network telemetry during DDoS incidents. The relationship is cooperative, non-binding, and meant to establish intent and responsibilities at a high level before a formal contract. Which agreement fits BEST?

A. Memorandum of agreement (MOA) (Incorrect): An MOA is a more formal and legally binding document than an MOU. It is typically used after an MOU to detail and formalize the specific actions and obligations of each party.

B. Memorandum of understanding (MOU) (Correct): A Memorandum of Understanding (MOU) is the best fit. It is a non-binding agreement between two or more parties that outlines their cooperative relationship and establishes a mutual understanding of their intentions and responsibilities. It is often used as a preliminary step before drafting a more formal, legally binding contract.

C. Business partners agreement (BPA) (Incorrect): A BPA is a legal contract that establishes a commercial relationship between two or more business partners. It is a binding agreement and is too formal for the cooperative, non-binding relationship described.

D. Non-disclosure agreement (NDA) (Incorrect): An NDA is a legal contract that protects confidential information shared between parties. While it may be a component of a larger agreement, its sole purpose is confidentiality, not outlining a cooperative relationship and shared responsibilities.