Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on subdomain 5.4 (Summarize elements of effective security compliance) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.


 

#1. A security administrator at a mid-sized healthcare provider must submit an annual document to the national regulator showing the organization’s adherence to data-protection controls and remediation of deficiencies. Which activity BEST describes what the administrator is preparing?

#2. Your organization missed a mandated privacy assessment deadline and continued processing customer data without required controls. The CISO asks what tangible outcomes the board should anticipate. Which set BEST aligns with compliance consequences?

#3. A security manager rolls out an annual “read-and-sign” of the information security policy and AUP for all employees, tracked in the LMS. What is the PRIMARY compliance purpose of this control?

#4. Your company provides a SaaS platform that processes customer PII strictly under each client’s instructions and data-retention schedule. In privacy terms, your company is acting as the:

#5. An EU customer submits a request to permanently remove their personal data from your systems unless retention is legally required. Which compliance concept does this invoke?

#6. Your organization wants a proactive activity to verify adherence to internal policies without involving regulators. Which option BEST fits?

#7. A compliance lead is designing controls to demonstrate ongoing due diligence/care. Which action BEST supports this aim?

#8. A retailer preparing for an external assessment realizes it cannot map which systems store PII or how long each dataset is retained. Which compliance workstream should be prioritized?

#9. During a privacy workshop, a product leader claims the company “owns” customer personal data. The privacy officer corrects them. In compliance terms, who holds the rights over personal data?

#10. An e-discovery request requires that email archives be preserved beyond their normal 7-year deletion schedule. Which compliance concept BEST applies in this situation?

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.


Answers

#1 (Answer: A). A security administrator at a mid-sized healthcare provider must submit an annual document to the national regulator showing the organization’s adherence to data-protection controls and remediation of deficiencies. Which activity BEST describes what the administrator is preparing?

A. External compliance reporting to a regulator (Correct): The scenario describes the administrator preparing an annual document for a national regulator to show adherence to data protection controls. This is the definition of external compliance reporting, which involves formally submitting evidence to an outside governing body to demonstrate compliance with a law or regulation.

B. Internal compliance attestation to the audit committee (Incorrect): This activity involves reporting to an internal body, such as an audit committee, not an external regulator. While similar, the destination of the report is different.

C. Security operations weekly metrics report (Incorrect): A security operations report typically focuses on operational metrics, like incident response times or alert volumes, and is usually generated more frequently than annually for an internal audience.

D. Independent third-party penetration test summary (Incorrect): A penetration test summary is a report on the findings of a specific security test. While it may be used as supporting evidence, it is not the annual, comprehensive document submitted to a regulator.
#2 (Answer: A). Your organization missed a mandated privacy assessment deadline and continued processing customer data without required controls. The CISO asks what tangible outcomes the board should anticipate. Which set BEST aligns with compliance consequences?

A. Fines, sanctions, reputational damage, loss of license, contractual impacts (Correct): These are the most common and direct consequences of a failure to comply with privacy regulations. Regulatory bodies can levy significant fines and sanctions. This can lead to severe reputational damage, loss of customer trust, and in extreme cases, a loss of license to operate. Non-compliance can also trigger contractual impacts with business partners who have their own compliance requirements.

B. Service degradation, increased MTTR, reduced MTTF (Incorrect): These are metrics related to IT service reliability and availability. While a lack of security controls could eventually lead to these issues, they are not the primary, direct consequences of a compliance failure.

C. Higher capital expenditure and slower deployments (Incorrect): These are business consequences that might result from implementing new security and compliance controls, not from the failure to adhere to them.

D. More false positives in the SIEM and alert fatigue (Incorrect): These are operational problems for a security team. They are not the high-level, tangible consequences that a board would be concerned with after a compliance failure.
#3 (Answer: B). A security manager rolls out an annual “read-and-sign” of the information security policy and AUP for all employees, tracked in the LMS. What is the PRIMARY compliance purpose of this control?

A. Incident response preparation (Incorrect): While policy awareness is a component of overall security, this activity is a passive acknowledgment. Active incident response preparation involves training, drills, and established procedures, not just a document signing.

B. Attestation and acknowledgement as part of compliance monitoring (Correct): The primary compliance purpose of a “read-and-sign” policy is to obtain a formal attestation from each employee that they have read and understood the security policy and AUP. The tracking in the LMS provides a documented audit trail, which is essential for compliance monitoring and demonstrating to auditors or regulators that the organization has met its obligation to inform and train its personnel.

C. Vulnerability management baseline (Incorrect): A vulnerability management baseline is a set of technical standards and controls for systems and software. It is completely unrelated to employee policy acknowledgement.

D. Forensics readiness (Incorrect): Forensics readiness involves ensuring a system is prepared for a digital forensics investigation (e.g., through proper logging and data retention). This is a technical control and is not the purpose of an employee policy acknowledgement.
#4 (Answer: C). Your company provides a SaaS platform that processes customer PII strictly under each client’s instructions and data-retention schedule. In privacy terms, your company is acting as the:

A. Data subject (Incorrect): The data subject is the individual person whose data is being processed (e.g., the customer). The company is not the data subject.

B. Controller (Incorrect): The data controller is the entity that determines the purposes and means of the data processing. In this scenario, your client is the data controller, as they are providing the instructions.

C. Processor (Correct): The company is acting as a data processor. A data processor is an entity that processes personal data on behalf of and according to the instructions of a data controller. Because your company is processing the PII strictly under your client’s instructions, it fits this role precisely.

D. Owner of record (Incorrect): This is not a standard or legally defined term in the context of data privacy regulations like GDPR or CCPA.
#5 (Answer: D). An EU customer submits a request to permanently remove their personal data from your systems unless retention is legally required. Which compliance concept does this invoke?

A. Data minimization (Incorrect): Data minimization is the principle of only collecting the minimum amount of personal data necessary for a specific purpose. It is a proactive design principle, not a response to a deletion request.

B. Legal hold (Incorrect): A legal hold is a process where an organization suspends its data-retention and destruction policies to preserve data that may be relevant to an upcoming legal case. This is the opposite of a request to delete data.

C. Purpose limitation (Incorrect): Purpose limitation means that data collected for one purpose cannot be used for a different, unrelated purpose. This principle relates to the use of data, not its deletion.

D. Right to be forgotten (Correct): The “right to be forgotten,” also known as the right to erasure, is a core principle of the EU’s General Data Protection Regulation (GDPR). It gives individuals the right to have their personal data deleted by a data controller under certain conditions, such as when the data is no longer necessary for its original purpose or when the individual withdraws their consent.
#6 (Answer: C). Your organization wants a proactive activity to verify adherence to internal policies without involving regulators. Which option BEST fits?

A. Conduct a regulatory examination (Incorrect): A regulatory examination is performed by an external regulator to verify compliance with laws. This directly contradicts the requirement to not involve regulators.

B. Perform independent third-party audit (Incorrect): While an independent audit is a valid form of verification, it involves an external party and is often conducted to satisfy a regulatory or contractual requirement, making it less of a purely internal control.

C. Run quarterly self-assessments overseen by the audit committee (Correct): A self-assessment is a proactive internal activity where the organization verifies its own adherence to its policies and standards. The oversight by the audit committee ensures accountability. This process is designed to find and fix issues internally without involving external parties, such as regulators.

D. Commission a red-team exercise (Incorrect): A red-team exercise is a simulated attack used to test an organization’s security defenses and response capabilities. Its primary purpose is not to verify adherence to administrative or operational policies.
#7 (Answer: A). A compliance lead is designing controls to demonstrate ongoing due diligence/care. Which action BEST supports this aim?

A. Documenting controls and using automation to continuously verify adherence (Correct): This is the BEST way to demonstrate ongoing due diligence and care. Documenting controls proves that the organization has a plan, and using automation to continuously verify that those controls are working provides an auditable record of ongoing action. This is far more robust than one-time or reactive activities.

B. Accepting all medium risks via an exception memo (Incorrect): This is a risk acceptance strategy, not a demonstration of due diligence. By accepting risks, the organization is choosing not to take action, which is the opposite of due diligence.

C. Only publishing an annual security whitepaper (Incorrect): A whitepaper is a marketing or informational document. It does not provide auditable evidence of the company’s security practices or demonstrate ongoing due diligence.

D. Tracking SIEM alerts for 90 days then deleting them (Incorrect): This is a basic log-retention practice. While it is a part of a security program, it’s a very limited and insufficient activity to represent comprehensive, ongoing due diligence across an entire organization’s controls.
#8 (Answer: B). A retailer preparing for an external assessment realizes it cannot map which systems store PII or how long each dataset is retained. Which compliance workstream should be prioritized?

A. Asset tagging of network switches (Incorrect): This activity focuses on hardware inventory at the network level. It does not provide the necessary information about what specific data is stored on a system or its retention period.

B. Data inventory and retention (Correct): The core problem is the inability to know where Personally Identifiable Information (PII) is located and how long it is kept. A data inventory is the process of discovering and cataloging all data, its location, and its attributes. Implementing a data retention policy defines how long different types of data should be stored. Prioritizing these two workstreams directly addresses the deficiencies and is essential for any privacy-related assessment.

C. Endpoint hardening baseline (Incorrect): Hardening involves securing individual systems by disabling unnecessary services and closing vulnerabilities. This is a security control, not a process for mapping data locations and flows.

D. Vulnerability scanning cadence (Incorrect): Vulnerability scanning is a technical process for identifying security weaknesses in systems. It does not help to identify the location of specific data types or their retention requirements.
#9 (Answer: A). During a privacy workshop, a product leader claims the company “owns” customer personal data. The privacy officer corrects them. In compliance terms, who holds the rights over personal data?

A. The data subject (Correct): In modern data privacy compliance, the individual person (the data subject) holds the rights over their personal data. An organization that collects and processes this data acts as a steward or custodian, not an owner. The data subject retains fundamental rights, such as the right to access, correct, or request the deletion of their data.

B. The processor (Incorrect): The data processor is a third-party entity that processes data on behalf of the data controller. It has a legal obligation to protect the data but holds no rights over it.

C. The controller (Incorrect): The data controller is the entity that determines the purpose and means of processing personal data. While the controller has significant responsibilities, they do not “own” the data; the rights remain with the data subject.

D. The custodian (Incorrect): The custodian is a general term for the individual or team responsible for the security and maintenance of the data. This is a role of care, not a legal title of ownership.
#10 (Answer: C). An e-discovery request requires that email archives be preserved beyond their normal 7-year deletion schedule. Which compliance concept BEST applies in this situation?

A. Right to be forgotten (Incorrect): This is a data privacy concept that grants individuals the right to have their personal data deleted. It is the opposite of a legal hold.

B. Data minimization (Incorrect): Data minimization is the principle of collecting and retaining only the data that is necessary for a specific purpose. A legal hold is a specific exception to this principle.

C. Legal hold (Correct): A legal hold, also known as a litigation hold, is a process used to preserve relevant data when litigation or an investigation is anticipated. This legal directive overrides standard data retention and deletion policies, requiring that data (like email archives) be preserved beyond their normal schedule for a specific period.

D. Attestation (Incorrect): Attestation is a formal statement or confirmation that something is true. While an organization may attest to a legal hold, attestation itself is not the legal concept requiring the data preservation.