Welcome to today’s CompTIA Security+ practice test!
Today’s practice test is based on subdomain 1.1 (Compare and contrast various types of security controls) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. A security administrator at a mid-sized financial company configures the perimeter firewall to block all inbound traffic except HTTPS connections on port 443. The goal is to ensure that only secure, encrypted traffic reaches the public-facing servers while blocking everything else. Which type of control is this?
A. Detective
B. Preventive
C. Corrective
D. Compensating

#2. A healthcare organization installs CCTV cameras at every hallway intersection and posts signs informing staff and visitors that video surveillance is in use. The cameras store video feeds for later review, and the signs are prominently displayed to discourage malicious activity. Which type of control is best represented by this scenario?
A. Detective
B. Preventive
C. Deterrent
D. Directive

#3. A company requires all new employees to complete a mandatory cybersecurity awareness program that covers phishing, password hygiene, and data handling best practices. Employees are also tested periodically to ensure knowledge retention. Which category of control does this best represent?
A. Operational
B. Technical
C. Physical
D. Corrective

#4. A security officer at a large manufacturing facility installs badge-access locks and a mantrap system at the entrance to the company’s secure R&D area. These systems ensure that only authorized employees can physically access the restricted zone, and entry logs are stored for later review. Which control category does this represent?
A. Managerial
B. Technical
C. Operational
D. Physical

#5. During an investigation, a SOC analyst notices suspicious login attempts and uses SIEM alerts to confirm that multiple failed authentications originated from a foreign IP. The system logs captured the details and generated automated alerts for review. Which control type is illustrated here?
A. Detective
B. Preventive
C. Corrective
D. Directive

#6. After a ransomware attack encrypts several shared drives, the IT team restores affected data from secure, offline backups. Within hours, normal operations are restored with minimal data loss. Which type of control is this?
A. Preventive
B. Detective
C. Corrective
D. Compensating

#7. Due to vendor restrictions, a company cannot implement multifactor authentication on its legacy ERP system. Instead, administrators enforce strict password rotation policies, enable real-time monitoring, and implement additional logging. What type of control is being applied in this case?
A. Corrective
B. Preventive
C. Compensating
D. Directive

#8. Before being granted access to corporate systems, all employees must sign an acceptable use policy (AUP) that clearly states the rules for handling company data and consequences for violations. Which control type does this represent?
A. Preventive
B. Directive
C. Detective
D. Compensating

#9. A security architect designs a new system where all user passwords are stored using bcrypt hashing with salts. This ensures that even if the password database is compromised, credentials cannot easily be reversed. Which category of security control does this best represent?
A. Technical
B. Operational
C. Physical
D. Managerial

#10. A multinational company implements geofencing rules on its VPN system so that logins are only permitted from countries where the company operates. Attempts from other regions are automatically blocked, even if the username and password are correct. Which type of security control is this?
A. Preventive
B. Detective
C. Compensating
D. Corrective
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | B | A. Detective (Incorrect): A detective control identifies a security event after it has happened (e.g., an intrusion detection system). The firewall rule’s purpose is to block, not detect and alert. B. Preventive (Correct): This is a preventive control. The firewall rule is designed to actively stop a security event (in this case, unauthorized or unencrypted traffic) from occurring. Its purpose is to prevent an attack or policy violation from reaching its target. C. Corrective (Incorrect): A corrective control is designed to restore a system to a secure state after an event (e.g., restoring from a backup). This is a post-incident action. D. Compensating (Incorrect): A compensating control is an alternative control used when a primary control is not feasible. The firewall rule is a primary, foundational security control. |
| 2 | C | A. Detective (Incorrect): While the CCTV cameras themselves can also function as a detective control (by capturing evidence for later review), their prominent placement along with the signs is primarily intended to be a deterrent, discouraging the malicious act from happening in the first place. B. Preventive (Incorrect): A preventive control physically stops an event from happening (e.g., a locked door). The cameras and signs do not physically prevent an action; they simply discourage it. C. Deterrent (Correct): The combination of visible CCTV cameras and prominent signs is a classic example of a deterrent control. A deterrent control is designed to discourage or dissuade a potential attacker from attempting a security violation by making the potential consequences of their actions known. The signs explicitly state this purpose. D. Directive (Incorrect): A directive control is a policy or rule that dictates behavior (e.g., a “no smoking” sign). While the sign is a directive, its security purpose in this context is to deter. |
| 3 | A | A. Operational (Correct): This is an operational or administrative control. Operational controls are the policies, procedures, and training programs that are implemented and managed by people as part of an organization’s day-to-day operations. A mandatory cybersecurity awareness program is a prime example, as it is a procedural control designed to influence human behavior to reduce risk. B. Technical (Incorrect): A technical control uses technology to enforce security policies, such as firewalls, intrusion detection systems, or encryption. The awareness program is not a technology-based control. C. Physical (Incorrect): A physical control is a tangible barrier or mechanism used to protect physical assets, such as fences, locks, or security guards. D. Corrective (Incorrect): A corrective control is designed to restore a system to a secure state after an incident has occurred. The awareness program is a proactive measure meant to prevent incidents from happening. |
| 4 | D | A. Managerial (Incorrect): Managerial controls are policies, procedures, and governance frameworks that are used to manage risk (e.g., a data retention policy). B. Technical (Incorrect): Technical controls use technology to protect information and systems (e.g., firewalls, antivirus software, encryption). While a badge reader is a technology, its purpose is to enforce a physical control. C. Operational (Incorrect): Operational controls are day-to-day procedures and practices carried out by people (e.g., a clean desk policy or security awareness training). The mantrap system and locks are security mechanisms, not procedures. D. Physical (Correct): The badge-access locks and mantrap system are examples of physical security controls. These controls are tangible mechanisms designed to protect physical assets and restrict unauthorized access to secure areas. |
| 5 | A | A. Detective (Correct): This scenario illustrates a detective control. Detective controls are designed to identify a security event or incident after it has occurred. The system logs that captured the failed authentications and the SIEM alerts that notified the analyst are examples of controls that are used to discover an attack in progress or after the fact. B. Preventive (Incorrect): A preventive control is designed to stop a security event from happening in the first place (e.g., a multifactor authentication requirement). The login attempts in the scenario were not prevented. C. Corrective (Incorrect): A corrective control is designed to restore a system to a secure state after an incident has occurred. The scenario describes the detection of an event, not the correction. D. Directive (Incorrect): A directive control is a policy or guideline that tells people what to do. The controls described here (logs, SIEM) are technical and operational. |
| 6 | C | A. Preventive (Incorrect): A preventive control is designed to stop an incident from happening in the first place (e.g., antivirus software). The ransomware attack in the scenario was not prevented. B. Detective (Incorrect): A detective control identifies an incident after it has happened or while it’s taking place (e.g., an intrusion detection system). While the ransomware attack was likely detected, the action of restoring from backups is not a detective function. C. Corrective (Correct): This is a corrective control. Corrective controls are designed to mitigate the damage caused by a security incident and restore a system or process to its secure, normal state. Restoring from secure backups after a ransomware attack is a classic example of correcting the damage done. D. Compensating (Incorrect): A compensating control is an alternative control used to meet a security requirement when a primary control is not feasible. Restoring from backups is a primary control for disaster recovery. |
| 7 | C | A. Corrective (Incorrect): A corrective control is designed to restore a system to a secure state after an incident. The controls described are proactive. B. Preventive (Incorrect): While the strict password policy is a preventive control, the broader strategy of using it as a substitute for a missing control makes the entire set of actions best categorized as compensating. C. Compensating (Correct): This is a compensating control. A compensating control is an alternative security measure used to satisfy a security requirement when the primary control (in this case, multifactor authentication) cannot be implemented due to technical or business constraints. The organization is using strict password policies and enhanced monitoring to compensate for the lack of MFA. D. Directive (Incorrect): A directive control is a policy or guideline that tells people what to do. While the password policy is a directive, the overall purpose of these combined controls is to compensate for a technical limitation. |
| 8 | B | A. Preventive (Incorrect): While the goal of an AUP is to prevent misuse, the policy itself does not physically or technically stop a user from violating it. It provides rules, but not enforcement. B. Directive (Correct): An acceptable use policy is a directive control. A directive control is a policy, guideline, or standard that dictates or prescribes required actions or behaviors. By having employees read and sign the AUP, the organization is directing them on how to properly handle company systems and data. C. Detective (Incorrect): A detective control identifies a security event after it has occurred (e.g., a log file). An AUP is not a detective control. D. Compensating (Incorrect): A compensating control is an alternative security measure used when a primary control cannot be implemented. An AUP is a primary, foundational policy. |
| 9 | A | A. Technical (Correct): The use of bcrypt hashing with salts is a technical control. Technical controls are security measures that use technology to protect systems and information. Password hashing is a cryptographic technique implemented in software to secure credentials. B. Operational (Incorrect): Operational controls are day-to-day procedures and practices, such as security awareness training or a clean desk policy. Password hashing is an automated technical process, not a procedure. C. Physical (Incorrect): Physical controls are tangible barriers that protect physical assets, such as locks, fences, and security guards. D. Managerial (Incorrect): Managerial controls are policies, standards, or governance frameworks that guide security decisions and behaviors. While a managerial policy would mandate the use of hashing, the hashing itself is the technical implementation of that policy. |
| 10 | A | A. Preventive (Correct): This is a preventive control. A preventive control is designed to stop a security event or an attack from happening. The geofencing rule automatically blocks unauthorized login attempts based on their geographic location, thereby preventing potential access before it can be granted. B. Detective (Incorrect): A detective control identifies a security event after it has occurred (e.g., an alert for a failed login). While the system likely logs the blocked attempts, its primary function is to prevent, not detect. C. Compensating (Incorrect): A compensating control is an alternative measure used when a primary control cannot be implemented. Geofencing is a primary control in this scenario. D. Corrective (Incorrect): A corrective control is designed to fix a system after an incident has occurred. The geofencing rule is a proactive measure that takes place before an incident. |