Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on subdomain 1.3 (Explain the importance of change management processes and the impact to security) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.


#1. A security administrator at a mid-sized company must deploy an urgent server patch that will briefly interrupt an internal HR web app used during business hours. Which approach best minimizes security and business risk?


#2. Your organization plans to disable TLS 1.0 on a legacy payroll portal hosted behind a reverse proxy. Several third-party integrations consume the portal’s API. What should the change owner insist on before executing the change?


#3. An analyst in a SOC observes a proposed cloud firewall rule expanding outbound access for a build server to “any.” Which control should the approver require before granting the change?


#4. A security engineer will update a shared authentication library used by multiple microservices in a Kubernetes cluster. The change requires each pod to reload the app process. What should be documented as a security-relevant impact?


#5. Your company deploys a new VPN profile; users can’t connect. Which change-management artifact enables a rapid and safe revert?


#6. A product team requests database schema changes affecting customer PII. Who should be identified as the owner for approving the change’s risk?


#7. During a Windows GPO hardening update, the admin wants traceability and the ability to revert specific policy edits. Which practice best supports this?


#8. An analyst proposes enabling HTTP/2 on the external WAF. In pre-prod testing, a legacy client intermittently fails. What is the appropriate next step?


#9. Your organization is onboarding a third-party tax service that requires outbound connections to a narrow set of vendor IPs. Which requirement should be included in the change’s technical implementation?


#10. A security engineer wants to standardize monthly Linux kernel patching across edge gateways. What should be produced to reduce variance and risk?


Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

Answers

Number | Answer | Explanation
1 | A | A security administrator at a mid-sized company must deploy an urgent server patch that will briefly interrupt an internal HR web app used during business hours. Which approach best minimizes security and business risk?

A. Schedule the change in an approved after-hours maintenance window with a documented backout plan and stakeholder notifications (Correct): This approach is the industry best practice for balancing security and business risk. It minimizes business disruption by scheduling the change when the app is not in use, reduces security risk by deploying the patch in a controlled manner, and mitigates all risk by having a formal backout plan and informing stakeholders.

B. Deploy immediately during peak usage to reduce the time the vulnerability is exposed (Incorrect): While this may seem to reduce security risk, it introduces significant and uncontrolled business risk. An unplanned outage during peak hours can disrupt critical operations, leading to data loss and user frustration.

C. Perform an unannounced “silent” deploy and roll forward if users complain (Incorrect): This is a highly unprofessional and irresponsible approach. It shows a complete disregard for business operations, lacks proper planning, and is a violation of sound change management practices.

D. Mark the change as “standard” and push at the next CI/CD run without approvals (Incorrect): This is a severe policy violation. Urgent, service-impacting changes are never “standard” and always require formal approval to ensure that all risks have been properly considered and managed.
2 | B | Your organization plans to disable TLS 1.0 on a legacy payroll portal hosted behind a reverse proxy. Several third-party integrations consume the portal’s API. What should the change owner insist on before executing the change?

A. Extend the change freeze to avoid business disruption (Incorrect): A change freeze is meant to prevent changes. Indefinitely extending it would avoid a business disruption but would also leave a known security vulnerability unaddressed, which is not a viable long-term solution.

B. Conduct an impact analysis of downstream dependencies and attach test results to the change record (Correct): The most critical step is to perform an impact analysis. This process identifies all affected systems, including the third-party integrations. By working with the integration partners to confirm their TLS version support and testing the change in a non-production environment, the change owner can ensure the update does not cause business-critical outages. The test results provide documented evidence that the change is safe to implement.

C. Force all clients to upgrade after the change and monitor incidents (Incorrect): This is a reactive and high-risk strategy that will almost certainly cause a service outage for unprepared clients. A proper change management process seeks to prevent incidents, not simply to monitor them after the fact.

D. Create a help desk article after deployment (Incorrect): Creating a help desk article is a good step for user support, but doing so after a disruptive change is a reactive measure. It does not address the core problem of a lack of preparation and risk mitigation.
3 | C | An analyst in a SOC observes a proposed cloud firewall rule expanding outbound access for a build server to “any.” Which control should the approver require before granting the change?

A. Convert to a deny list to block known-bad addresses (Incorrect): A deny list (blacklist) is a poor control for a critical asset because it’s impossible to list every malicious address. This approach leaves the server open to communication with any address not yet on the list, which is a major risk.

B. Accept the broad egress and rely on host EDR (Incorrect): This is a failure of the defense-in-depth strategy. Relying solely on a host-based control like EDR is insufficient. A firewall should always be used as a primary layer of protection to restrict network-level access.

C. Restrict the rule to an allow list of required FQDNs/IPs and document restricted activities in the SOP (Correct): This is the industry best practice and aligns with the principle of least privilege. Instead of allowing outbound access to “any” destination, the approver should require the change owner to identify and document a specific allow list (or whitelist) of necessary FQDNs or IPs. This dramatically reduces the attack surface and ensures the server can only communicate with required destinations.

D. Approve the change but schedule it for a holiday weekend (Incorrect): Scheduling the change during a holiday weekend is a business continuity practice to minimize service interruption. It does nothing to address the fundamental security risk of broad
4 | C | A security engineer will update a shared authentication library used by multiple microservices in a Kubernetes cluster. The change requires each pod to reload the app process. What should be documented as a security-relevant impact?

A. “No downtime; rolling restart is transparent, so no need to notify” (Incorrect): This is a dangerous assumption. While rolling restarts are designed for high availability, they can still fail, and unforeseen issues can cause downtime. Notifying stakeholders is a core change management principle.

B. “Service restart required; OS stays up so no impact” (Incorrect): This statement incorrectly minimizes the impact. The state of the host OS is irrelevant if the application service itself, which is what users interact with, is interrupted.

C. “Application restart required; brief service interruption possible—schedule within maintenance window and notify stakeholders” (Correct): This is the most accurate and responsible statement. It correctly acknowledges the technical impact (application restart required) and the potential business risk (brief service interruption possible). It then documents the proper change management procedures to mitigate that risk, namely, scheduling the change within a planned maintenance window and notifying all relevant stakeholders.

D. “No backout needed; immutable images guarantee success” (Incorrect): This is a false and dangerous assumption. While immutable images can simplify a rollback, they do not guarantee that the new deployment will be successful. A backout plan is an essential part of any high-risk change.
5 | C | Your company deploys a new VPN profile; users can’t connect. Which change-management artifact enables a rapid and safe revert?

A. Emergency approval (Incorrect): Emergency approval is the process used to expedite a change that must be implemented immediately, but it is not a plan for reverting the change.

B. Test results (Incorrect): Test results document the outcome of pre-deployment testing. They do not provide the instructions for reverting a change once it has failed in a production environment.

C. Backout plan (Correct): A backout plan (also called a rollback plan) is a documented procedure that specifies the steps required to reverse a failed change and restore a system to its state before the change was deployed. It is a critical change-management artifact that enables a rapid and safe revert, minimizing downtime and business impact.

D. Stakeholder RACI (Incorrect): A RACI matrix defines roles and responsibilities for a project or change. It does not contain the technical steps for a backout.
6 | C | A product team requests database schema changes affecting customer PII. Who should be identified as the owner for approving the change’s risk?

A. The DBA on call (Incorrect): The DBA is responsible for the technical implementation of the change, not the business risk associated with it. They are the executor of the change, not the owner of the risk.

B. The CISO (Incorrect): The CISO is responsible for the overall security posture and for providing risk guidance. While they may advise on the risk, the ultimate responsibility for accepting the business risk for a specific system lies with its owner.

C. The system/data owner responsible for the impacted service (Correct): The system/data owner is the individual or group ultimately accountable for the security and integrity of a specific system and the data it contains. They are the ones who benefit from the business function and are therefore best suited to approve and accept the risk associated with changes to that system’s data.

D. The SOC manager (Incorrect): The SOC manager is responsible for security monitoring and incident response. They do not own the business risk for a specific system.
7 | B | During a Windows GPO hardening update, the admin wants traceability and the ability to revert specific policy edits. Which practice best supports this?

A. Screenshot GPO settings and save to a wiki (Incorrect): Screenshots are static, time-consuming to create, and cannot be used for a technical rollback. This method is highly inefficient and prone to human error.

B. Use version control to track the policy files and link commits to the change ticket; update diagrams/policies (Correct): Using a version control system (like Git) is the industry best practice for configuration management. It provides a complete and auditable history of every change, allowing for easy traceability and a straightforward revert to a previous state if needed. Linking changes to a ticket ensures accountability and context.

C. Export the GPO to a ZIP and email it to the team (Incorrect): Exporting and emailing a file is not a scalable, secure, or auditable method for change management. It lacks a clear history and makes it difficult to manage concurrent changes.

D. Rely on AD replication logs for history (Incorrect): Active Directory replication logs are not designed for detailed policy change history. They track the synchronization of changes across domain controllers, not the specific policy edits themselves, which are required for a proper audit and rollback.
8 | B | An analyst proposes enabling HTTP/2 on the external WAF. In pre-prod testing, a legacy client intermittently fails. What is the appropriate next step?

A. Proceed; intermittent issues are acceptable during rollout (Incorrect): This is a high-risk and irresponsible approach. Deploying a change with a known issue, even if intermittent, is likely to cause a production outage and business disruption for the legacy client.

B. Attach the failed test results and request updated approval or adjust the plan (Correct): The appropriate next step is to stop the change and follow a formal change management process. The failed test results provide critical information that the original plan is not viable. The analyst must document the issue and seek updated approval for an adjusted plan, which might include configuring the WAF to support both HTTP/1.1 and HTTP/2 or a decision to delay the change.

C. Deploy to production and monitor for tickets (Incorrect): This is a reactive strategy. A robust change management process aims to prevent problems in production, not just to react to them after they happen.

D. Escalate as a security incident (Incorrect): The intermittent failure is a change management issue and a business risk. It is not a security incident, which involves a security breach or policy violation.
9 | C | Your organization is onboarding a third-party tax service that requires outbound connections to a narrow set of vendor IPs. Which requirement should be included in the change’s technical implementation?

A. Configure an outbound deny list covering known malicious IPs (Incorrect): A deny list (or blacklist) is a reactive and incomplete security control. It’s impossible to list every malicious IP, leaving the system open to communication with any IP not on the list.

B. Permit all outbound traffic, relying on the vendor’s TLS (Incorrect): This is a serious security risk. While TLS encrypts the traffic, it does not prevent the system from connecting to a malicious destination, which could lead to data exfiltration or a system compromise.

C. Add the vendor IPs/FQDNs to an egress allow list and document the dependency (Correct): This approach applies the security principle of least privilege. By using an egress allow list (or whitelist), the system is explicitly permitted to connect only to the necessary, known vendor addresses, while all other outbound traffic is blocked by default. Documenting the dependency is a critical change management best practice.

D. Force all traffic through a SOCKS proxy without rule changes (Incorrect): A SOCKS proxy does not inherently enforce access control. It would still require a firewall rule to permit traffic to the proxy, and unless the proxy itself is configured to use an allow list, it does not mitigate the outbound security risk.
10 | B | A security engineer wants to standardize monthly Linux kernel patching across edge gateways. What should be produced to reduce variance and risk?

A. A “lessons learned” report from the last outage (Incorrect): A lessons learned report is a reactive document that analyzes a past event. It can inform the creation of an SOP but does not, by itself, standardize a new proactive process.

B. A standard operating procedure with steps, validation, and backout (Correct): A standard operating procedure (SOP) is a formal document that defines a routine process. By creating an SOP for patching, the security engineer standardizes the steps to be followed every month. Including validation steps ensures consistency and success, while a documented backout plan is a critical risk mitigation measure.

C. A Slack announcement reminding teams to patch on time (Incorrect): A Slack announcement is a communication method. It does not provide the detailed, repeatable steps necessary to reduce variance or manage the technical risk of the patching process.

D. A dashboard showing patch compliance (Incorrect): A dashboard is a reporting tool that shows the results of a process. It is used to monitor compliance after the fact but does not define the steps of the process itself.