CompTIA Security+ Practice Test of the Day 260318

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 4.2 (Explain the security implications of proper hardware, software, and data asset management) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260318

10 questions • Single best answer

Question 1

A security administrator at a regional hospital is tasked with retiring 200 magnetic hard disk drives that previously stored patient records protected under HIPAA. The drives have been removed from decommissioned workstations and are awaiting final disposal. The administrator must choose a method that ensures patient data cannot be recovered under any circumstances and meets the hospital's compliance obligations. Given that the drives use conventional magnetic platters, which sanitization or destruction method BEST guarantees data cannot be recovered?

A. Performing a standard single-pass overwrite using the operating system's built-in format utility B. Degaussing the drives using an NSA-approved magnetic field degausser C. Encrypting the drives with AES-256 and storing the keys securely D. Removing the drives from the systems and storing them in a locked cabinet

Question 2

A penetration tester is performing an internal assessment at a manufacturing company and discovers multiple unmanaged devices connected to the corporate network — including an old HVAC controller, a legacy industrial PC, and a personal laptop belonging to a contractor. None of these assets appear in the company's configuration management database (CMDB). The security team acknowledges they have not performed a formal asset discovery exercise in over two years. Which asset management activity, if performed regularly, would have MOST directly allowed the security team to detect and account for these unknown devices?

A. Ownership assignment B. Asset classification C. Enumeration D. Acquisition/procurement tracking

Question 3

The IT director at a financial services firm is reviewing the organization's laptop decommissioning process. During an audit, the auditor finds that when laptops are retired, the IT team performs a factory reset using the device's built-in recovery partition and then donates the machines to a local charity. Several of the donated laptops previously held sensitive financial records and customer PII. A forensic analyst hired as part of the audit is able to recover data from three of the donated laptops using commercially available tools. Which step in the decommissioning process was MOST critically missing?

A. Certification B. Data retention verification C. Sanitization D. Inventory removal

Question 4

An IT security manager at a defense contractor is developing a formal hardware acquisition policy. The organization frequently purchases servers and networking equipment from multiple vendors, and there have been recent concerns about the integrity of components sourced through secondary markets and unauthorized resellers. A recent industry report highlighted incidents where adversaries embedded malicious firmware in legitimate-looking network interface cards sold through gray-market channels. Which acquisition and procurement control BEST mitigates the risk of receiving tampered or counterfeit hardware?

A. Requiring all devices to pass a post-delivery vulnerability scan before deployment B. Purchasing hardware exclusively through authorized, manufacturer-approved channels C. Applying firmware updates to all newly acquired hardware before placing it in service D. Encrypting all new hardware drives upon arrival before initial configuration

Question 5

A senior security analyst at a large university is performing a review of the institution's asset management practices. The university has thousands of assets spread across departments, buildings, and remote campuses — ranging from workstations and printers to lab equipment and IoT sensors. The analyst discovers that no single individual or team has been formally designated as responsible for most non-server assets, leading to inconsistent patching, missed software license renewals, and a complete lack of decommissioning records for equipment that has gone offline. Which asset management concept, if implemented, would MOST directly address the accountability gap the analyst identified?

A. Asset inventory maintenance B. Asset classification C. Ownership assignment D. Asset enumeration

Question 6

A security operations team at a cloud services provider is decommissioning a fleet of solid-state drives that stored customer virtual machine images. Because SSDs use wear-leveling algorithms and flash memory cells, traditional overwriting methods may leave residual data in cells that were marked as unavailable during normal operation. The compliance team requires that the drives be sanitized in a way that the original data is verifiably irrecoverable, while also allowing the drives to be reused internally for non-sensitive workloads. Which sanitization method is MOST appropriate for this scenario?

A. Physical shredding of the SSD casings B. Degaussing the SSDs with an industrial magnetic degausser C. Cryptographic erasure using the drive's built-in self-encrypting drive functionality D. Performing a seven-pass DoD 5220.22-M overwrite on each drive

Question 7

An IT governance committee at a multinational corporation is auditing the organization's hardware disposal practices after discovering that retired equipment was sold to a third-party recycler without any formal documentation of data destruction. The committee is concerned that if data recovery from the disposed assets were ever alleged by regulators or in litigation, the organization would have no evidence to demonstrate that proper sanitization was performed. Which decommissioning element would MOST directly provide the legal and regulatory defensibility the committee is seeking?

A. Data retention policy enforcement B. Certification of destruction C. Asset enumeration logging D. Hardware inventory audit trail

Question 8

A systems administrator at an e-commerce company is onboarding a batch of 50 new laptops purchased for the customer support team. The organization's security policy requires that all new assets be formally registered in the asset management system, assigned a classification label based on the sensitivity of the data they will process, and linked to an accountable owner before they are placed into service. The laptops will be used to handle customer PII and payment card data subject to PCI DSS requirements. Which classification label should the administrator apply to these laptops based on the data they will process?

A. Public B. Confidential C. Internal use only D. Unclassified

Question 9

An analyst in a SOC observes that the endpoint detection platform is generating alerts on a workstation with an IP address not listed in the organization's asset inventory. Upon investigation, the analyst determines the device is a personal laptop belonging to an employee who connected it to the corporate network without authorization while working remotely. The organization does not have a formal BYOD policy, and its existing asset tracking processes rely entirely on manual entry at time of provisioning. Which asset management improvement would BEST prevent this situation from recurring systematically?

A. Implementing role-based access control for all provisioned corporate assets B. Conducting quarterly manual audits of all registered assets in the CMDB C. Deploying automated network-based asset monitoring and continuous inventory tracking D. Enforcing mandatory encryption on all devices connected to the corporate VPN

Question 10

The CISO of a healthcare network is reviewing the organization's policy for retiring end-of-life medical devices, including imaging systems and patient monitoring equipment that store diagnostic data internally. Legal counsel advises that applicable HIPAA and state law requirements mandate that certain categories of patient records must be retained for a minimum of six years from the date of last service. Some of the retiring devices hold records that may still fall within this mandatory retention window. Which decommissioning consideration should the security team address BEFORE initiating sanitization on the retiring medical devices?

A. Obtaining a certificate of destruction from a third-party vendor B. Verifying whether data on the devices is subject to active retention obligations C. Applying full-disk encryption to the devices prior to sanitization D. Removing the devices from the asset inventory and reassigning their IP addresses