CompTIA Security+ Practice Test of the Day 260409

Question 1

An external auditor engaged by a mid-sized manufacturing company is reviewing compliance evidence packages in preparation for an ISO 27001 certification review. Each department manager has submitted a signed declaration formally confirming that the security controls within their area of responsibility are fully implemented and operating as designed. The auditor must classify this type of evidence in the final audit report. Which term BEST describes what the department managers have provided?

A. Self-assessment B. Attestation C. Compliance audit D. Independent third-party audit

Question 2

A security director at a logistics company tasks the internal audit team with evaluating whether the organization's current data classification procedures, endpoint encryption configurations, and employee access provisioning workflows comply with the company's published information security policy. The findings will feed into a corrective action plan ahead of an upcoming external audit engagement. Which type of internal audit activity does this engagement represent?

A. Self-assessment B. Attestation C. Compliance D. Audit committee review

Question 3

At a publicly traded financial services company, a standing subgroup of the board of directors — composed entirely of independent directors with no operational role in the company — meets quarterly to review internal audit findings, assess whether management has addressed previously identified control deficiencies, and approve the internal audit plan for the coming fiscal year. This group has formal fiduciary oversight responsibility for the organization's risk and audit processes. Which governance body does this subgroup represent?

A. Change advisory board B. Risk management committee C. Security steering committee D. Audit committee

Question 4

A small regional credit union lacks the budget for external assessors and has no dedicated internal audit team. The IT manager develops a structured questionnaire based on the FFIEC Cybersecurity Assessment Tool and distributes it to department heads, asking each to evaluate their own team's adherence to the credit union's security policies and identify control gaps. The completed questionnaires are compiled into a summary report for the board. Which type of compliance assessment is the credit union conducting?

A. Regulatory examination B. Attestation C. Self-assessment D. Independent third-party audit

Question 5

A healthcare network receives official written notice from the Department of Health and Human Services Office for Civil Rights that investigators will conduct an on-site review of the organization's HIPAA compliance following a breach notification. The investigators carry statutory authority to examine policies, access logs, and technical safeguards — and their findings can result in mandatory corrective action plans and civil monetary penalties. Which type of external audit does this investigation represent?

A. Independent third-party audit B. Assessment C. Examination D. Regulatory

Question 6

A national bank's primary federal banking regulator schedules a routine supervisory review of the institution's IT security controls. Regulatory examiners arrive on site and follow a standardized examination methodology — published by the regulatory agency — to review policies and procedures, interview key personnel, and test selected controls against defined benchmarks. No enforcement action has been initiated; this is a standard, periodic supervisory activity required of all institutions in the regulator's portfolio. Which type of external audit does this engagement represent?

A. Regulatory B. Assessment C. Examination D. Independent third-party audit

Question 7

An energy company pursuing a federal contract must demonstrate that its security controls align with the NIST Cybersecurity Framework. The contracting authority requires the company to engage an approved external firm to evaluate the maturity of its security program, identify control gaps, and produce a detailed findings report with prioritized improvement recommendations. Unlike a pass/fail compliance audit, this engagement measures the organization's current security posture and provides actionable guidance. Which type of external audit does this engagement BEST represent?

A. Examination B. Regulatory C. Attestation D. Assessment

Question 8

A SaaS provider seeking SOC 2 Type II certification engages a licensed CPA firm — one with no prior business relationship with the vendor — to evaluate the design and operating effectiveness of the vendor's security, availability, and confidentiality controls over a twelve-month period. At the conclusion of the engagement, the CPA firm issues a formal opinion report that the SaaS provider distributes to prospective enterprise customers as assurance of its compliance posture. Which type of external audit does this engagement represent?

A. Self-assessment B. Examination C. Assessment D. Independent third-party audit

Question 9

A large enterprise engages a cybersecurity firm to conduct a penetration test in which the offensive team and the organization's defensive security team participate simultaneously. The red team executes realistic attack techniques against production systems while the blue team — operating in its normal monitoring mode, without advance knowledge of specific attack timing or methods — attempts to detect, contain, and respond to the activity. The engagement's success metrics evaluate both the attacker's ability to achieve objectives and the defender's effectiveness in responding. Which type of penetration test is described?

A. Physical B. Offensive C. Defensive D. Integrated

Question 10

A penetration testing firm is engaged to assess the security of a fintech company's customer-facing web application. The testers are provided only with the company's name and the application's URL — no source code, no architecture documentation, no credentials, and no internal network diagrams. The engagement is designed to simulate the perspective of an external attacker with no insider knowledge of the target environment. Which testing environment does this scenario describe?

A. Known environment B. Partially known environment C. Unknown environment D. Passive reconnaissance

CompTIA Security+ Practice Test of the Day 260409

ByThe Test Master

Related Post

CompTIA Security+ Practice Test of the Day 260410

CompTIA Security+ Practice Test of the Day 260408

CompTIA Security+ Practice Test of the Day 260407

Leave a Reply Cancel reply

You missed

CEH v13 Domain 3.3 Practice Test 002

CEH v13 Domain 3.2 Practice Test 002

CEH v13 Domain 3.1 Practice Test 002

CEH v13 Domain 2.3 Practice Test 002