CompTIA Security+ Practice Test of the Day 260506

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 3.3 (Compare and contrast concepts and strategies to protect data) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260506

10 questions • Single best answer

Question 1

The CISO of a global e-commerce company is expanding operations into multiple regions, including the European Union. The legal team informs the CISO that EU regulations require customer data collected in EU member states to be stored and processed exclusively on servers located within the EU. The CISO must identify the correct concept governing this requirement to communicate it accurately to the engineering team.

A. Data classification B. Data sovereignty C. Geolocation tagging D. Data segmentation

Question 2

A security analyst is evaluating controls for an enterprise application that processes sensitive financial data. The data is encrypted when written to disk and encrypted when transmitted across the network between services. During a threat model review, the team identifies that data is briefly exposed in plaintext in application memory while calculations are being performed. The analyst must classify this exposure correctly to recommend appropriate controls.

A. Data at rest B. Data in transit C. Data in use D. Data in motion

Question 3

A penetration tester is assessing a retail company's payment processing environment. When testing the checkout flow, the tester observes that the actual credit card number entered by the customer is immediately replaced by a randomly generated value that bears no mathematical relationship to the original. Internal systems use this surrogate value throughout order processing, while the actual card number is retained in a secure external vault managed by the payment processor.

A. Encryption B. Hashing C. Tokenization D. Masking

Question 4

A financial institution's security team needs to provide developers with a realistic dataset for testing a new loan processing application. The team delivers a sanitized copy of the production database where customer names appear as 'XXXXX XXXXX', social security numbers are replaced with sequential fake numbers, and account balances are shifted by a random offset. Developers cannot recover the original values from what they receive, and the data retains the same format and statistical patterns as production.

A. Tokenization B. Obfuscation C. Masking D. Encryption

Question 5

A security administrator at a law firm is implementing a formal data classification policy. Attorney-client privileged case files must be accessible only to the assigned legal team and must never be transmitted outside the firm's infrastructure under any circumstances. Routine internal billing records are accessible to all partners and administrative staff. The administrator must assign the correct classification label to the privileged case files.

A. Private B. Sensitive C. Confidential D. Restricted

Question 6

A database administrator is auditing a legacy web application's authentication system. When examining the users table, the DBA finds that passwords are stored as fixed-length 64-character strings. Testing confirms that the application processes an entered password and compares the result to the stored string — but the stored value cannot be reversed or decrypted to obtain the original password, regardless of the tools or methods used.

A. Symmetric encryption B. Tokenization C. Hashing D. Masking

Question 7

A technology company's legal team is reviewing the organization's information assets. They identify a proprietary recommendation engine that the company has maintained as a closely guarded internal secret for seven years, has never patented, and protects entirely through strict access controls, employee NDAs, and internal confidentiality agreements. The algorithm is the primary source of the company's competitive advantage in its market.

A. Intellectual property B. Regulated data C. Trade secret D. Financial information

Question 8

A mobile application developer is hardening a banking app against reverse engineering. After compiling the application, the team uses an automated tool that renames internal functions and variables to meaningless strings, restructures conditional logic, inserts non-functional dummy code paths, and scrambles string literals throughout the binary. The resulting application functions identically to the original but is extremely difficult to analyze after decompilation.

A. Masking B. Obfuscation C. Tokenization D. Segmentation

Question 9

A cloud architect at a streaming media company is addressing new data residency regulations in several countries. The regulations require that subscriber data for residents of those countries must not be stored or processed on servers outside their home country. The architect must implement controls at the cloud infrastructure level to enforce these boundaries automatically across all data ingestion and storage pipelines.

A. Data sovereignty declarations B. Permission restrictions C. Geographic restrictions D. Data segmentation

Question 10

An audit at a large enterprise reveals that all employees, regardless of department, have read access to the complete HR database, including salary data, performance reviews, and disciplinary records. The CISO recommends restructuring access so that only HR personnel can view compensation and disciplinary fields, payroll staff can access only payroll-relevant records, and all other employees are denied access to sensitive HR data entirely.