CompTIA Security+ Practice Test of the Day 260527

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 5.3 (Explain the processes associated with third-party risk assessment and management) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260527

10 questions • Single best answer

Question 1

A vendor manager at a healthcare company is evaluating a new cloud storage provider. The security team wants assurance that the provider's controls meet expectations without performing their own on-site audit. Which vendor assessment method BEST addresses this?

A. Reviewing the vendor's evidence of internal audits or third-party assessments B. Sending a penetration tester to the vendor's data center C. Requiring the vendor to sign an NDA before sharing any information D. Performing a supply chain analysis of the vendor's hardware components

Question 2

A contract between a SaaS provider and a customer specifies that the system must be available 99.9% of the time, and the provider must notify the customer within 1 hour of any outage. Which agreement type is this?

A. Memorandum of understanding (MOU) B. Non-disclosure agreement (NDA) C. Service-level agreement (SLA) D. Master service agreement (MSA)

Question 3

Before awarding a contract to a new IT services vendor, a company investigates the vendor's ownership structure, financial stability, past legal issues, and references. Which vendor selection activity does this describe?

A. Right-to-audit clause negotiation B. Supply chain analysis C. Rules of engagement definition D. Due diligence

Question 4

An organization discovers that its payment processor is using a subcontractor in another country to handle parts of its transaction workflow without prior notification. Which third-party risk concern does this BEST represent?

A. Conflict of interest B. Supply chain risk from undisclosed sub-processors C. Failure to maintain an SLA D. Violation of a right-to-audit clause

Question 5

A security team sends a detailed questionnaire to a prospective vendor asking about their encryption practices, patch management, incident response capabilities, and data retention policies. What is the PRIMARY purpose of this questionnaire?

A. To satisfy a contractual right-to-audit obligation B. To assess the vendor's security posture as part of vendor risk management C. To create evidence for an external regulatory audit D. To define the rules of engagement for a penetration test

Question 6

Two organizations agree to share threat intelligence data on an informal basis. No binding legal obligations exist, but both parties document their intent to cooperate and the scope of information sharing. Which agreement type is MOST appropriate?

A. Non-disclosure agreement (NDA) B. Service-level agreement (SLA) C. Memorandum of understanding (MOU) D. Business partners agreement (BPA)

Question 7

A penetration testing firm is engaged by a retailer to test its point-of-sale systems. Before testing begins, the scope, allowed techniques, testing hours, and out-of-scope systems are documented. What are these parameters collectively called?

A. Statement of work (SOW) B. Rules of engagement C. Right-to-audit clause D. Vendor monitoring requirements

Question 8

An organization's contract with a cloud provider includes a clause granting the organization the right to inspect the provider's security controls, logs, and processes at any time with reasonable notice. Which contract element does this represent?

A. Memorandum of agreement (MOA) B. Non-disclosure agreement (NDA) C. Right-to-audit clause D. Business partners agreement (BPA)

Question 9

A company hires a managed security service provider (MSSP) under a long-term engagement. Six months in, the MSSP fails to meet agreed detection and response time commitments. Which risk management activity should have been established to detect this early?

A. Conflict of interest review B. Supply chain penetration testing C. Vendor monitoring D. Independent pre-contract assessment

Question 10

A large enterprise requires all new vendors handling customer PII to complete an independent security assessment before onboarding. The assessment is performed by a neutral third party hired by the enterprise. Which vendor assessment type is this?