Text preview & study summary

CompTIA Security+ Full Exam Simulator

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

Before authorizing a third-party security assessment, an organization specifies testable systems, permitted methods, and authorized testing hours.

What is this document called?

Answer choices

  • A. Business impact analysis

  • B. Rules of engagement (Correct)

  • C. Service level agreement

  • D. Risk register

Explanation

Rules of engagement define the boundaries, authorized methods, and constraints governing how a third-party assessment may be conducted.

Business impact analysis evaluates operational consequences of disruptions, not assessment authorization terms.

A service level agreement defines uptime and response expectations between parties, not security testing constraints.

A risk register tracks identified risks and treatments, not pre-assessment authorization parameters.

Question 2

An employee uses a company laptop for a personal side business, non-work cloud services, and unlicensed software. HR references a signed onboarding document when initiating discipline.

Which document is HR most likely referencing?

Answer choices

  • A. Disaster recovery plan

  • B. Data retention policy

  • C. Acceptable use policy (Correct)

  • D. Change management log

Explanation

An acceptable use policy defines permitted and prohibited uses of company technology, providing the basis for disciplinary action.

A disaster recovery plan addresses system restoration after failures, not personal misuse of equipment.

A data retention policy governs how long data is kept, not personal business use of corporate assets.

A change management log tracks production modifications, not employee technology misuse.

Question 3

Why is physical destruction often recommended when disposing of SSDs containing highly sensitive information?

Answer choices

  • A. SSD wear-leveling can make data recovery concerns more difficult to address through software methods alone (Correct)

  • B. SSDs cannot be reformatted

  • C. SSDs do not support encryption

  • D. SSDs automatically replicate data externally

Explanation

SSD wear-leveling distributes write operations across memory cells, making it difficult to ensure all copies of data are overwritten through software sanitization alone.

SSDs can be reformatted, but software-based methods may not reliably erase all data due to wear-leveling and over-provisioning.

SSDs support encryption, but encryption alone does not guarantee data destruction when media is disposed without proper key destruction.

SSDs do not automatically replicate data externally; the concern is internal data remanence from wear-leveling algorithms.

Question 4

A stolen laptop's confidential files remain inaccessible because the drive requires cryptographic authentication before startup.

Which technology provided this protection?

Answer choices

  • A. Tokenization

  • B. HTTPS

  • C. SSH

  • D. Full disk encryption (Correct)

Explanation

Full disk encryption requires authentication to decrypt the entire drive, protecting data at rest on a stolen device.

Tokenization protects specific data fields in applications, not an entire laptop drive.

HTTPS encrypts web sessions in transit, not local stored files on a powered-off laptop.

SSH secures remote administration sessions, not data at rest on a local disk.

Question 5

A developer pushes an untested configuration update directly to a production database, causing a four-hour outage.

Which governance process failure does this represent?

Answer choices

  • A. Disaster recovery

  • B. Data owner noncompliance

  • C. Change management (Correct)

  • D. Acceptable use policy violation

Explanation

Change management requires review, testing, and approval before production modifications; bypassing this process caused the outage.

Disaster recovery addresses restoration after failures but the root failure here is uncontrolled change deployment.

Data owner noncompliance involves governance accountability for data, not unauthorized production changes.

An acceptable use policy violation may also apply but the primary governance failure is missing change control.