Text preview & study summary
CompTIA Security+ Full Exam Simulator
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
Before authorizing a third-party security assessment, an organization specifies testable systems, permitted methods, and authorized testing hours.
What is this document called?
Explanation
Rules of engagement define the boundaries, authorized methods, and constraints governing how a third-party assessment may be conducted.
Business impact analysis evaluates operational consequences of disruptions, not assessment authorization terms.
A service level agreement defines uptime and response expectations between parties, not security testing constraints.
A risk register tracks identified risks and treatments, not pre-assessment authorization parameters.
Question 2
An employee uses a company laptop for a personal side business, non-work cloud services, and unlicensed software. HR references a signed onboarding document when initiating discipline.
Which document is HR most likely referencing?
Explanation
An acceptable use policy defines permitted and prohibited uses of company technology, providing the basis for disciplinary action.
A disaster recovery plan addresses system restoration after failures, not personal misuse of equipment.
A data retention policy governs how long data is kept, not personal business use of corporate assets.
A change management log tracks production modifications, not employee technology misuse.
Question 3
Why is physical destruction often recommended when disposing of SSDs containing highly sensitive information?
Explanation
SSD wear-leveling distributes write operations across memory cells, making it difficult to ensure all copies of data are overwritten through software sanitization alone.
SSDs can be reformatted, but software-based methods may not reliably erase all data due to wear-leveling and over-provisioning.
SSDs support encryption, but encryption alone does not guarantee data destruction when media is disposed without proper key destruction.
SSDs do not automatically replicate data externally; the concern is internal data remanence from wear-leveling algorithms.
Question 4
A stolen laptop's confidential files remain inaccessible because the drive requires cryptographic authentication before startup.
Which technology provided this protection?
Explanation
Full disk encryption requires authentication to decrypt the entire drive, protecting data at rest on a stolen device.
Tokenization protects specific data fields in applications, not an entire laptop drive.
HTTPS encrypts web sessions in transit, not local stored files on a powered-off laptop.
SSH secures remote administration sessions, not data at rest on a local disk.
Question 5
A developer pushes an untested configuration update directly to a production database, causing a four-hour outage.
Which governance process failure does this represent?
Explanation
Change management requires review, testing, and approval before production modifications; bypassing this process caused the outage.
Disaster recovery addresses restoration after failures but the root failure here is uncontrolled change deployment.
Data owner noncompliance involves governance accountability for data, not unauthorized production changes.
An acceptable use policy violation may also apply but the primary governance failure is missing change control.
