Q1. Which document outlines rules for acceptable use of company resources?
- A.SLA
- B.AUP✓ Correct
- C.MOU
- D.SOW
Explanation: The Acceptable Use Policy (AUP) defines proper and improper use of organizational IT resources. Learn more.
CompTIA Security+ Practice Questions: Governance, Risk & Compliance
28 free, exam-style CompTIA Security+ (SY0-701) practice questions covering Governance, Risk & Compliance. Each question shows the correct answer and a clear explanation. Ready for the real thing? Take the full timed quiz below.
Q2. Which principle ensures users have only the access needed for their job?
- A.Least privilege✓ Correct
- B.Defense in depth
- C.Separation of duties
- D.Need to know
Explanation: The principle of least privilege restricts users to the minimum access necessary for their role. Learn more.
Q3. Which regulation protects healthcare information in the US?
- A.PCI DSS
- B.HIPAA✓ Correct
- C.SOX
- D.GDPR
Explanation: HIPAA establishes national standards for protecting sensitive patient health information. Learn more.
Q4. What is the PRIMARY purpose of a business impact analysis (BIA)?
- A.To identify critical systems and recovery priorities✓ Correct
- B.To detect network intrusions
- C.To encrypt sensitive data
- D.To authenticate remote users
Explanation: A BIA helps organizations understand which systems are most critical and their recovery requirements. Learn more.
Q5. Which principle ensures no single person controls all critical functions?
- A.Least privilege
- B.Separation of duties✓ Correct
- C.Defense in depth
- D.Need to know
Explanation: Separation of duties divides responsibilities to prevent fraud or abuse of privileges. Learn more.
Q6. What is the PRIMARY purpose of a risk assessment?
- A.To eliminate all risks
- B.To identify and prioritize risks✓ Correct
- C.To encrypt all sensitive data
- D.To authenticate all users
Explanation: Risk assessments identify threats and vulnerabilities to prioritize mitigation efforts. Learn more.
Q7. What is the PRIMARY purpose of a data retention policy?
- A.To maximize storage space
- B.To define how long different data types should be kept✓ Correct
- C.To encrypt all stored data
- D.To authenticate data access
Explanation: Retention policies specify storage durations based on legal and operational requirements. Learn more.
Q8. What is the PRIMARY purpose of a non-disclosure agreement (NDA)?
- A.To define acceptable use of resources
- B.To protect confidential information✓ Correct
- C.To establish service level expectations
- D.To document incident response procedures
Explanation: NDAs legally bind parties to maintain confidentiality of sensitive information. Learn more.
Q9. Which regulation governs credit card data security?
- A.HIPAA
- B.PCI DSS✓ Correct
- C.SOX
- D.GDPR
Explanation: PCI DSS establishes security standards for organizations handling credit card information. Learn more.
Q10. What is the PRIMARY purpose of PII (Personally Identifiable Information) protection?
- A.To maximize data storage efficiency
- B.To safeguard individual privacy✓ Correct
- C.To improve network performance
- D.To authenticate users
Explanation: PII protections prevent unauthorized disclosure of sensitive personal data. Learn more.
Q11. What is the PRIMARY purpose of a security awareness program?
- A.To eliminate all security risks
- B.To educate users about security policies and threats✓ Correct
- C.To monitor employee internet usage
- D.To encrypt sensitive data
Explanation: Awareness programs train employees to recognize and avoid security risks. Learn more.
Q12. What is the PRIMARY purpose of a security policy?
- A.To eliminate all security risks
- B.To define organizational security expectations✓ Correct
- C.To monitor employee internet usage
- D.To encrypt sensitive data
Explanation: Security policies establish formal rules for protecting organizational assets. Learn more.
Q13. What is the PRIMARY purpose of a security baseline?
- A.To eliminate all security risks
- B.To establish minimum security configurations✓ Correct
- C.To monitor employee internet usage
- D.To encrypt sensitive data
Explanation: Baselines define secure starting configurations for systems and software. Learn more.
Q14. What is the PRIMARY purpose of a data classification policy?
- A.To eliminate all security risks
- B.To categorize data based on sensitivity✓ Correct
- C.To monitor employee internet usage
- D.To encrypt sensitive data
Explanation: Classification policies determine appropriate handling based on data sensitivity. Learn more.
Q15. What is the PRIMARY purpose of change management?
- A.To eliminate all security risks
- B.To control modifications to IT systems✓ Correct
- C.To monitor employee internet usage
- D.To encrypt sensitive data
Explanation: Change management ensures proper review and approval of system modifications. Learn more.
Q16. Which of the following BEST describes the concept of 'confidentiality' in the CIA triad?
- A.Ensuring that data is accurate and has not been tampered with.
- B.Ensuring that systems and data are available to authorized users when needed.
- C.Preventing the unauthorized disclosure of sensitive information.✓ Correct
- D.Ensuring that actions can be traced back to an individual or entity.
Explanation: Confidentiality is the C in the CIA triad (Confidentiality, Integrity, Availability) and refers to protecting information from unauthorized access or disclosure. Encryption is a primary control for ensuring confidentiality. Learn more.
Q17. What is the primary goal of performing a security audit?
- A.To actively exploit vulnerabilities in the network.
- B.To provide an independent assessment of an organization's security controls and compliance.✓ Correct
- C.To immediately remediate all identified security weaknesses.
- D.To deploy new security technologies within the organization.
Explanation: A security audit is a systematic, independent evaluation of an organization's security posture, policies, procedures, and controls against established criteria or standards (e.g., ISO 27001, NIST CSF). Learn more.
Q18. What is the process of identifying, quantifying, and prioritizing risks to an organization called?
- A.Incident response
- B.Vulnerability scanning
- C.Risk assessment✓ Correct
- D.Penetration testing
Explanation: A risk assessment involves identifying potential threats and vulnerabilities, determining the likelihood and impact of these risks, and then prioritizing them for mitigation or acceptance. Learn more.
Q19. Which software development practice involves integrating security testing early and throughout the software development lifecycle (SDLC)?
- A.Waterfall
- B.Shift Left✓ Correct
- C.Obfuscation
- D.Sandboxing
Explanation: 'Shifting Left' moves security testing to the earlier stages of development (the left side of the timeline) to find and fix vulnerabilities sooner. Learn more.
Q20. Which concept refers to the legal requirement that data collected on citizens must be stored and processed within the physical borders of the country where the citizen resides?
- A.Data classification
- B.Data sovereignty✓ Correct
- C.Data masking
- D.Data loss prevention
Explanation: Data sovereignty is the concept that digital data is subject to the laws of the country in which it is located, often requiring data to remain within national borders. Learn more.
Q21. Which privacy regulation grants European Union citizens the 'right to be forgotten' (erasure of personal data)?
- A.PCI DSS
- B.GDPR✓ Correct
- C.HIPAA
- D.SOX
Explanation: The General Data Protection Regulation (GDPR) is an EU regulation that includes the right to erasure, allowing individuals to request the deletion of their personal data. Learn more.
Q22. Which control category describes security measures like security guards, fences, and lighting?
- A.Technical
- B.Managerial
- C.Physical✓ Correct
- D.Administrative
Explanation: Physical controls are measures taken to prevent physical access or harm to facilities and IT systems, such as locks, guards, and cameras. Learn more.
Q23. Which risk response transfers financial impact to a third party?
- A.Cyber insurance✓ Correct
- B.Risk acceptance
- C.Risk avoidance only
- D.Disabling controls
Explanation: Insurance is a common risk transference method because it shifts some financial impact to another party. Learn more.
Q24. Which document defines expected uptime and support responsibilities for a vendor service?
- A.SLA✓ Correct
- B.NDA
- C.AUP
- D.MOU only
Explanation: A service level agreement defines measurable service expectations such as uptime, response, and support targets. Learn more.
Q25. Which activity helps employees practice incident response roles without disrupting production systems?
- A.Tabletop exercise✓ Correct
- B.Unannounced data deletion
- C.Credential sharing drill
- D.Patch rollback removal
Explanation: Tabletop exercises walk teams through scenarios to validate roles, communication, and decisions. Learn more.
Q26. Which concept separates duties so no single person can complete a sensitive process alone?
- A.Separation of duties✓ Correct
- B.Implicit trust
- C.Privilege creep
- D.Open access
Explanation: Separation of duties reduces fraud and error by splitting responsibilities across multiple people. Learn more.
Q27. Which document tells users what they may and may not do with company systems?
- A.Acceptable use policy✓ Correct
- B.Certificate signing request
- C.Data flow diagram only
- D.Chain of custody form
Explanation: An acceptable use policy defines permitted and prohibited use of organizational systems. Learn more.
Q28. Which risk treatment accepts the risk because mitigation cost exceeds expected loss?
- A.Risk acceptance✓ Correct
- B.Risk transference only
- C.Risk avoidance only
- D.Risk exploitation
Explanation: Risk acceptance is a deliberate decision to tolerate risk when justified by business analysis. Learn more.