Security Program Management and Oversight — Security+ practice questions

Domain 5 of the CompTIA Security+ (SY0-701) exam. 193 questions on this domain in the full bank — here are four free samples with answers and explanations.

Question 1 · Difficulty 2/5

Which of the following best describes the Exposure Factor (EF) used in quantitative risk analysis? (Select the best answer.)
  A. The total financial value of an asset before any loss event occurs
  B. The percentage of an asset's value lost in a single realized threat event
  C. The estimated number of times a threat event is expected to occur in one year
  D. The annualized cost of implementing a safeguard to protect an asset

Correct answer: B

The percentage of an asset's value lost in a single realized threat event

The Exposure Factor (EF) is expressed as a percentage (0 to 1.0) representing the proportion of an asset's value that would be destroyed or lost in a single loss event; it is multiplied by the Asset Value (AV) to calculate the Single Loss Expectancy (SLE = AV x EF). The total financial value of the asset is the Asset Value (AV), a separate input. The estimated number of occurrences per year is the Annualized Rate of Occurrence (ARO). The annualized safeguard cost is used in cost-benefit analysis to determine whether a control is economically justified, not in the EF definition.

Question 2 · Difficulty 3/5

A security team is deciding between qualitative and quantitative risk analysis for a newly acquired subsidiary. The team cannot find reliable historical loss data for most of the subsidiary's assets, but must produce results quickly for an executive briefing. Which characteristic most accurately describes qualitative risk analysis in this context? (Select the best answer.)
  A. It produces precise monetary loss values by computing SLE, ARO, and ALE from actuarial data
  B. It ranks risks using subjective scales (such as high, medium, or low) without requiring exact financial figures
  C. It requires a validated asset inventory with dollar values assigned to every asset before results can be generated
  D. It applies Monte Carlo simulations to model uncertainty across a range of probable loss outcomes

Correct answer: B

It ranks risks using subjective scales (such as high, medium, or low) without requiring exact financial figures

Qualitative risk analysis uses descriptive or ordinal scales (high/medium/low, 1-5, red/yellow/green) to rank risks based on expert judgment and is well-suited when hard financial data is unavailable or when a rapid assessment is needed. Producing precise monetary values from SLE, ARO, and ALE is the defining characteristic of quantitative analysis, which requires reliable historical or actuarial data. Requiring a dollar-valued asset inventory is a prerequisite for quantitative, not qualitative, analysis. Monte Carlo simulation is a quantitative technique used to model probability distributions across uncertain variables.

Question 3 · Difficulty 2/5

Which of the following best describes the distinguishing characteristic of a guideline compared to a policy in an organizational security program? (Select the best answer.)
  A. A guideline is mandatory and enforced through disciplinary action, while a policy is advisory.
  B. A guideline provides recommended practices that are not strictly mandatory, while a policy states mandatory rules.
  C. A guideline is approved by executive leadership, while a policy is authored by individual departments.
  D. A guideline applies only to technical staff, while a policy applies to all employees.

Correct answer: B

A guideline provides recommended practices that are not strictly mandatory, while a policy states mandatory rules.

Policies are mandatory, organization-wide statements of intent that carry enforcement weight and consequences for non-compliance. Guidelines, by contrast, offer recommended approaches and best practices that help staff meet policy goals but are not strictly required. The other options invert or misrepresent the mandatory vs. advisory distinction, or incorrectly scope the applicability of each document type.

Question 4 · Difficulty 3/5

An employee receives a warning after accessing a peer's personnel files without authorization. The HR department cites a signed document the employee acknowledged during onboarding that explicitly lists prohibited uses of organizational systems and the consequences for violations. Which policy type is most likely being enforced? (Select the best answer.)
  A. Information security policy
  B. Acceptable use policy (AUP)
  C. Change management policy
  D. Business continuity policy

Correct answer: B

Acceptable use policy (AUP)

An acceptable use policy (AUP) defines what employees are and are not permitted to do with organizational systems and data, and is typically signed at onboarding to establish individual accountability. An information security policy sets broader security objectives and requirements but does not enumerate specific prohibited user behaviors in the same granular, user-facing way. Change management policy governs how system changes are proposed and approved, and business continuity policy addresses maintaining operations during disruptions, neither of which is relevant here.
