
CompTIA Sec+ SY0-701: Domain 5, Quiz 2

Information Technology · 15 cards · Created about 2 months ago

These flashcards cover key concepts like security compliance regulations, data protection rights, and roles such as data controllers and processors in data management.


Key Terms

Term
Definition

Which of the following is a potential consequence of failing to meet security compliance regulations?

a. Enhanced operational efficiency
b. Reputational damage
c. Increase in customer trust
d. Increase in stock prices

Reputational damage

Failing to comply with security standards can harm an organization’s public image and trustworthiness.

The right for an individual to have their personal data erased by an entity that is storing it, especially online, is referred to as:

a. Data retention
b. Data accountability
c. Right to be forgotten
d. Data integrity

Right to be forgotten

A principle that gives individuals the power to request their personal information be removed.

What primarily differentiates a data controller from a data processor?

a. Data processors have the final say in data retention policies.
b. Data controllers are solely responsible for data breaches.
c. Data processors create the data while controllers analyze it.
d. A data controller determines the purpose and means of processing, while a processor processes data on behalf of the controller.

A data controller determines the purpose and means of processing, while a processor processes data on behalf of the controller.

The controller is responsible for why and how personal data is processed, and the processor does the actual processing.

An organization is looking for an assessment where a third party verifies its adherence to certain regulations. Which of the following best describes this?

a. Penetration testing
b. Self-assessment
c. Independent third-party audit
d. Internal compliance

Independent third-party audit

Involves an external entity evaluating the organization’s compliance.

During a penetration test, an attacker has no prior knowledge of the network infrastructure. Which type of testing environment does this represent?

a. Unknown environment
b. Integrated environment
c. Partially known environment
d. Known environment

Unknown environment

The attacker has no prior information about the infrastructure.

What kind of reconnaissance involves using openly available sources without directly interacting with the target system?

a. Defensive
b. Passive
c. Active
d. Integrated

Passive

Uses open sources and does not interact directly with the target.

A company regularly sends out simulated phishing emails to test employee awareness. What is this practice called?

a. Campaigns
b. Attestation
c. User guidance
d. Phishing prevention

Campaigns

Organized efforts to test and increase security awareness among employees.

What is the primary goal of security awareness training for employees?

a. To ensure they are aware of the company’s security policy.
b. To enable them to recognize and respond appropriately to security threats.
c. To ensure they know the IT department’s contact information.
d. To inform them of the latest industry news.

To enable them to recognize and respond appropriately to security threats.

Security awareness training aims to equip employees with the knowledge and skills to detect and deal with security threats.

Which of the following best explains the role of a regulatory external audit for a company?

a. To verify the company’s adherence to industry-specific laws and regulations.
b. To evaluate the company’s internal communication effectiveness.
c. To ensure the company’s marketing strategy aligns with industry trends.
d. To check if the company’s financial statements are accurate.

To verify the company’s adherence to industry-specific laws and regulations.

Regulatory audits ensure compliance with specific industry laws and standards.

In the context of privacy, who is responsible for determining the purpose, conditions, and means of processing personal data?

a. Controller
b. Data subject
c. Processor
d. Data inventory manager

Controller

Decides the purpose and means of processing personal data.

If an organization conducts a test by hiring ethical hackers to simulate an attack on its premises to identify vulnerabilities in its physical security measures, it is conducting which type of penetration test?

a. Active reconnaissance
b. Physical
c. Defensive
d. Offensive

Physical

Refers to testing vulnerabilities in physical security measures.

When an employee is trained to be cautious about sharing office details over casual conversations outside work, this training is primarily against which type of threat?

a. Insider threats
b. Password attacks
c. Phishing
d. Social engineering

Social engineering

Involves manipulating individuals into divulging confidential information.

An employee was given a USB stick at a conference, which they want to use at work. Before using it, what is the best security measure they should take?

a. Copy the USB contents to the cloud.
b. Have the IT department scan it for malware.
c. Format the USB stick.
d. Use it on a personal computer first.

Have the IT department scan it for malware.

Ensures the device is safe before potential threats can harm the company’s network.

For which reason might an organization want its employees to undergo regular training on recognizing a phishing attempt?

a. To replace the need for email filtering systems.
b. To shift all responsibility for phishing attacks to employees.
c. To reduce the need for advanced firewall systems.
d. To minimize the risk of successful phishing attacks.

To minimize the risk of successful phishing attacks.

Well-trained employees can be the first line of defense against phishing attempts.

An organization requires all employees to acknowledge they have read and understood the security policy every year. What best describes this practice?

a. Regulatory audit
b. Attestation
c. Data inventory
d. Due diligence/care

Attestation

Refers to a formal declaration or verification, in this case, that employees have understood the security policy.