CompTIA Security+ SY0-701: General Security Concepts

Try 10 focused CompTIA Security+ SY0-701 questions on General Security Concepts, with explanations, then continue with IT Mastery.


Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.


Topic snapshot

Field              Detail
Exam route         CompTIA Security+ SY0-701
Topic area         General Security Concepts
Blueprint weight   12%
Page purpose       Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate General Security Concepts for CompTIA Security+ SY0-701. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass: First attempt
  What to do: Answer without checking the explanation first.
  What to record: The fact, rule, calculation, or judgment point that controlled your answer.

Pass: Review
  What to do: Read the explanation even when you were correct.
  What to record: Why the best answer is stronger than the closest distractor.

Pass: Repair
  What to do: Repeat only missed or uncertain items after a short break.
  What to record: The pattern behind misses, not the answer letter.

Pass: Transfer
  What to do: Return to mixed practice once the topic feels stable.
  What to record: Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 12% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: General Security Concepts

A company historically treats any device on the internal LAN or connected via VPN as trusted. After an incident where an attacker used stolen VPN credentials from an unmanaged laptop to access internal apps and SaaS data, the CISO decides to move toward a zero trust model.

The CISO’s priorities are:

  • Minimize implicit trust based only on network location (“inside” vs. “outside”).
  • Continuously verify both user identity and device health whenever users access critical resources.

Which of the following actions/controls will BEST meet these requirements? (Select TWO.)

Options:

  • A. Reduce SaaS application session timeouts from 30 days to 8 hours so users must log in again at least daily.

  • B. Allow full internal network access to any device that successfully connects to the corporate VPN, but tighten perimeter firewall rules against the internet.

  • C. Implement network segmentation by creating separate VLANs for users and servers and allowing all traffic between them once a device is on the corporate LAN or VPN.

  • D. Require all users to access internal and SaaS applications through an SSO portal with MFA and device-compliance checks on each new application session.

  • E. Deploy network access control (NAC) that checks device posture (patch level, EDR status, encryption) at connection time and periodically revalidates it, moving noncompliant devices to a quarantine network.

Correct answers: D and E

Explanation: Zero trust is a security model built around the idea of “never trust, always verify”. Instead of assuming anything on the internal network is trustworthy, every access request is evaluated based on the user, device, context, and policies.

Two key ideas in this question are:

  • Minimizing implicit trust based on network location: being on the LAN or VPN should not automatically grant broad access.
  • Continuous verification: user identity and device health should be rechecked regularly and per access, rather than only at initial login.

Requiring access through an SSO portal with MFA and device-compliance checks ensures identity and device posture are evaluated each time a new application session is started, regardless of whether the user is “inside” or “outside” the network. Deploying NAC with posture checks and periodic revalidation ensures that devices are not considered permanently trusted just because they connected once; instead, their security state is continuously monitored and enforced.

Other options either maintain a perimeter-focused model (trusting anything on the VPN or LAN), rely purely on network segmentation, or make only minor improvements to session management without embodying continuous verification and reduced implicit trust.


Question 2

Topic: General Security Concepts

A mid-sized medical office stores electronic health records (EHRs) on an internal application server that staff access from their Windows laptops. A recent assessment highlighted three main risks: tailgating into staff areas, shared weak passwords for the EHR system, and a lack of documented access rules.

Management wants to improve security using a defense-in-depth approach that clearly includes physical, technical, and administrative layers, while keeping the system reasonably usable for staff and staying within a modest budget (no full network redesign).

Which of the following strategies BEST meets these requirements?

Options:

  • A. Move the EHR server to an isolated, air-gapped network that only IT can access directly, and have staff request needed patient records from IT via an internal ticketing system with documented procedures.

  • B. Deploy full network micro-segmentation around the EHR server, require all staff to use a VPN even on-site, and enable host-based firewalls on every laptop, but make no changes to facility access or policies.

  • C. Install badge-controlled locks on doors to the staff area, require MFA and role-based permissions on the EHR application, and implement a formal access control policy with training and periodic access reviews.

  • D. Add door locks and a visitor sign-in sheet at reception, require staff to sign a confidentiality agreement once at hiring, and place the EHR server in a locked cabinet with no changes to user authentication.

Best answer: C

Explanation: The scenario asks for a defense-in-depth strategy that explicitly combines physical, technical, and administrative controls to protect the same asset (the EHR system), while preserving day-to-day usability and avoiding a major network redesign.

Defense in depth means you do not rely on a single barrier. Instead, if one layer fails (for example, someone tailgates into the office), other layers (strong authentication, clear policies, monitoring) still protect the data.

The strategy that uses badge-controlled doors (physical), MFA and role-based access on the EHR (technical), and a formal access control policy with training and periodic reviews (administrative) clearly provides multiple, complementary layers. It specifically addresses the identified risks of tailgating, weak/shared passwords, and lack of documented rules, without overcomplicating the environment or breaking usability.

The other options either over-focus on a single type of control, fail to address key risks, or introduce impractical complexity and usability issues, which violates the scenario’s constraints.


Question 3

Topic: General Security Concepts

Which statement accurately compares symmetric and asymmetric encryption in terms of key use, performance, and typical use cases?

Options:

  • A. Both symmetric and asymmetric encryption use public/private key pairs, but symmetric is slower and used for small messages, while asymmetric is faster and used for streaming data.

  • B. Symmetric encryption uses a public/private key pair, is slower, and is mainly used for digital signatures, while asymmetric encryption uses one shared key, is faster, and is used for bulk data encryption.

  • C. Symmetric encryption uses one shared secret key, is faster, and is typically used to encrypt large amounts of data, while asymmetric encryption uses a public/private key pair, is slower, and is commonly used for key exchange and digital signatures.

  • D. Symmetric encryption uses different keys for encryption and decryption and is mainly used for password hashing, while asymmetric encryption uses the same key for both operations and is mainly used for database encryption.

Best answer: C

Explanation: Symmetric and asymmetric encryption differ primarily in how they use keys, their performance characteristics, and what they are typically used for.

Symmetric encryption uses a single shared secret key for both encryption and decryption. Because the algorithms are computationally efficient, symmetric encryption is fast and is therefore the standard choice for encrypting large volumes of data (for example, disks, database fields, or data moving through a VPN tunnel). The main challenge is securely sharing and managing the secret key.

Asymmetric encryption uses a mathematically related public/private key pair. Operations are much more computationally expensive, so asymmetric encryption is slower and not usually used directly for bulk data. Instead, it is commonly used for key exchange (for example, establishing a session key for symmetric encryption) and for digital signatures and certificate-based authentication, where its public/private key properties are most useful.

The correct statement is the one that reflects all three aspects together: symmetric = one shared key, faster, bulk data; asymmetric = key pair, slower, key exchange and digital signatures.


Question 4

Topic: General Security Concepts

A security analyst has completed a simple risk assessment for a critical asset, as shown below.

Exhibit:

Asset                   SLE (per incident)   ARO (per year)
E-commerce web server   $10,000              2

Based only on the information in the exhibit, which statement BEST describes the annual loss expectancy (ALE) for this risk?

Options:

  • A. The ALE is $20,000, representing the maximum one-time loss the organization could suffer if this threat occurs.

  • B. The ALE is $10,000, representing the replacement cost of the server each time an incident occurs, regardless of frequency.

  • C. The ALE is $20,000, meaning the organization can expect to lose about this amount per year from this threat.

  • D. The ALE is $5,000, meaning the server will fail on average once every five years.

Best answer: C

Explanation: The exhibit shows a single asset, an e-commerce web server, with a single loss expectancy (SLE) of $10,000 per incident and an annualized rate of occurrence (ARO) of 2 incidents per year.

In basic risk management, annual loss expectancy (ALE) is calculated as:

\[ \text{ALE} = \text{SLE} \times \text{ARO} \]

Using the values in the exhibit:

  • SLE = $10,000 (loss per incident)
  • ARO = 2 incidents per year

So:

\[ \text{ALE} = 10{,}000 \times 2 = 20{,}000 \]

This $20,000 is an expected annual loss value for this particular risk, averaged over time. It is not a guarantee, not the per-incident loss, and not the maximum single loss; it is a planning number used to compare and prioritize risks and potential controls.
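A worked version of the calculation, as an added example and not part of the original question set. It applies ALE = SLE × ARO to the exhibit's web server, ranks that risk against a second register entry constructed here for illustration, and extends the formula to the cost-benefit comparison the explanation mentions: a control is worth funding only when the ALE it removes exceeds its own annual cost. The control figures (a web application firewall and a cold standby server) and the payroll database risk are assumptions, not data from the page.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Risk:
    """One row of a simple quantitative risk register."""
    asset: str
    sle: float  # single loss expectancy: dollars lost per incident
    aro: float  # annualized rate of occurrence: incidents per year

    def ale(self) -> float:
        """Annual loss expectancy: expected dollars lost per year from this risk."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual SLE/ARO expected once it is in place."""
    name: str
    annual_cost: float  # licensing, hardware, staff time per year
    sle_after: float
    aro_after: float


def residual_ale(control: Control) -> float:
    """ALE that remains after the control is applied."""
    return control.sle_after * control.aro_after


def control_value(risk: Risk, control: Control) -> float:
    """Net annual benefit of a control: risk removed minus what the control costs.

    Positive means the control saves more than it costs; negative means the
    organization would spend more on the safeguard than the risk it removes.
    """
    return risk.ale() - residual_ale(control) - control.annual_cost


def rank_risks(risks: Iterable[Risk]) -> List[Risk]:
    """Highest ALE first, the usual order for deciding what to treat."""
    return sorted(risks, key=Risk.ale, reverse=True)


def best_control(risk: Risk, candidates: Iterable[Control]) -> Optional[Control]:
    """Pick the control with the highest net value, or None if none pays for itself."""
    worthwhile = [c for c in candidates if control_value(risk, c) > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda c: control_value(risk, c))


# Values taken from the exhibit.
EXHIBIT_RISK = Risk(asset="E-commerce web server", sle=10_000, aro=2)

# Constructed second risk, present only to show ranking (not from the page).
PAYROLL_RISK = Risk(asset="Payroll database", sle=50_000, aro=0.25)
SAMPLE_RISKS = [PAYROLL_RISK, EXHIBIT_RISK]

# Constructed candidate controls for the web server (assumptions, not page data).
WAF = Control(name="Web application firewall", annual_cost=6_000, sle_after=10_000, aro_after=0.5)
STANDBY = Control(name="Cold standby server", annual_cost=18_000, sle_after=2_000, aro_after=2)


if __name__ == "__main__":
    for risk in rank_risks(SAMPLE_RISKS):
        print(f"{risk.asset}: ALE = ${risk.ale():,.0f}")
    for control in (WAF, STANDBY):
        print(f"{control.name}: net value = ${control_value(EXHIBIT_RISK, control):,.0f}")
    chosen = best_control(EXHIBIT_RISK, [WAF, STANDBY])
    print("Fund:", chosen.name if chosen else "nothing; accept the risk")
```

The standby server illustrates the trap the ALE figure is meant to expose: it cuts the per-incident loss sharply, yet at $18,000 a year it costs more than the $16,000 of annual loss it removes, so the cheaper WAF is the better use of the budget.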


Question 5

Topic: General Security Concepts

A company has several remote employees who access on-premises file shares over the internet using SMB from their home networks. The security team has two concerns: attackers could intercept data in transit, and confidential files stored on employees’ laptops could be exposed if a laptop is lost or stolen. Which of the following actions/controls will BEST address these two concerns? (Select TWO.)

Options:

  • A. Require remote users to connect through a VPN tunnel before accessing file shares

  • B. Enable full-disk encryption on all company laptops

  • C. Configure host-based firewalls on laptops to block inbound SMB connections

  • D. Schedule nightly copies of file shares to a cloud backup service

  • E. Enforce complex passwords on all file server shares

Correct answers: A and B

Explanation: This scenario has two clear needs mapped to basic cryptographic use cases:

  • Protecting data in transit between remote laptops and on-premises file shares.
  • Protecting data at rest on employee laptops if a device is lost or stolen.

The best way to protect data in transit over an untrusted network (the internet) is to encrypt the communication channel. A VPN provides this by creating an encrypted tunnel between the remote user and the corporate network; as a side benefit, the SMB service is no longer reachable directly from the internet, which removes an exposed service as well as cleartext traffic. To protect data at rest on the laptops, full-disk encryption ensures that even if someone gains physical access to the device, the stored data remains unreadable without the proper keys. That protection holds only while the volume key is unavailable (the laptop is powered off or at a pre-boot prompt), so in practice it is paired with pre-boot authentication or a TPM-backed key and with escrowed recovery keys.

Mapping each option to the requirements:

  • ✔ Require remote users to connect through a VPN tunnel before accessing file shares — Encrypts data in transit over the internet.
  • ✔ Enable full-disk encryption on all company laptops — Encrypts data at rest on the laptop drives.
  • ✖ Enforce complex passwords on all file server shares — Helps authentication but does not provide encryption for transit or rest.
  • ✖ Configure host-based firewalls on laptops to block inbound SMB connections — Reduces attack surface but does not address the encryption requirements.
  • ✖ Schedule nightly copies of file shares to a cloud backup service — Supports availability and recovery, not confidentiality via encryption.

Together, the VPN and full-disk encryption directly address the two cryptographic use cases the question is testing: securing data in transit and securing data at rest.


Question 6

Topic: General Security Concepts

A mid-sized company is formalizing its security team structure. The security manager needs to:

  • Create a security architect role that focuses on designing the overall security architecture for a new hybrid (on‑prem and cloud) environment.
  • Create a security analyst role that focuses on day‑to‑day monitoring and incident triage in the SOC.

Which of the following actions/controls will BEST meet these requirements? (Select TWO.)

Options:

  • A. Define the security analyst role to write HR disciplinary procedures and manage performance reviews for staff who violate policy.

  • B. Define the security architect role to perform user account provisioning, password resets, and routine access changes.

  • C. Define the security analyst role to monitor SIEM dashboards, investigate alerts, and escalate incidents according to documented playbooks.

  • D. Define the security architect role to design network and cloud security reference architectures, including segmentation and security control placement.

  • E. Define the security analyst role to approve all security policies and set the organization’s risk appetite.

Correct answers: C and D

Explanation: This scenario tests understanding of common security job roles, specifically how a security architect differs from a security analyst.

A security architect is primarily responsible for designing the organization’s security architecture: choosing where to place controls such as firewalls, IDS/IPS, and IAM components; designing network segmentation; and defining secure patterns for on‑prem and cloud environments.

A security analyst, especially in a SOC, is focused on operations: monitoring security tools (like SIEM and EDR), triaging alerts, performing initial investigations, and escalating incidents according to playbooks. They execute and tune controls rather than define enterprise‑wide architecture or policy.

The correct options assign architecture and monitoring/triage activities to the appropriate roles, while the incorrect options mis-assign management, HR, or administrative duties to technical roles.


Question 7

Topic: General Security Concepts

A developer on your team is designing how a new web application will handle user credentials and other sensitive data. During a design review, several statements are made about hashing, encryption, and encoding.

Which of the following statements is INCORRECT and reflects an unsafe understanding of these concepts?

Options:

  • A. Encryption is designed to be reversible using the correct key so that authorized parties can recover the original plaintext from the ciphertext.

  • B. Hashing is a one-way process used primarily to verify data integrity; you cannot recover the original data from a properly designed cryptographic hash.

  • C. Base64-encoding passwords before storing them in a database is sufficient protection because attackers cannot realistically reverse the encoded values.

  • D. Encoding formats data for compatibility or transmission (for example, in URLs or email) and is not intended to provide security or confidentiality.

Best answer: C

Explanation: This question targets the basic cryptographic concepts of hashing, encryption, and encoding, focusing on their purposes and whether they are reversible.

Hashing uses one-way functions. A cryptographic hash function takes input data and produces a fixed-size output (the hash or digest). It is computationally infeasible to recover the original input from the hash or to find another input with the same hash. This property makes hashing useful for integrity verification and password storage (when combined with salting and appropriate algorithms such as PBKDF2, bcrypt, scrypt, or Argon2).

Encryption provides confidentiality. It transforms plaintext into ciphertext using an encryption algorithm and a key. With the correct decryption key, the process is reversible and the original plaintext can be recovered by authorized parties. Without the key, an attacker should not be able to feasibly obtain the plaintext.

Encoding is about representation, not security. Schemes like Base64, URL encoding, or character set encodings (such as UTF-8) are designed to ensure data can be safely transported or stored across systems that may not accept arbitrary binary data. Encoding is fully reversible and does not involve secrets; therefore, it does not provide confidentiality or meaningful protection against attackers.

The unsafe statement is the one that treats Base64 encoding of passwords as if it were a secure protective control. Because encoding is easily reversed, storing passwords this way leaves them exposed if the database is compromised, violating basic security principles for credential handling.
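The three behaviours the explanation contrasts, shown side by side in runnable form. This is an added example written for this page, not code from the original question set: the sample password, the leaked digest and the short wordlist are all constructed, and the PBKDF2 iteration count is an assumption to be tuned per deployment (600,000 is the figure OWASP's Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256). It shows that the option C scheme is undone with one library call, that a fast unsalted hash of a weak password falls to a dictionary without any key, and what a salted, deliberately slow hash with constant-time verification looks like.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample credential used throughout the demonstration (not real data).
SAMPLE_PASSWORD = "Tr0ub4dor&3"


# --- Encoding: a change of representation, fully reversible with no secret ---

def base64_store(password: str) -> str:
    """The unsafe scheme from option C: Base64 hides nothing from an attacker."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def base64_recover(stored: str) -> str:
    """Anyone who reads the database column gets the password back in one call."""
    return base64.b64decode(stored).decode("utf-8")


# --- Fast unsalted hashing: one-way, but guessable for low-entropy input ---

# Constructed: what a leaked column would hold if the app stored bare SHA-256.
LEAKED_UNSALTED_DIGEST = hashlib.sha256(b"summer2024").hexdigest()
SMALL_WORDLIST = ["letmein", "password1", "summer2024", "welcome"]


def crack_unsalted_sha256(digest_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each guess and compare; no key is needed, only a dictionary and time."""
    for guess in wordlist:
        if hashlib.sha256(guess.encode("utf-8")).hexdigest() == digest_hex:
            return guess
    return None


# --- Salted, slow hashing: the pattern the explanation recommends ---

PBKDF2_ITERATIONS = 600_000  # assumption: tune for your hardware (OWASP figure for PBKDF2-HMAC-SHA256)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)  # fresh random salt per password defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    encoded = base64_store(SAMPLE_PASSWORD)
    print("Base64 column:", encoded, "-> recovered:", base64_recover(encoded))
    print("Unsalted SHA-256 cracked as:", crack_unsalted_sha256(LEAKED_UNSALTED_DIGEST, SMALL_WORDLIST))
    record = hash_password(SAMPLE_PASSWORD)
    print("Stored record:", record)
    print("Correct password verifies:", verify_password(SAMPLE_PASSWORD, record))
    print("Wrong password verifies:", verify_password("Tr0ub4dor&4", record))
```

Two details matter in review: the record carries its own salt and iteration count, so the cost can be raised later without invalidating existing users, and verification recomputes rather than decrypts, which is exactly the one-way property that option B describes and option C lacks.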


Question 8

Topic: General Security Concepts

A mid-sized company has never done a formal risk assessment. The CISO has 2 weeks to present a clear, business-friendly list of the top security risks to senior executives so they can decide which projects to fund this year. The company has very limited historical loss data and cannot reliably estimate exact dollar impacts.

Which approach is the most appropriate for this situation?

Options:

  • A. Perform a qualitative risk assessment using a likelihood-and-impact matrix scored as low/medium/high.

  • B. Perform a full quantitative risk assessment calculating annual loss expectancy (ALE) for each asset.

  • C. Perform a detailed business impact analysis (BIA) focusing on recovery time and recovery point objectives for all applications.

  • D. Conduct only a technical vulnerability scan of critical systems and report the number of high-severity findings.

Best answer: A

Explanation: This scenario is about choosing the right risk assessment approach when time is limited and there is little reliable financial data. The CISO must quickly communicate to executives which risks are most important so they can decide on funding.

A qualitative risk assessment uses descriptive scales (such as low/medium/high or 1–5) for both likelihood and impact. It allows stakeholders to compare and rank risks without requiring precise dollar figures. This makes it ideal when an organization lacks detailed historical loss data or when the goal is to provide an easy-to-understand, relative ranking rather than exact cost estimates.

In contrast, a fully quantitative assessment attempts to assign numeric values to likelihood and impact (for example, calculating annual loss expectancy), which requires fairly good data about frequencies and costs. That kind of detail is not available here, and the 2-week deadline makes it even less practical.

Other activities like vulnerability scanning and business impact analysis support aspects of risk management but do not, by themselves, produce the high-level, prioritized risk list the CISO needs for executive decision-making.


Question 9

Topic: General Security Concepts

A security team estimates there is a “high probability that a phishing email will successfully trick at least one employee into revealing their VPN password this quarter.”

Which risk management term BEST describes what the team is estimating in this statement?

Options:

  • A. Vulnerability

  • B. Impact

  • C. Likelihood

  • D. Threat

Best answer: C

Explanation: Basic risk management separates different but related ideas: threats, vulnerabilities, risk, likelihood, and impact.

In this scenario, the team already knows the threat (a phishing campaign) and the potential outcome (credential theft). What they are specifically estimating is how probable it is that the threat will result in at least one successful compromise within a set time frame (this quarter). In risk management terms, that probability is called likelihood.

Understanding the distinction helps security practitioners communicate clearly: likelihood answers “How probable is it?”, while impact answers “How bad would it be if it happened?” Together, they help prioritize which risks to address first.


Question 10

Topic: General Security Concepts

A small company stores all customer records on a single on-premises file server located in a locked closet. Many IT and non-IT staff share the same physical key to the closet, and any domain user with a password can access the shared folders. Management wants to improve protection of this server and its data by applying defense in depth using physical, technical, and administrative controls, without completely redesigning the network. Which of the following changes BEST meets this goal?

Options:

  • A. Install an additional internet-facing firewall and a secure web gateway to filter employee web traffic, leaving the server closet and file server configuration unchanged.

  • B. Move the file server into the main office area for easier observation by staff and give all IT personnel local administrator rights to maintain it quickly.

  • C. Replace the shared closet key with individual badge access to the server room, require manager-approved access lists and visitor sign-in, and enable full-disk encryption plus a host-based firewall on the file server.

  • D. Require all users to change their Windows passwords to longer passphrases but continue using the same shared physical key and keep existing file share permissions as-is.

Best answer: C

Explanation: Defense in depth, also called layered security, means protecting the same asset with multiple, independent security controls across different layers—such as physical, technical, and administrative—so that if one control fails, others still reduce the likelihood or impact of compromise.

In this scenario, the critical asset is the on-premises file server and the customer data it stores. Currently, the protection is weak: many people share the same physical key to the closet, and any domain user with a password can access the data. Management’s goal is not to redesign the whole network but to add meaningful, layered protections specifically around this server and its data.

The best option is the one that introduces complementary physical controls for the room, administrative controls over who is allowed in, and technical controls on the server itself. This combination clearly demonstrates defense in depth: an attacker must bypass multiple independent safeguards to reach and misuse the data.

Continue with full practice

Use the CompTIA Security+ SY0-701 Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.


Free review resource

Read the CompTIA Security+ SY0-701 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.

Revised on Thursday, May 14, 2026