Try 10 focused CompTIA Security+ SY0-701 questions on Security Program Oversight, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA Security+ SY0-701 |
| Topic area | Security Program Management and Oversight |
| Blueprint weight | 20% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Security Program Management and Oversight for CompTIA Security+ SY0-701. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 20% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Security Program Management and Oversight
An online retail company is updating its disaster recovery plan. A recent BIA shows that for a primary data center outage, the business requires an RTO of 4 hours and an RPO of 1 hour. Leadership has approved a mid-range DR budget that can pay for warm cloud-based capabilities but explicitly cannot fund a fully mirrored hot site with dedicated 24/7 staff.
Which of the following strategies should you AVOID? (Select TWO.)
Options:
A. Pre-provision a minimal set of servers in a cloud region, keep them powered off, and replicate production data hourly; during a disaster, IT staff bring systems online and scale out capacity as needed.
B. Use a cloud DRaaS provider to maintain a warm standby environment with key virtual machines powered on and databases replicated every 15 minutes, tested to fail over within 2 hours.
C. Use the primary data center as normal but perform encrypted VM image backups every 30 minutes to low-cost cloud storage, with documented runbooks to restore critical services into cloud IaaS within 3 hours.
D. Contract for a dedicated hot site that mirrors the primary data center with fully redundant hardware, synchronous replication, and 24/7 on-site staff, at a cost significantly above the approved DR budget.
E. Lease empty rack space at a secondary facility with only power and network; after a disaster, order hardware and restore from weekly offline backups, expecting 2–3 days to resume operations.
Correct answers: D and E
Explanation: This scenario tests understanding of business continuity and disaster recovery site strategies—specifically hot, warm, and cold sites—and how to choose them based on recovery time objective (RTO), recovery point objective (RPO), and budget.
A cold site provides space, power, and connectivity but little or no pre-installed hardware or data. It is inexpensive but typically has very long RTO and RPO because hardware must be acquired and backups restored after a disaster.
A hot site mirrors the primary site with live, synchronized data and ready-to-run systems. It offers very low RTO and RPO but at very high ongoing cost for duplicate infrastructure and staffing.
A warm site falls between these extremes: some infrastructure and data are pre-staged (for example, pre-provisioned servers, replicated data, or DRaaS), allowing recovery in hours instead of days, at a cost lower than a full hot site. In this scenario, the company needs an RTO of 4 hours and an RPO of 1 hour, with a budget that can support warm capabilities but not a fully mirrored hot site. Therefore, any option that cannot meet the RTO/RPO or that obviously exceeds the approved budget is inappropriate and should be avoided. Option D fails on budget, and option E is a cold site whose 2–3 day rebuild and weekly offline backups cannot satisfy a 4-hour RTO or a 1-hour RPO. Options A, B, and C are warm or backup-and-restore approaches that fit the approved budget and are designed to recover within the required windows.
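The selection logic in this explanation (screen each candidate against RTO, RPO, and the approved cost ceiling, and avoid anything that misses one of them) can be written down as a small reusable check. The following is an added example, not part of the IT Mastery practice item; the scenario values are taken from the question above, but the cost tiers and the hot-site RTO are assumptions I have assigned from the option wording, and option A's RTO is deliberately left unknown because the option states no tested recovery time.

```python
"""Screen disaster recovery options against BIA targets (RTO, RPO, budget)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RecoveryTargets:
    rto_hours: float        # maximum tolerable downtime from the BIA
    rpo_hours: float        # maximum tolerable data loss from the BIA
    max_cost_tier: int      # 1 = cold/low, 2 = warm/mid, 3 = hot/high (approved ceiling)


@dataclass(frozen=True)
class DrOption:
    label: str
    description: str
    rto_hours: Optional[float]  # None when the option states no tested recovery time
    rpo_hours: float            # worst-case data loss implied by the replication/backup interval
    cost_tier: int              # 1 = low, 2 = mid, 3 = high


def evaluate_option(targets: RecoveryTargets, opt: DrOption) -> tuple[list[str], list[str]]:
    """Return (reasons_to_avoid, open_questions) for one candidate strategy.

    A reason to avoid is a hard failure against the BIA or the budget.
    An open question is something that must be verified (e.g. by a DR test)
    before the option can be relied on, but is not by itself disqualifying.
    """
    avoid: list[str] = []
    questions: list[str] = []

    if opt.cost_tier > targets.max_cost_tier:
        avoid.append(f"cost tier {opt.cost_tier} exceeds approved tier {targets.max_cost_tier}")

    if opt.rpo_hours > targets.rpo_hours:
        avoid.append(f"RPO {opt.rpo_hours}h exceeds target {targets.rpo_hours}h")

    if opt.rto_hours is None:
        questions.append("no tested RTO stated; run a failover exercise before accepting")
    elif opt.rto_hours > targets.rto_hours:
        avoid.append(f"RTO {opt.rto_hours}h exceeds target {targets.rto_hours}h")

    return avoid, questions


def options_to_avoid(targets: RecoveryTargets, options: list[DrOption]) -> dict[str, list[str]]:
    """Map option label -> reasons, for every option with at least one hard failure."""
    result: dict[str, list[str]] = {}
    for opt in options:
        avoid, _ = evaluate_option(targets, opt)
        if avoid:
            result[opt.label] = avoid
    return result


# Constructed from the question: RTO 4h, RPO 1h, budget approves warm (tier 2) but not hot (tier 3).
SCENARIO_TARGETS = RecoveryTargets(rto_hours=4, rpo_hours=1, max_cost_tier=2)

# Constructed from the five answer options. Cost tiers and the hot-site RTO are my assumptions;
# E uses the 2-day lower bound of "2-3 days" and a 7-day (168h) RPO for weekly backups.
SCENARIO_OPTIONS = [
    DrOption("A", "cloud servers powered off, hourly replication", None, 1.0, 2),
    DrOption("B", "DRaaS warm standby, 15-min replication, 2h tested failover", 2.0, 0.25, 2),
    DrOption("C", "30-min VM image backups, restore to IaaS in 3h", 3.0, 0.5, 1),
    DrOption("D", "dedicated hot site, synchronous replication, 24/7 staff", 0.5, 0.0, 3),
    DrOption("E", "empty racks, order hardware, weekly offline backups", 48.0, 168.0, 1),
]

if __name__ == "__main__":
    for opt in SCENARIO_OPTIONS:
        avoid, questions = evaluate_option(SCENARIO_TARGETS, opt)
        verdict = "AVOID" if avoid else "candidate"
        print(f"{opt.label}: {verdict} {avoid or ''} {questions or ''}")
```

Run stand-alone, it flags D (budget) and E (both RTO and RPO), leaves A, B, and C as candidates, and records that A still needs a tested failover time before it can be relied on. Separating hard failures from open questions is the useful habit here: a warm option that has never been exercised is not yet evidence that the RTO will be met.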
Topic: Security Program Management and Oversight
Which TWO of the following are appropriate due diligence activities before onboarding a new cloud-based HR/payroll vendor that will handle employee PII? (Select TWO.)
Options:
A. Requesting and reviewing recent independent security attestations or audit reports (for example, third-party assessment summaries)
B. Sending a structured security and privacy questionnaire to the vendor and reviewing their responses for control gaps
C. Relying solely on the vendor’s marketing material and sales presentations to assess their security posture
D. Skipping formal security review if the vendor is a large, well-known brand with a strong market reputation
E. Granting the vendor full production access first, then evaluating their security practices based on how they operate
Correct answers: A and B
Explanation: Due diligence for vendor and supply chain risk management is performed before onboarding a new provider to understand and manage the risks they introduce. This is especially critical when a vendor will process or store sensitive data such as employee personally identifiable information (PII).
Common due diligence activities include structured questionnaires about the vendor’s security controls, policies, and incident response, as well as reviewing independent audit reports or assessment summaries. These help the organization judge whether the vendor’s controls meet internal policy, regulatory, and contractual requirements and whether any compensating controls are needed.
In contrast, informal signals such as marketing claims, brand recognition, or waiting to observe behavior after granting access do not provide sufficient assurance and can expose the organization to unnecessary risk. Security+ candidates should recognize that due diligence is proactive, evidence-based, and documented, not based on trust or reputation alone.
Topic: Security Program Management and Oversight
A security manager is reviewing the company’s insider risk reporting policy shown in the exhibit. Employees rarely report concerns about coworkers’ potentially harmful behavior.
Based on the policy text, which change would MOST improve employees’ willingness to report potential insider threats?
Exhibit:
Insider Risk Reporting Policy (Excerpt)
• Employees who observe behavior that may harm the company must report it in writing to their direct supervisor.
• Reports may not be anonymous.
• The supervisor will decide whether to inform Security or HR.
• Knowingly false reports may result in disciplinary action, up to and including termination.
Options:
A. Change the requirement from written reports to in-person verbal reports to the direct supervisor so that reports feel more personal and less formal.
B. Keep the policy as written but add a yearly e-learning module that explains common insider threat attack techniques and case studies.
C. Require employees to obtain their manager’s written approval before any report can be sent to Security to reduce unnecessary investigations.
D. Create a confidential reporting hotline and web form that allow optional anonymous reports directly to the security/ethics team, and communicate a clear non-retaliation statement.
Best answer: D
Explanation: This question focuses on insider threat awareness and the importance of clear, confidential reporting channels. Effective insider risk programs emphasize reporting of concerning behaviors (for example, policy violations, unusual data access, or signs of sabotage) through channels that feel safe, confidential, and free from retaliation.
In the exhibit, the policy forces employees to report only to their direct supervisor, explicitly states that reports “may not be anonymous,” and emphasizes the possibility of discipline for false reports. These elements can create fear and discourage reporting.
The best improvement is to introduce a confidential reporting channel (such as a hotline or secure web form) that allows optional anonymity and goes directly to an appropriate team (security, ethics, or compliance). Coupled with a clear non-retaliation commitment, this addresses the main barriers shown in the policy and encourages employees to report behavior-based insider risk concerns earlier and more often.
Other changes that add bureaucracy, keep everything under the supervisor’s control, or only increase training without fixing the reporting channel do not directly solve the problem highlighted by the exhibit.
Topic: Security Program Management and Oversight
Which of the following metrics would MOST directly demonstrate that a company’s security awareness training is becoming more effective over time?
Options:
A. The total number of security awareness emails sent to all employees each month
B. A decreasing percentage of users who click links in periodic phishing simulation emails
C. The number of training modules created by the security team during the year
D. The percentage of employees who opened the invitation to the training session
Best answer: B
Explanation: To show that security awareness training is effective, organizations should measure behavioral outcomes, not just training activity. In the context of phishing awareness, one of the clearest indicators of success is a reduction in risky actions—specifically, fewer users falling for simulated phishing attempts.
A decreasing percentage of users who click on links in phishing simulation emails across multiple campaigns shows that employees are recognizing suspicious messages and making safer choices. This aligns directly with the training objective: to reduce the likelihood that users will be tricked by real phishing attacks.
By contrast, metrics such as how many emails were sent, how many modules were created, or how many invitations were opened only measure inputs or engagement, not whether users actually apply secure behaviors in practice. Domain 5 of Security+ emphasizes using meaningful metrics like phishing simulation results and feedback to assess and improve training programs.
Topic: Security Program Management and Oversight
Which TWO statements correctly describe due care and due diligence in security risk management? (Select TWO.)
Options:
A. Due diligence involves researching and assessing security risks and options before management decides how to treat those risks.
B. Due care involves implementing and operating reasonable security controls and practices based on previously made risk decisions.
C. Due diligence primarily refers to emergency response actions taken after a security incident has already occurred.
D. Due care means an organization may accept all identified risks as long as they are documented in a risk register.
E. Due care and due diligence are strictly legal terms with no practical impact on day-to-day security activities.
Correct answers: A and B
Explanation: Due care and due diligence are governance concepts that describe how management is expected to handle security risks.
Due diligence is about investigation and decision-making. Management gathers information about threats, vulnerabilities, impacts, and control options so they can make informed choices about how to treat each risk (mitigate, transfer, accept, or avoid). This is the “deciding” side.
Due care is about taking reasonable, appropriate action based on those decisions. That includes implementing security policies, technical controls, training, and monitoring, and keeping them up to date. This is the “doing” side that shows the organization behaved responsibly in protecting its assets.
Together, due diligence and due care help ensure that an organization is not only thinking about security risks but also acting on them in a reasonable, defensible way.
Topic: Security Program Management and Oversight
Which of the following statements about security policies, standards, guidelines, and procedures is NOT correct?
Options:
A. Security standards define specific, measurable requirements (such as minimum password length) that help enforce broader policy objectives.
B. Security procedures describe step-by-step tasks for implementing policies and standards, often in a checklist or workflow format.
C. Security policies provide high-level management direction, explaining what must be protected and why, without listing detailed technical steps.
D. Security guidelines are mandatory instructions that must always be followed exactly, like a checklist with no flexibility.
Best answer: D
Explanation: This question focuses on the governance hierarchy: policies, standards, guidelines, and procedures. Each type of document plays a different role in organizing and communicating security expectations.
Policies are high-level, management-approved statements of intent and direction. They say what must be protected and why, not exactly how. Standards support policies by defining consistent, measurable requirements, like minimum password length or required encryption algorithms.
Guidelines are recommended approaches or best practices that provide flexibility; they help people decide how to meet policies and standards when situations vary. Procedures, on the other hand, are mandatory, step-by-step instructions that describe exactly what to do, in what order, to implement policies and standards.
The incorrect statement is the one that claims guidelines are mandatory, exact instructions with no flexibility. That description actually matches procedures, not guidelines.
Topic: Security Program Management and Oversight
An organization requires all employees to read and sign an acceptable use policy during onboarding. The document clearly describes permitted and prohibited uses of company systems and data, warns that activity may be monitored, and explains possible disciplinary actions for violations. This policy is primarily an example of which security concept?
Options:
A. An incident response procedure for containing and eradicating threats
B. An administrative control that sets user behavior expectations and deters misuse
C. A cryptographic standard that specifies required encryption algorithms
D. A technical control that enforces least privilege on user accounts
Best answer: B
Explanation: An acceptable use policy (AUP) is part of security governance and is classified as an administrative control. Its main role is to define what users may and may not do with organizational systems and data, and to state that activity may be monitored and that violations can lead to disciplinary action.
By clearly stating expectations and consequences, an AUP shapes user behavior and acts as a deterrent control: users understand that misuse is forbidden, may be detected, and will have repercussions. This supports the organization’s overall security posture by reducing intentional and unintentional misuse of resources.
It does not directly configure systems, enforce access rights, or define technical standards. Instead, it sets the human and behavioral framework within which those technical controls operate.
Topic: Security Program Management and Oversight
A CISO is onboarding new security analysts and uses the following slide to explain how governance, risk management, and compliance relate to the security program.
Exhibit:
| Function | Main focus | Example security activity |
|---|---|---|
| Governance | Decide direction and expectations | Approve security policy; set acceptable risk levels |
| Risk management | Identify, analyze, and treat threats and impacts | Perform risk assessments; choose risk responses |
| Compliance | Verify adherence to required rules and standards | Conduct audits; map controls to laws and regulations |
Based on the exhibit, which planned activity BEST aligns with the governance function?
Options:
A. The compliance team maps existing technical controls to privacy regulations and prepares documentation for an upcoming audit.
B. The risk team calculates the likelihood and impact of phishing attacks and recommends specific new controls.
C. The board formally approves the enterprise security policy and defines the organization’s tolerance for data loss incidents.
D. The SOC tunes SIEM correlation rules to alert on violations of the current security policy and reports weekly statistics to management.
Best answer: C
Explanation: The exhibit distinguishes three related but different functions: governance, risk management, and compliance.
Governance is about direction and expectations. It is typically performed by senior leadership or a governing body, and includes decisions such as approving the overall security policy and defining what levels of risk the organization is willing to accept. These high-level decisions guide how the security program operates.
Risk management is about identifying, analyzing, and treating risks. Teams performing risk assessments, estimating likelihood and impact, and choosing mitigations are doing risk management, guided by the risk appetite and policies defined by governance.
Compliance is about checking whether the organization is following required rules and standards, such as laws, regulations, and internal policies. Activities such as audits and mapping controls to regulatory requirements belong here.
Because the exhibit explicitly lists governance example activities as “Approve security policy; set acceptable risk levels,” the activity where the board approves the enterprise security policy and defines tolerance for data loss is the clearest match to governance.
Topic: Security Program Management and Oversight
A mid-sized company is formalizing its governance model. The board wants a function that is independent of day-to-day operations and can provide objective assurance that risk management and compliance activities are working as intended across the organization. Which of the following functions BEST fits this role in the overall lines of defense?
Options:
A. Business unit managers who own their processes, accept or mitigate risks, and ensure staff follow procedures
B. An internal audit team that reports functionally to the board and periodically assesses the design and effectiveness of controls
C. An IT security operations center (SOC) that monitors alerts, responds to incidents, and tunes security tools
D. A centralized risk and compliance office that defines policies, tracks key risks, and oversees remediation plans
Best answer: B
Explanation: Governance models often describe three broad “lines of defense” for managing and overseeing risk and controls.
The first line of defense is operations: business units, IT teams, and security operations that own and run day-to-day processes and controls. They identify and manage risks directly within their activities.
The second line of defense consists of risk management and compliance functions. These groups help define policies and standards, monitor key risks, and oversee that the first line is following the organization’s risk and compliance expectations. They are still part of management, not fully independent.
The third line of defense is an independent audit function. Internal audit does not design or operate the controls it reviews. Instead, it provides objective assurance to senior leadership and the board that governance, risk management, and control processes are designed and operating effectively. The key discriminating factor is organizational independence from day-to-day operations and from the risk/compliance oversight function.
Because of that independence and assurance role, an internal audit team that reports to the board fits the third line of defense requirement in the scenario.
Topic: Security Program Management and Oversight
A regional healthcare provider plans to onboard a new cloud-based electronic records system from a third-party SaaS vendor. The system will store large amounts of patient PII/PHI, and the project sponsor wants reasonable assurance of the vendor’s security posture before signing the contract, without performing intrusive testing against the vendor’s environment.
Which activity is the MOST appropriate due diligence step in this situation?
Options:
A. Delay any security review until after the vendor has been in production for several months, then use internal audit findings to decide whether to continue the contract.
B. Perform background checks on the vendor’s sales representatives and rely on their personal reputations as a proxy for the company’s security maturity.
C. Send the vendor a structured security questionnaire and review their responses alongside recent independent security assessment or audit reports before contract signature.
D. Rely on the vendor’s uptime SLA and financial penalty clauses as evidence that their overall security controls are adequate.
Best answer: C
Explanation: Vendor and supply chain risk management requires organizations to perform due diligence before onboarding a third party, especially when the vendor will handle sensitive data such as PII or PHI. Due diligence is about gathering enough information to understand the vendor’s security posture and decide whether the risk is acceptable before signing a contract.
Common due diligence activities include sending security questionnaires, reviewing independent security assessments or audit reports, and performing reference checks with existing customers. These methods provide insight into the vendor’s policies, controls, and past performance without requiring intrusive testing against their environment, which many vendors restrict.
In this scenario, the organization needs assurance about the confidentiality and integrity of sensitive healthcare data before contract signature and cannot conduct direct penetration testing. The best action is therefore to use a structured security questionnaire and existing third-party assessment reports to evaluate the vendor’s controls as part of the pre-onboarding process.
Use the CompTIA Security+ SY0-701 Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the CompTIA Security+ SY0-701 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.