Try 10 focused CompTIA Security+ SY0-801 questions on General Security Concepts, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA Security+ SY0-801 |
| Topic area | General Security Concepts |
| Blueprint weight | 16% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate General Security Concepts for CompTIA Security+ SY0-801. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 16% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: General Security Concepts
A company adopts a policy that employees must not enter customer personal data into unapproved generative AI tools. The security team cannot immediately block all external AI features because several approved SaaS applications include embedded AI, and the approved tool list is still being finalized. The immediate goal is to communicate expected behavior and create accountability. Which control best maps to this requirement?
Options:
A. Block all AI-related domains at the web proxy
B. Disable browser access to all external SaaS applications
C. Publish an AI acceptable use standard with required acknowledgment
D. Deploy a DLP rule that blocks every personal-data web submission
Best answer: C
Explanation: Directive controls tell users what is expected, such as policies, standards, procedures, signage, and required acknowledgments. In this scenario, the organization has a policy objective but cannot yet enforce it technically without disrupting approved SaaS applications that include AI features. A directive control fits the immediate requirement because it communicates the rule, supports accountability, and can be implemented while the approved tool list and technical controls are refined. Technical enforcement may still be added later, but it is not the best first match when the scope is unclear and business-approved services could be blocked.
Topic: General Security Concepts
A healthcare support system stores case data in a shared database table. The security team must choose the narrowest encryption level that satisfies the access requirement shown in the exhibit.
Exhibit: Data-protection requirement
| Requirement | Detail |
|---|---|
| Storage | One database table with all support cases |
| Access | Agents may decrypt only cases assigned to them |
| Operations | DBAs must maintain indexes and backups |
| Constraint | Do not encrypt unrelated cases for the same agent |
Which encryption level best meets this requirement?
Options:
A. Full-disk encryption
B. Database-level encryption
C. Volume-level encryption
D. Record-level encryption
Best answer: D
Explanation: The requirement calls for the narrowest protection boundary: individual support case records inside a shared database table. Record-level encryption supports per-record protection and can pair each record with authorization decisions, such as allowing only the assigned agent to decrypt that case. This still lets DBAs maintain the database structure, indexes, and backups without making all case contents readable to them. Broader encryption levels protect larger storage areas and are useful for lost-device or broad at-rest protection, but they do not meet the stated need for separate access to individual records.
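The following Go program is an added illustration of the record-level design the explanation describes; it is not code from the page or from IT Mastery. Each support case gets its own data-encryption key (DEK), that DEK is wrapped only for the assigned agent's key-encryption key (KEK), and the DBA-facing columns (case ID, assigned agent) stay in plaintext so indexes and backups work without any key. The agent names, the in-process key store and the case text are constructed assumptions; in production the KEKs would live in a key service, not in the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample key store: one KEK per agent, held by the application's
// key service (assumed here as an in-process map), never by the database.
var agentKEKs = map[string][]byte{}

func init() {
	for _, a := range []string{"agent-anna", "agent-ben"} {
		agentKEKs[a] = randomBytes(32)
	}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// sealBlob encrypts with AES-256-GCM; aad binds the ciphertext to its context (the case ID).
func sealBlob(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// openBlob reverses sealBlob and fails if the ciphertext or its context was altered.
func openBlob(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// CaseRow is one record in the shared support-case table.
type CaseRow struct {
	CaseID        string // plaintext: DBAs can index on it
	AssignedAgent string // plaintext: used for routing and indexing
	Ciphertext    []byte // case notes under this record's own DEK
	WrappedDEK    []byte // the DEK encrypted under the assigned agent's KEK
}

// EncryptCase gives each record its own DEK and wraps that DEK for the assigned agent only.
func EncryptCase(caseID, agent, notes string) (*CaseRow, error) {
	kek, ok := agentKEKs[agent]
	if !ok {
		return nil, fmt.Errorf("unknown agent %q", agent)
	}
	dek := randomBytes(32)
	ct, err := sealBlob(dek, []byte(notes), []byte(caseID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealBlob(kek, dek, []byte("wrap:"+caseID))
	if err != nil {
		return nil, err
	}
	return &CaseRow{CaseID: caseID, AssignedAgent: agent, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptCase enforces the per-record authorization: only the assigned agent's KEK unwraps this DEK.
func DecryptCase(row *CaseRow, requestingAgent string) (string, error) {
	if requestingAgent != row.AssignedAgent {
		return "", fmt.Errorf("%s is not assigned to %s", requestingAgent, row.CaseID)
	}
	dek, err := openBlob(agentKEKs[requestingAgent], row.WrappedDEK, []byte("wrap:"+row.CaseID))
	if err != nil {
		return "", fmt.Errorf("unwrap failed: %w", err)
	}
	notes, err := openBlob(dek, row.Ciphertext, []byte(row.CaseID))
	if err != nil {
		return "", fmt.Errorf("record failed integrity check: %w", err)
	}
	return string(notes), nil
}

// ReassignCase rewraps only this record's DEK for a new agent (a key-custodian step);
// the case ciphertext and every other record are left untouched.
func ReassignCase(row *CaseRow, newAgent string) error {
	kek, ok := agentKEKs[newAgent]
	if !ok {
		return fmt.Errorf("unknown agent %q", newAgent)
	}
	dek, err := openBlob(agentKEKs[row.AssignedAgent], row.WrappedDEK, []byte("wrap:"+row.CaseID))
	if err != nil {
		return err
	}
	wrapped, err := sealBlob(kek, dek, []byte("wrap:"+row.CaseID))
	if err != nil {
		return err
	}
	row.AssignedAgent, row.WrappedDEK = newAgent, wrapped
	return nil
}

// BuildAgentIndex is what a DBA can do with no key at all: index and back up the table.
func BuildAgentIndex(rows []*CaseRow) map[string][]string {
	idx := map[string][]string{}
	for _, r := range rows {
		idx[r.AssignedAgent] = append(idx[r.AssignedAgent], r.CaseID)
	}
	return idx
}

func main() {
	row, _ := EncryptCase("CASE-1", "agent-anna", "caller asked about invoice 42") // constructed
	notes, err := DecryptCase(row, "agent-anna")
	fmt.Println("anna:", notes, err)
	_, err = DecryptCase(row, "agent-ben")
	fmt.Println("ben:", err)
}
```

Because the case ID is authenticated data for both the record and the wrapped key, a wrapped DEK copied from one row into another will not unwrap, and reassigning a case touches one wrapped key rather than re-encrypting the agent's other cases.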
Topic: General Security Concepts
A company that processes sensitive customer data had a firewall change approved and implemented by the same administrator, causing unintended Internet exposure for an internal application. The new change process requires the requester and approver to be different authorized staff members, with approvals recorded in the ticket before the maintenance window. Which foundational security principle is BEST supported by this practice?
Options:
A. Least privilege
B. Availability
C. Non-repudiation
D. Separation of duties
Best answer: D
Explanation: Separation of duties divides sensitive tasks among multiple authorized people so no single person can complete a high-risk action without oversight. In this scenario, the key control is that the firewall change requester cannot also approve the same change. The ticket record supports accountability, but the primary risk reduction comes from independent approval before implementation. Least privilege would focus on limiting permissions, while availability would focus on keeping systems accessible. The closest distractor is non-repudiation because recorded approvals help prove who approved what, but that is not the main principle enforced by requiring two different roles.
Topic: General Security Concepts
A security team changes the remote access design so administrators must now use a bastion host with MFA before reaching production servers. The change was approved, tested, and deployed during the maintenance window. Which follow-up action best keeps documentation accurate for future operations and audits?
Options:
A. Record only the test results in the change ticket
B. Notify administrators but leave the baseline diagrams unchanged
C. Update the network diagram, access policy, and remote access SOP
D. Update the asset inventory with server warranty dates
Best answer: C
Explanation: Change management does not end when a technical control is deployed. After a security change, the organization should update the documents that describe the current environment and how it is operated. In this scenario, the bastion host and MFA requirement affect the network path, the remote access policy, and the procedure administrators follow. Keeping those artifacts current helps operations teams troubleshoot correctly, supports audits, and prevents later teams from bypassing or misunderstanding the new control. Test results and notifications are useful change records, but they do not replace updating the authoritative diagrams, policies, and SOPs.
Topic: General Security Concepts
A company is preparing a support dashboard that shows billing records. Based on the data-handling note, which tool category best meets the stated need?
Exhibit: Data-handling note
| Requirement | Detail |
|---|---|
| Data shown | Payment card number |
| User need | Confirm only the last four digits |
| Security need | Hide the rest from support staff |
| Recovery need | Full value is not needed in the dashboard |
| Integrity/authentication | Not the purpose of this control |
Options:
A. Data masking or obfuscation
B. Salted hash
C. Digital signature
D. Symmetric encryption
Best answer: A
Explanation: The exhibit describes a masking need: support staff must see only a limited part of a sensitive value, and the dashboard does not need to recover or process the full card number. Data masking or obfuscation is used to conceal sensitive fields while preserving enough visible information for a business task. Digital signatures primarily support integrity, authentication, and non-repudiation. Hashing, especially with salting, is commonly used for one-way verification such as password storage. Encryption protects confidentiality, but it is reversible and normally used when authorized systems must recover the plaintext. Here, the safest fit is to avoid exposing the full value at all in the support view.
Topic: General Security Concepts
A security team is updating a firewall configuration standard used by several administrators. The change must show who approved each edit, preserve prior versions, and allow the team to quickly restore the last known good version if the update causes an outage. Which control best meets these requirements?
Options:
A. Send the updated standard by encrypted email
B. Announce the change during the maintenance window
C. Store the standard in a version-control repository
D. Require administrators to sign an acceptable use policy
Best answer: C
Explanation: Version-control reasoning applies when a change must be traceable and reversible. A repository can record each revision, associate changes with users, preserve previous versions, and support review or approval workflows. If a configuration, procedure, or policy update creates an operational problem, the team can compare revisions and restore the last known good version instead of rebuilding the document or configuration from memory. Encryption, communication, and policy acknowledgment may support security governance, but they do not provide the same change history and rollback capability.
Topic: General Security Concepts
A network administrator is preparing a production firewall rule change during an approved maintenance window. The security manager wants the change to remain traceable to the approval and reversible if connectivity fails.
Exhibit: Change record excerpt
Change ID: CHG-1842
Approved by: CAB
Planned action: Update firewall allow list
Current method: Edit /etc/fw/rules.conf on firewall01
Backup noted: Copy rules.conf to rules.conf.old on same device
Repository link: None
Rollback steps: "Undo the edit if needed"
Which action best addresses the issue shown in the exhibit?
Options:
A. Submit the rule change through version control linked to CHG-1842
B. Rename the backup file after the change succeeds
C. Take a screenshot of the approved CAB record
D. Increase the maintenance window before editing the file
Best answer: A
Explanation: Version-control reasoning is important when security configurations, procedures, or policies must be auditable and reversible. The exhibit shows direct editing on a production device, a local backup on the same device, no repository link, and vague rollback steps. A controlled change should be captured in a repository or equivalent version-control system, linked to the change ticket, reviewed as appropriate, and able to restore a known prior version. This preserves who changed what, when it changed, why it changed, and how to revert it. Local copies and informal notes can help during operations, but they do not provide reliable traceability or a durable rollback path.
Topic: General Security Concepts
A company runs a public customer portal that stores PII. A vulnerability scan finds a high-risk framework flaw, but the vendor patch cannot be deployed until testing finishes next week. The portal must remain available, and the current WAF blocks only known attack patterns. Which action is the BEST professional decision to reduce risk during the gap?
Options:
A. Rely on the WAF because it blocks known attack patterns
B. Take the portal offline until the normal change window
C. Layer temporary controls around the portal until the patch is deployed
D. Delay all action until patch testing is complete
Best answer: C
Explanation: Defense in depth uses multiple complementary controls so that one weak or bypassed control does not leave the system exposed. In this scenario, the WAF helps, but it only blocks known patterns and does not fully address an unpatched high-risk flaw on a public portal containing PII. A good temporary response would add compensating layers, such as tighter WAF rules, least-privilege access checks, segmentation, enhanced monitoring, alerting, and a tested patch plan. This reduces risk while preserving required availability and avoiding an untested emergency change.
Topic: General Security Concepts
A company must send large confidential design files to a business partner over an untrusted network. The solution must protect the file contents efficiently, avoid a pre-shared secret, and let the partner verify that the files came from the company. Which approach best meets these requirements?
Options:
A. Hash the files and encrypt the hash with a shared symmetric key
B. Encrypt files with the partner’s private key and sign them with the company’s public key
C. Encrypt files with the company’s private key and send the public key to the partner
D. Encrypt files with a symmetric key, encrypt that key with the partner’s public key, and sign with the company’s private key
Best answer: D
Explanation: Hybrid encryption maps each requirement to the right cryptographic use. Symmetric encryption is efficient for large data, but both parties need the same secret key. Asymmetric encryption solves the key-distribution problem by letting the sender encrypt the symmetric key with the recipient’s public key, so only the recipient’s private key can recover it. A digital signature uses the sender’s private key so the recipient can verify the sender with the sender’s public key and detect tampering. Encrypting bulk files directly with asymmetric keys is inefficient, and using a private key for encryption is not how confidentiality is normally provided.
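The Go program below is an added worked example of option D; it is not code from the page or from IT Mastery. The company encrypts the file with a fresh AES-256-GCM key, wraps that key with the partner's RSA public key (RSA-OAEP), and signs the wrapped key plus ciphertext with its own RSA private key (RSA-PSS); the partner verifies the signature before unwrapping the key and decrypting. The key pairs, the OAEP label and the file contents are constructed for the example, and in practice the public keys would be exchanged through certificates rather than passed around in memory.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the untrusted network.
type Envelope struct {
	WrappedKey []byte // the AES key, encrypted with the partner's RSA public key (RSA-OAEP)
	Nonce      []byte // GCM nonce for the file ciphertext
	Ciphertext []byte // the design file, encrypted with AES-256-GCM
	Signature  []byte // RSA-PSS by the company's private key over WrappedKey, Nonce and Ciphertext
}

// oaepLabel is a constructed context label; both sides must use the same value.
var oaepLabel = []byte("design-file-key")

// signedDigest hashes everything the signature covers, so tampering with any part is detected.
func signedDigest(e *Envelope) []byte {
	h := sha256.New()
	h.Write(e.WrappedKey)
	h.Write(e.Nonce)
	h.Write(e.Ciphertext)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send is the company's side: symmetric bulk encryption, key wrapped for the partner, then signed.
func Send(file []byte, partnerPub *rsa.PublicKey, companyPriv *rsa.PrivateKey) (*Envelope, error) {
	fileKey := make([]byte, 32) // fresh per transfer; no pre-shared secret needed
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, file, nil)}
	env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, partnerPub, fileKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	env.Signature, err = rsa.SignPSS(rand.Reader, companyPriv, crypto.SHA256, signedDigest(env), nil)
	return env, err
}

// Receive is the partner's side: verify origin first, then unwrap the key, then decrypt the file.
func Receive(env *Envelope, companyPub *rsa.PublicKey, partnerPriv *rsa.PrivateKey) ([]byte, error) {
	if err := rsa.VerifyPSS(companyPub, crypto.SHA256, signedDigest(env), env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not from the company, or altered in transit")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, partnerPriv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("only the partner's private key can unwrap the file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	companyKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	partnerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, err := Send([]byte("constructed CAD file contents"), &partnerKey.PublicKey, companyKey)
	if err != nil {
		panic(err)
	}
	file, err := Receive(env, &companyKey.PublicKey, partnerKey)
	fmt.Printf("partner recovered: %q (err=%v)\n", file, err)
}
```

The roles are asymmetric in the way the explanation states: the partner's key pair provides confidentiality (public key wraps, private key unwraps), while the company's key pair provides origin and integrity (private key signs, public key verifies). Verifying before decrypting means an envelope from anyone other than the company is rejected without ever touching the partner's decryption key.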
Topic: General Security Concepts
A security team plans to deploy a new access-control policy during tonight’s maintenance window. The change record shows successful lab testing, but the impact analysis says a legacy billing job may fail if the policy is enabled. The backout plan says “restore the previous policy,” but it has not been tested and the billing system owner has not approved downtime. What should the change manager do next?
Options:
A. Defer the change until impact approval and backout validation are complete
B. Deploy the policy and update documentation afterward
C. Implement the change with extra monitoring
D. Approve the change because lab testing succeeded
Best answer: A
Explanation: Change readiness depends on more than technical test success. A production change should have acceptable test results, a reviewed impact analysis, required stakeholder approval for affected services, and a workable backout plan before implementation. In this scenario, testing passed, but the impact analysis identified a possible billing failure, the affected owner has not approved downtime, and the rollback approach has not been tested. Those gaps create operational risk that should be resolved before the maintenance window is used. Monitoring helps detect problems, but it does not replace approval or a validated recovery path.
Use the CompTIA Security+ SY0-801 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.