Try 10 focused CompTIA Security+ SY0-801 questions on Security Architecture, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
Try CompTIA Security+ SY0-801 on Web View full CompTIA Security+ SY0-801 practice page
| Field | Detail |
|---|---|
| Exam route | CompTIA Security+ SY0-801 |
| Topic area | Security Architecture |
| Blueprint weight | 19% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Security Architecture for CompTIA Security+ SY0-801. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 19% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Security Architecture
A company is piloting Zero Trust access for an internal payroll application. The goal is to allow access only after verifying the user, confirming the device is known and healthy, and enforcing access at the application rather than the network. Which architecture change best addresses the gap shown?
Exhibit: Pilot access event
| Check | Result |
|---|---|
| User authentication | SSO password only; no MFA challenge |
| Device inventory | Device ID not found in MDM/CMDB |
| Device health | EDR agent missing; encryption unknown |
| Access path | Full subnet allowed after VPN login |
Options:
A. Use MFA, device posture inventory, and per-app ZTNA policies
B. Place a WAF in front of the payroll application
C. Allow access by MAC address from approved office networks
D. Add firewall logging to the existing VPN subnet access
Best answer: A
Explanation: Zero Trust architecture does not assume trust from network location or a successful VPN login. The exhibit shows missing user assurance, an unmanaged device, unknown device health, and broad subnet access. A Zero Trust design should combine identity verification such as MFA, device inventory and posture checks from tools like MDM and EDR, and application-level access policies through ZTNA or a similar access broker.
The key takeaway is that Zero Trust decisions should be continuous and context-aware, not based only on being connected to a trusted network.
Topic: Security Architecture
A group of regional banks wants to run a shared fraud analytics platform. The platform must use common security controls and governance agreed on by the banks, support strict data-handling requirements for the financial sector, and avoid placing the workload in a general-purpose environment open to unrelated tenants. Which deployment model best fits these requirements?
Options:
A. Community cloud
B. Multicloud
C. Public cloud
D. Private cloud
Best answer: A
Explanation: A community cloud fits when multiple organizations with similar compliance, security, or mission needs share an environment and governance model. In this scenario, the banks are separate organizations, but they need common controls and data-handling expectations tailored to the financial sector. That points to a shared community environment rather than a general public cloud or a single-organization private cloud. Multicloud describes using services from more than one cloud provider; it does not by itself create shared governance or a sector-specific trust boundary.
Topic: Security Architecture
A retail company is documenting roles for a customer profile dataset that contains personal data. Use the exhibit to select the role mapping best supported by the visible responsibilities.
| Party | Visible responsibility |
|---|---|
| RetailCo privacy office | Defines collection purpose and retention in the privacy notice |
| Marketing VP | Approves classification and access to CustomerProfiles |
| Data governance analyst | Maintains field definitions and quality rules |
| Cloud platform team | Manages database encryption, backups, and restores |
| Campaign operations team | Runs approved exports on schedule |
| Email SaaS logging vendor | Stores logs for the contracted email SaaS provider |
Options:
A. Controller: RetailCo; owner: Marketing VP; steward: analyst; custodian: platform team; operator: campaign operations; subprocessor: logging vendor
B. Controller: platform team; owner: logging vendor; steward: campaign operations; custodian: RetailCo; operator: analyst; subprocessor: Marketing VP
C. Controller: logging vendor; owner: RetailCo; steward: platform team; custodian: campaign operations; operator: Marketing VP; subprocessor: analyst
D. Controller: Marketing VP; owner: platform team; steward: RetailCo; custodian: analyst; operator: logging vendor; subprocessor: campaign operations
Best answer: A
Explanation: Data role assignments depend on what each party controls or performs. A controller determines the purpose and means of personal data processing, so RetailCo is the controller through its privacy office. A data owner is accountable for a dataset’s classification and access decisions, matching the Marketing VP. A steward maintains data definitions and quality rules. A custodian implements and operates technical safeguards such as encryption, backups, and restores. An operator performs approved processing tasks without setting policy. A subprocessor is a third party used by a processor or service provider to process data, which fits the logging vendor used by the email SaaS provider. The key distinction is decision authority versus operational execution.
Topic: Security Architecture
A retail company is updating a customer-support portal. Based on the data-protection note, which method best meets the stated goal?
Exhibit: Data-protection note
| Field | Support need | Restriction |
|---|---|---|
| Payment card number | Verify last 4 digits | Agents must not see full value |
| SSN | Verify last 4 digits | Agents must not see full value |
| Backend records | Continue normal processing | Original values remain available to authorized systems |
Options:
A. Tokenization
B. Masking
C. Encryption
D. Hashing
Best answer: B
Explanation: Masking is the best fit when users need limited visibility into sensitive data, such as only the last four digits of a payment card or SSN. The exhibit says support agents need partial verification, but full values must remain unavailable in the portal while backend systems continue to use the original data. That is a display-time or presentation-layer protection goal. Hashing would not preserve visible last digits, tokenization replaces values with tokens and usually requires a token vault or lookup process, and encryption protects stored or transmitted data rather than selectively showing part of a value to a user. The key distinction is that masking reduces what the user can see without changing the authorized backend use of the data.
Topic: Security Architecture
A manufacturer is deploying a tablet-based design viewer for field engineers. The design files are classified as restricted, may be opened only on company-managed encrypted tablets, must not be accessible outside approved plant locations, and must retain a visible classification notice when exported to the manufacturing workflow. Which approach is the BEST professional decision?
Options:
A. Allow access through the corporate VPN from any tablet
B. Store the files only in an approved regional cloud location
C. Use MDM compliance, app geofencing, and persistent data labels
D. Apply visible watermarks to all exported design files
Best answer: C
Explanation: The requirements call for multiple data-handling controls that match the data sensitivity and usage conditions. Company-managed encrypted tablets address the endpoint control requirement. App geofencing enforces the location requirement by limiting access to approved plant areas. Persistent labels or markings keep the classification notice with the data when it moves into the manufacturing workflow. This is a proportional control set because it protects the restricted files without blocking the business process. A VPN, cloud placement, or watermark alone covers only one part of the requirement and leaves other stated constraints unenforced.
Topic: Security Architecture
An analyst reviews a proposed upload to an external design vendor using a public file-sharing link. The vendor has an NDA on file. Based on the classification note, which handling decision is best?
Classification note
Public: approved for external release
Confidential: NDA required; use approved encrypted transfer
Restricted: data owner approval; minimum necessary only
Critical: protect availability; do not treat as public
Files requested
press_kit.zip: Public
roadmap.pdf: Confidential
customer_export.csv: Restricted
recovery_runbook.pdf: Critical, Confidential
Options:
A. Upload only press_kit.zip to the public link.
B. Block the public file until encrypted transfer is arranged.
C. Upload the confidential files and exclude only the restricted file.
D. Upload all files because the vendor has an NDA.
Best answer: A
Explanation: Data classification drives handling requirements. A public file can be shared externally because it is approved for release. Confidential data may be shared with an authorized party, but the note requires an approved encrypted transfer, so the public link is not acceptable. Restricted data has stronger handling requirements, including data owner approval and minimum necessary use. Critical data is about service importance and availability; it does not make the recovery runbook public, especially because it is also confidential.
The key takeaway is that an NDA alone does not override classification-based transfer controls.
Topic: Security Architecture
A regional group of credit unions plans to host a shared fraud-analysis platform. The platform will process member transaction metadata classified as sensitive, must be governed by common security and compliance requirements, and should be accessible only to participating credit unions and approved auditors. The group wants shared operating costs without placing the workload in a general-purpose environment open to unrelated tenants. Which deployment model is the BEST fit?
Options:
A. Multicloud
B. Community cloud
C. Private cloud
D. Public cloud
Best answer: B
Explanation: A community cloud is designed for multiple organizations that share common requirements, such as industry regulations, security policies, governance, or mission needs. In this scenario, the participating credit unions need shared cost and operations, but they also need stronger community-specific control than a general public cloud tenant model provides. A private cloud would give one organization dedicated control, but it does not match the shared consortium requirement as well. Multicloud describes using services from more than one cloud provider; it does not define who may participate or how governance is shared. The key security implication is matching the trust boundary and governance model to the sensitivity and stakeholder group.
Topic: Security Architecture
A retail company finds that point-of-sale (POS) terminals, employee workstations, and guest Wi-Fi clients share the same internal network. The security team must reduce lateral movement to the POS systems, keep centralized patching and logging reachable, avoid new cabling, and complete the change during a short maintenance window. Which segmentation approach is the BEST professional decision?
Options:
A. Keep one LAN and rely on endpoint EDR
B. Disable guest Wi-Fi until new switches arrive
C. Move POS systems to a separate cabled network
D. Create POS VLANs with firewall ACLs
Best answer: D
Explanation: Logical segmentation is the best fit when systems must be isolated but still share infrastructure or controlled services. VLANs, security zones, firewall rules, and ACLs can separate POS terminals from workstations and guest clients while allowing only approved management traffic for patching and logging. This reduces attack surface and lateral movement without requiring new cabling or a long outage. Physical segmentation is stronger when strict isolation is required, such as highly sensitive OT or air-gapped environments, but it conflicts with the stated time and cabling constraints here. The key is to match the segmentation type to the isolation goal and operational limits.
Topic: Security Architecture
A manufacturing company is redesigning access to an OT monitoring network. Requirements are to reduce internet-originated exposure, allow safety engineers to provide remote support during critical incidents within 5 minutes, and record all administrative activity. Which design best maps to these requirements?
Options:
A. Manual approval board before every remote session
B. Fully air-gapped OT network with no remote access
C. Direct VPN access from engineer laptops to OT devices
D. Segmented OT zone with a monitored jump host and MFA
Best answer: D
Explanation: Architecture trade-offs require meeting the most important business and technical requirements together, not maximizing one constraint in isolation. Here, the company needs reduced internet exposure, rapid incident support, and recorded administrative activity. A segmented OT zone limits exposure, a monitored jump host provides a controlled access path, and MFA plus session recording supports authentication and accountability. A full air gap may improve isolation, but it fails the stated 5-minute remote support requirement. The best design uses layered controls to reduce risk while preserving the operational capability the business explicitly requires.
Topic: Security Architecture
A security architect is reviewing a proposed design for an online customer portal. Which issue is best supported by the exhibit?
Exhibit: Design review note
| Item | Stated requirement | Proposed design |
|---|---|---|
| Cost | Reduce monthly spend by 20% | Lowest-cost storage tier |
| Recovery | RTO 1 hour, RPO 15 minutes | Nightly backup, manual rebuild estimated at 8 hours |
| Resilience | Continue service after a single site failure | Single region, no tested failover |
| Data protection | Encrypt customer PII | Encryption enabled |
Options:
A. Encryption is prioritized over data minimization needs
B. Automation is prioritized over change approval needs
C. Cost savings are prioritized over recovery and resilience needs
D. Availability is prioritized over data sovereignty needs
Best answer: C
Explanation: Architecture trade-offs must be evaluated against the most important business and technical requirements, not only against one constraint such as cost. The exhibit shows a design that achieves lower spending and enables encryption, but it cannot meet the stated recovery objectives: an 8-hour manual rebuild exceeds the 1-hour RTO, nightly backups exceed the 15-minute RPO, and a single-region design without tested failover does not support service continuity after a site failure. The main issue is not that cost matters, but that the design lets cost reduction override required resilience and recovery outcomes.
Use the CompTIA Security+ SY0-801 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Try CompTIA Security+ SY0-801 on Web View CompTIA Security+ SY0-801 Practice Test
Use the full IT Mastery practice page above for the latest review links and practice page.