CompTIA Security+ Practice Test (SY0-701)

Validating the security of the server's firmware at the time of delivery is critical, as firmware vulnerabilities can compromise the entire system. Ensuring that the hardware provider has a secure firmware delivery and update process helps protect against supply chain attacks. While obtaining documentation, checking for government connections, and working with familiar brands provide different levels of assurance, they do not offer the same direct mitigation against hardware-based vulnerabilities and firmware integrity as validating the server's firmware security.

The correct answer is Mandatory Access Control (MAC). MAC is a centralized access control model where the system enforces access based on security labels assigned to subjects (users) and objects (data). This model is common in high-security environments like government and military agencies, as described in the scenario. In a MAC system, users cannot change permissions, which aligns with the requirement. Discretionary Access Control (DAC) is incorrect because it allows resource owners to set permissions at their discretion. Role-Based Access Control (RBAC) bases access on a user's job function or role, not directly on data classification labels. Attribute-Based Access Control (ABAC) is a dynamic model that uses multiple attributes for access decisions, but MAC is the specific model defined by the use of centrally-enforced security clearance labels.

The correct document for outlining the specific tasks, deliverables, and timeline in a vendor agreement is the Statement of Work. This document plays a crucial role in setting clear expectations and project details before work commences, ensuring that both parties are aligned on what is to be delivered, when, and in what manner. An agreement for services, on the other hand, defines the level of service performance and quality assurances rather than detailing the project specifics. A confidentiality agreement focuses on the protection of proprietary and sensitive information shared during the engagement and does not detail project specifics. A partnership agreement outlines the general terms of the partnership and cooperation between two entities, which again does not focus on the provision of services for a particular project like a Statement of Work does.

Geolocation restrictions are security controls that limit access to data based on the geographical location from where the data access attempt is made or where the data processing takes place. This ensures that data remains within legal or regulatory boundaries and that an organization maintains compliance with local laws.

Syslog is a vendor-neutral standard for message logging. It includes a standard format for log messages and a network protocol for sending that data to a central logging server. It is widely used by network devices like routers, switches, and firewalls, and on Unix and Linux operating systems. The other options are incorrect. A Security Information and Event Management (SIEM) system collects and analyzes logs but is not the logging standard itself. Simple Network Management Protocol (SNMP) is a protocol for network management, not a logging standard. 'Event manager' refers to proprietary systems like the Windows Event Viewer, not a vendor-neutral standard.

The most effective initial reporting mechanism for security incidents is the establishment of a dedicated hotline and an accessible email address. This approach provides employees with a clear and direct path to report issues quickly. A hotline allows for immediate communication, which is valuable in time-sensitive situations, while an accessible email address gives employees who are hesitant to speak up a way to report concerns discretely. Social media channels, while popular for customer outreach, are not private and could inadvertently expose sensitive information to the public, disqualifying it as a secure initial reporting mechanism. The use of physical drop boxes is not recommended for immediate issues as it may lead to delays in reporting, rendering them less effective. While having a web portal for reporting can be useful as part of a comprehensive reporting framework, it often requires training and access not all employees may have from the onset, especially in a finance firm's context where security policies may restrict access to certain web applications.

Automation helps improve efficiency and saves time by performing repetitive tasks quickly and with consistency, which is a significant benefit in security operations. It allows security teams to focus on more strategic tasks that require human intervention. Incorrect answers may seem like plausible benefits but do not capture the fundamental advantage of automation which is efficiency and time saving.

An independent third-party audit is the correct response because it involves an external entity reviewing the organization's compliance with required standards, regulations, and controls, thereby providing an unbiased assessment of the company's security posture. This type of audit is specifically useful for meeting regulatory compliance that mandates external validation of security practices. A right-to-audit clause is commonly included in contracts and would allow the company to audit third-parties, but is not the appropriate tool for an external review of the company itself. Internal compliance reporting, while necessary, does not fulfill the requirement for an independent review. Similarly, self-assessments are conducted internally and lack the independent aspect required by the regulation.

Chain of custody is a legal concept that refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. Maintaining the chain of custody is vital to ensure that the evidence can be trusted and is admissible in a court of law. If the chain of custody is broken or cannot be proven, the integrity of the evidence may be questioned, potentially rendering it inadmissible. Legal hold is a process that preserves all forms of relevant information when litigation is reasonably anticipated, which differs from ensuring the evidence admissibility. Both acquisition and reporting are steps within the digital forensics process, but they do not serve to maintain the integrity of the evidence through documentation like chain of custody does.

Regression testing the new feature against the patched software in a non-production environment verifies that the patch does not break existing functionality. Once tests pass, the combined update can be deployed to production with confidence. Deploying the patch immediately could disrupt the new feature, ignoring the patch leaves the system vulnerable, and rolling back the feature sacrifices business value without addressing security.

Containment is the correct answer because the immediate priority in incident response, following detection and analysis, is to contain the incident to prevent further damage or spread of the threat. Eradication and Recovery are subsequent steps that cannot be effectively performed unless the threat is first contained.

A risk owner is the individual ultimately accountable for a specific risk. The owner must ensure the risk is identified, assessed, and that suitable treatment plans are in place, but the hands-on implementation of controls is typically carried out by control or treatment owners (e.g., IT or security staff). Therefore, the correct option is the one that highlights accountability and coordination rather than direct execution of every mitigation task. The distractors either overstate personal execution duties, understate authority, or limit involvement to periodic review.

The Zero Trust Model focuses on continuously verifying users and devices before granting access, thereby reducing the attack surface by eliminating implicit trust. It enforces strict access policies based on identity, context, and risk assessment. Role-Based Access Control (RBAC) assigns permissions based on predefined roles without necessarily verifying each access request or reducing implicit trust. Discretionary Access Control (DAC) allows resource owners to grant access at their discretion, which may not enforce strict identity verification. Mandatory Access Control (MAC) enforces access based on classifications and clearances, not adaptively on identity and context.

A vendor assessment, particularly a due diligence review, is the most appropriate type of assessment when evaluating a company during an acquisition. This review ensures that the company to be acquired is compliant with necessary security standards and that there are no hidden security liabilities. Penetration testing focuses on finding vulnerabilities in systems and networks and may not cover the broad scope of security measures in place. Self-assessments are internal evaluations and might not provide an objective view needed during an acquisition. Risk analysis is part of the overall risk management process but does not serve as a comprehensive review of a company's security measures during an acquisition scenario.

A detailed and current asset inventory is a foundational component of an effective disaster recovery plan. Without it, an organization cannot accurately prioritize which systems to restore first, understand dependencies between assets, or ensure that all necessary components are recovered. This leads to inefficient and delayed recovery efforts, potentially preventing the organization from meeting its Recovery Time Objectives (RTOs). The inventory is essential for knowing what needs to be restored to bring critical business functions back online.