CompTIA Security+ Practice Test (SY0-701)

Policies that outline employee responsibilities and expected behaviors are examples of directive controls. Directive controls are designed to guide or instruct individuals or systems to ensure compliance with security requirements. They establish guidelines and expectations to influence behavior. Detective controls are intended to identify and detect unwanted events or incidents after they occur. Corrective controls focus on minimizing the impact of a security incident after it has occurred. Preventive controls aim to stop unwanted events from happening in the first place.

Adaptive Policy-driven access control, also known as risk-adaptive access control, is correct because it incorporates real-time risk assessments based on context, such as user behavior, device security status, and data sensitivity, to adapt access permissions dynamically, thereby limiting the scope of threats by granting access based on policies that respond to perceived risk levels. While Role-based access control (RBAC) is statically designed based on predefined roles and Discretionary access control (DAC) is based on the resource owner's discretion, neither adapts dynamically to changing threat landscapes. Mandatory access control (MAC) is policy-based but not adaptive to real-time risks.

The IT staff member in this scenario is fulfilling the role of a Data Custodian. Data Custodians are responsible for the technical management and operations of data assets, ensuring that data is properly backed up, secured, and maintained. They implement the policies and controls specified by Data Owners but do not set or decide on those policies themselves.

A Data Owner is typically a senior individual who has authority over and accountability for a specific set of data, making decisions about data classification, access permissions, and policy decisions.

A Data Controller is an entity or individual that determines the purposes and means of processing personal data, often in the context of privacy laws, which is not directly relevant to the described duties.

A Data Processor is an entity that processes data on behalf of a Data Controller, but again, this role is more about processing activities rather than managing and maintaining data assets.

Once a company determines their acceptable risk level, any deviation from that is called the company’s risk tolerance.

A next-generation firewall (NGFW) provides the advanced functionality needed for logical network segmentation, augmenting classic firewall capabilities with features such as application awareness and intrusion prevention. NGFWs ensure that strict security policies can be enforced and managed between segmented zones, which is perfect for an environment handling sensitive health records. This technology provides the required granularity for compliance with healthcare regulations, making it the optimal choice over other options that either lack the sophistication in policy management or are not primarily designed for inter-segment traffic control within the same network.

Preventative controls are security controls who’s purpose is to prevent an incident from occurring. One of the main goals of security awareness training is to train your employees to prevent them from commenting security incidents

A playbook is indeed a set of predefined rules, actions, and recommendations designed to standardize the approach to handling security incidents. It often includes automated responses to streamline the remediation process and ensure a consistent and efficient reaction to common incidents across the organization.

The correct answer involves updating the Incident Response Plan with improvements identified during the review of a recent incident. This is the best choice because it directly applies feedback from actual incidents to enhance procedures and readiness for future events. Simply reviewing historical trends or concluding that the existing plan is sufficient does not provide the iterative improvement needed for effective incident response. Updating training materials without specific reference to the improvements identified may not address the issues encountered during the incident.

Creating a digital hash of the hard drive image is critical to maintain the integrity of the investigation. Hashing the image ensures that an investigator can verify that the evidence has not been altered from the time of acquisition. This process establishes a unique digital fingerprint for the data at the moment of capture, which can be compared against the data at any point afterward to confirm that it remains unaltered. Physically securing the server and limiting access to the server are important, but they do not address the integrity of the digital evidence after its acquisition. Documenting the process is also essential but secondary to securing the image's integrity through hashing.

Static code analysis is the analysis of software code without executing the software. Reviewing the lines of a program’s/software’s source code is a type of static code analysis. Dynamic code analysis is performed while it is being executed.

A nation-state actor is typically motivated by political, military, or economic advantage on a national scale and may engage in espionage, but selling corporate secrets for a direct competitive advantage is less common. An unskilled attacker generally does not have the capability to carry out sophisticated breaches involving trade secrets. A hacktivist is generally motivated by political or social beliefs rather than financial gain. Organized crime, however, is primarily motivated by financial gain and is well-equipped to carry out such sophisticated attacks with the intent of selling stolen information for profit, making them the most likely threat actor in this scenario.

The protocol central to automating the assessment, monitoring, and evaluation of system vulnerabilities and security configurations is designed to provide standardized methods for security assessment, vulnerability management, and policy compliance checks across various systems. Its function is not primarily to enable secure communications, coordinate network protocols, or log and analyze network traffic, but rather to streamline and enforce security standards in an automated fashion.

Conducting third-party security audits is the most effective way to assess vendors' adherence to security standards. These audits often include an in-depth analysis of the vendors' security policies, practices, and controls. This can provide an objective and comprehensive overview of the vendors' security posture and compliance with relevant standards. Reviewing the vendors' privacy policies is important but may not offer a complete picture of their security practices. Examining product data sheets only provides information about the products and not the vendors' security standards. Comparing SLAs can showcase the guaranteed performance and availability, but it does not directly address security compliance.

HIPAA is the correct answer because it is a specific regulatory requirement in the healthcare industry in the United States that provides guidelines on protecting the privacy and security of health information. GDPR is focused on data protection for EU citizens, although it can apply to organizations outside the EU that handle such data, it is not specific to the healthcare industry. Sarbanes-Oxley Act relates to financial reporting and is not healthcare-specific. The NIST framework provides excellent guidance on cybersecurity practices but is not a healthcare industry-specific regulation.

A Hardware Security Module (HSM) is a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, and provides strong authentication. HSMs are specifically designed for the secure generation, storage, and management of cryptographic keys, offering a higher level of security compared to software-based key management solutions. They are widely used in applications requiring high-level security, such as banking, government, and healthcare.