10 free CompTIA Security+ SY0-701 practice questions for Domain 5, Security Program Management and Oversight, which is about 20% of the exam. Each question has the correct answer and a clear explanation. No account or signup needed.
Last updated June 2026
A single incident is expected to cost $10,000, and it is expected to occur twice per year. What is the annualized loss expectancy (ALE)?
Correct answer: A. $20,000
ALE equals the single loss expectancy (SLE) times the annual rate of occurrence (ARO): $10,000 x 2 = $20,000. The SLE is the cost of one event and the ARO is how many times it happens per year.
Which metric defines the maximum acceptable amount of data loss, measured in time, after an incident?
Correct answer: A. Recovery point objective (RPO)
RPO is how much data, expressed as a time window, the organization can afford to lose, which drives backup frequency. RTO is how quickly service must be restored, and MTTR and MTBF measure repair and failure intervals.
Which assessment identifies the critical functions of an organization and the impact of their disruption in order to set recovery priorities?
Correct answer: A. Business impact analysis (BIA)
A BIA determines which functions are critical and the consequences of downtime, feeding recovery objectives like RTO and RPO. The other options assess security weaknesses, not business impact.
Where does an organization formally record its identified risks along with the owner, severity, and treatment status of each one?
Correct answer: A. Risk register
A risk register is the central document tracking identified risks, owners, scores, and how each is being handled. An SLA defines service commitments, an AUP defines acceptable system use, and a log records events.
Which document is a non-binding agreement that expresses the general intent of two parties to cooperate?
Correct answer: A. Memorandum of understanding (MOU)
An MOU records a mutual, generally non-binding intent to work together. An SLA sets measurable service terms, an NDA enforces confidentiality, and an SOW details specific work to be performed.
Which agreement legally obligates the parties to keep shared sensitive information confidential?
Correct answer: A. Non-disclosure agreement (NDA)
An NDA legally binds parties to protect confidential information they exchange. An MOU is a statement of intent, an SLA sets service levels, and an AUP governs how employees use systems.
Which policy defines what employees are and are not permitted to do with company systems, networks, and Internet access?
Correct answer: A. Acceptable use policy (AUP)
An AUP sets the rules for proper use of company technology. A business continuity plan keeps operations running during a disruption, an NDA protects confidentiality, and an SLA defines service commitments.
Requiring that two different employees each complete part of a sensitive financial transaction, so no single person can commit fraud alone, is which principle?
Correct answer: A. Separation of duties
Separation of duties splits a sensitive task so no one person controls it end to end, reducing fraud. Least privilege limits permissions, while job rotation and mandatory vacation help expose fraud over time.
Which United States regulation specifically protects the privacy and security of personal health information?
Correct answer: A. HIPAA
HIPAA governs the protection of health information in the United States. PCI DSS covers payment card data, GDPR is the European Union privacy regulation, and SOX addresses financial reporting.
The incident response team gathers in a room and verbally walks through how they would handle a ransomware scenario, without touching live systems. What type of exercise is this?
Correct answer: A. Tabletop exercise
A tabletop exercise is a discussion-based walkthrough of a scenario to validate the plan and roles. A full-scale test actually fails over systems, while penetration tests and vulnerability scans assess technical weaknesses.
SecPlus Mastery covers all five SY0-701 domains with over 1,000 practice questions, timed mock exams, and spaced review that targets your weak spots so you walk in ready.
Original practice questions aligned to the CompTIA Security+ SY0-701 objectives. CompTIA and Security+ are trademarks of CompTIA, used here for identification only.