Free CAS-005 Practice Test Questions 2026

353 Questions


Last Updated On : 8-Jul-2026


Facing the CompTIA SecurityX Certification Exam exam in 2026 is challenging, but preparing with the right tools makes all the difference. Our CAS-005 practice test isn't just another set of questions. It's your strategic advantage for conquering the certification. Candidates who complete our CAS-005 practice questions are approximately 35% more likely to pass the exam on their first attempt compared to those who study without realistic CompTIA SecurityX Certification Exam practice exam. This isn't coincidence. It's the power of effective preparation.

A security engineer wants to improve the security of an application as part of the development pipeline. The engineer reviews the following component of an internally developed web application that allows employees to manipulate documents from a number of internal servers:

response = requests.get(url)

Users can specify the document to be parsed by passing the document URL to the application as a parameter.

Which of the following is the best solution?


A. Indexing


B. Output encoding


C. Code scanner


D. Penetration testing





C.
  Code scanner

Explanation:
The code takes a user‑supplied URL and fetches it without validation (requests.get(url)). This is a Server‑Side Request Forgery (SSRF) vulnerability. An attacker could specify internal server URLs to access sensitive documents or scan internal networks. The best solution in the development pipeline is a code scanner that detects SSRF patterns before deployment.

Correct Option:

C. Code scanner
A static application security testing (SAST) or code scanner integrated into the pipeline would flag requests.get(url) with user‑controlled input as an SSRF vulnerability. This allows the engineer to fix the issue before production. Code scanners are most effective for finding injection and request forgery flaws early in the development lifecycle.

Incorrect Option:

A. Indexing
Indexing refers to database optimization (creating indexes for faster queries) or document indexing for search. It has no relevance to preventing SSRF or validating user‑supplied URLs. Indexing does not block or detect the security issue in the code snippet.

B. Output encoding
Output encoding (e.g., HTML entity encoding) prevents cross‑site scripting (XSS) by neutralizing special characters in output. The vulnerability here is SSRF (server‑side request forgery), not XSS. Output encoding will not stop the application from making arbitrary HTTP requests to internal servers.

D. Penetration testing
Penetration testing is a manual or automated external assessment performed after deployment. It can confirm SSRF exists but does not prevent it from being introduced in the pipeline. A code scanner is better for shifting left (catching issues during development). Pen testing is reactive, not preventive.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 2: Enterprise Security Architecture (Secure development, SAST, SSRF prevention). Also OWASP Top 10 – SSRF (A10:2021) and OWASP ASVS (5.3.5 – validate URLs). CWE-918 (Server‑Side Request Forgery).

An organization purchased a new manufacturing facility and the security administrator needs to:
• Implement security monitoring.
• Protect any non-traditional device(s)/network(s).
• Ensure no downtime for critical systems.
Which of the following strategies best meets these requirements?


A. Configuring honeypots in the internal network to capture malicious activity


B. Analyzing system behavior and responding to any increase in activity


C. Applying updates and patches soon after they have been released


D. Observing the environment and proactively addressing any malicious activity





D.
  Observing the environment and proactively addressing any malicious activity

Explanation:
The requirements are: implement security monitoring, protect non-traditional devices/networks (e.g., OT/IoT/ICS), and ensure zero downtime for critical systems. Observing the environment and proactively addressing malicious activity aligns with passive monitoring (no downtime) and proactive threat hunting. Behavioral observation (e.g., network traffic baselining, anomaly detection) works for non-traditional devices where agents cannot be installed.

Correct Option:

D. Observing the environment and proactively addressing any malicious activity. –
Passive observation (e.g., NetFlow, mirrored ports, passive sensors) does not disrupt critical systems. Proactive hunting (e.g., threat intelligence, anomaly detection) identifies malicious activity before it causes damage. This works for non-traditional OT/ICS devices where active scanning or patching may cause downtime.

Incorrect Option:

A. Configuring honeypots in the internal network to capture malicious activity. –
Honeypots are decoys; they do not monitor real production systems nor protect the actual non-traditional devices. Attackers may avoid honeypots. Honeypots add detection but do not ensure "protection" across all devices.

B. Analyzing system behavior and responding to any increase in activity. –
"Responding to any increase" implies automated response, which risks false positives and may cause unnecessary downtime for critical systems. Zero downtime requires careful response orchestration. Also, this does not specify how to observe non-traditional devices.

C. Applying updates and patches soon after they have been released. –
Patching causes downtime (reboots, service restarts), which violates "ensure no downtime for critical systems." Additionally, OT/ICS devices often cannot be patched frequently. Patching is preventive, not monitoring, and does not protect non-traditional devices that may not receive patches.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 3.0 (Security Engineering) – OT/ICS security, passive monitoring, and zero downtime constraints. NIST SP 800-82 (Guide to Industrial Control Systems Security) – passive monitoring, no intrusive scanning. Zero downtime for critical systems (manufacturing, healthcare, energy). Non-traditional devices (OT, IoT, ICS, medical devices). Honeypot limitations for OT. Patching downtime conflict. Proactive threat hunting using passive observation (Zeek/Bro, RITA, network baselining). Behavior analysis with no active response causing downtime. CASP+ domain 3 – critical infrastructure protection, continuous monitoring without disruption. Manufacturing facility security monitoring.

A security analyst is reviewing the following vulnerability assessment report:
192.168.1.5, Host = Server1, CVSS 7.5, Web Server, Remotely Executable = Yes, Exploit
= Yes
205.1.3.5, Host = Server2, CVSS 6.5, Bind Server, Remotely Executable = Yes, Exploit =
POC
207.1.5.7, Host = Server3, CVSS 5.5, Email Server, Remotely Executable = Yes, Exploit =
Yes 192.168.1.6, Host = Server4, CVSS 9.8, Domain Controller, Remotely Executable = Yes,
Exploit = Yes
Which of the following should be patched first to minimize attacks against internet-facing hosts?


A. Server1


B. Server2


C. Server3


D. Server4





B.
  Server2

Explanation:
The question specifies "minimize attacks against internet-facing hosts." Public IPs 205.1.3.5 (Server2 - Bind DNS, CVSS 6.5) and 207.1.5.7 (Server3 - Email, CVSS 5.5) are internet-facing. Server2 has a higher CVSS score (6.5 > 5.5) and should be patched first among internet-facing hosts. Server1 and Server4 are on private IPs (192.168.x.x) and are not directly internet-facing, so they are lower priority despite higher CVSS.

Correct Option:

B. Server2 –
Server2 (205.1.3.5) is internet-facing (public IP). CVSS 6.5 (Medium/High) with "Remotely Executable = Yes" and "Exploit = POC" (proof-of-concept available). Patching this first reduces the attack surface for external attackers targeting the DNS server. Publicly exposed Bind vulnerabilities can lead to remote compromise.

Incorrect Option:

A. Server1 –
Private IP (192.168.1.5) — not directly internet-facing. Although CVSS 7.5 is higher and exploit exists, internal hosts are lower priority than public-facing ones when minimizing external attacks. Attackers must first breach the perimeter to reach Server1.

C. Server3 –
Internet-facing (207.1.5.7) but CVSS 5.5 (Medium) is lower than Server2's 6.5. While still a priority, Server2 has higher severity and should come first. Server3 is an email server, typically protected by additional layers (spam filters, edge gateways).

D. Server4 –
Private IP (192.168.1.6) — not internet-facing. CVSS 9.8 (Critical) and exploit exists, but it is internal (Domain Controller). Patching internal hosts is critical, but the question specifically asks to minimize attacks against internet-facing hosts. Server4 is not internet-facing.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 6.0 (Risk Management) – Vulnerability prioritization based on asset exposure. CVSS scoring and prioritization for internet-facing vs internal assets. Public IP addresses indicate external exposure (e.g., 205.x.x.x, 207.x.x.x). Private IP ranges (192.168.x.x, 10.x.x.x, 172.16.x.x) are internal. Patch prioritization: external first, then critical internal. NIST SP 800-40 (Vulnerability Management). Bind DNS server vulnerabilities (remote code execution). Exploit = POC vs Exploit = Yes. Minimizing external attack surface. CASP+ risk management. Server role importance: Domain Controller (9.8) but internal → patch after external DNS.

A company has the following requirements for a cloud-based web application:

• Must authenticate customers

• Must prevent data exposure

• Must allow customer access to data throughout the cloud environment

• Must restrict access by specific regions

Which of the following solutions best addresses these security requirements?


A. Applying role-based access controls and configuring geolocation policies


B. Replicating the data in each customer environment


C. Hosting the data regionally and providing each customer with a unique link


D. Moving to a cloud provider that operates only in one specific region





A.
  Applying role-based access controls and configuring geolocation policies

Explanation:
The requirements include customer authentication, data exposure prevention, global data access, and regional access restrictions. RBAC controls who can access what data (preventing exposure), while geolocation policies restrict access by specific regions. Together, these meet all four requirements without forcing data replication or limiting the cloud provider's regional footprint.

Correct Option:

A. Applying role-based access controls and configuring geolocation policies
RBAC ensures authenticated customers only see authorized data, directly preventing unauthorized exposure. Geolocation policies (e.g., using AWS WAF geolocation or Azure Front Door) restrict access based on customer region, satisfying the "restrict by specific regions" requirement. Both controls work together without changing data storage locations or customer access methods.

Incorrect Option:

B. Replicating the data in each customer environment
Data replication would dramatically increase cost, complexity, and security risk (more attack surfaces). It also does not inherently prevent data exposure—each customer environment would need its own access controls. This solution is overengineered and fails to address regional restriction requirements efficiently.

C. Hosting the data regionally and providing each customer with a unique link
Unique links (pre-signed URLs or shareable links) are difficult to manage at scale, do not provide strong authentication, and offer minimal data exposure prevention. Links can be shared accidentally or intercepted. This solution does not address regional restrictions and introduces significant security and usability problems.

D. Moving to a cloud provider that operates only in one specific region
Single-region hosting violates the requirement to "allow customer access to data throughout the cloud environment" and makes regional restriction irrelevant. It also creates availability risks and may violate data residency laws if customers are in other regions. This option directly contradicts the stated requirements.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 2: Enterprise Security Architecture (Cloud security, identity and access management, geolocation controls). Also NIST SP 800-210 (General Access Control Guidance for Cloud Systems) and OWASP RBAC guidelines.

A security analyst is reviewing a SIEM and generates the following report:

Later, the incident response team notices an attack was executed on the VM001 host.
Which of the following should the security analyst do to enhance the alerting process on the SIEM platform?


A. Include the EDR solution on the SIEM as a new log source.


B. Perform a log correlation on the SIEM solution.


C. Improve parsing of data on the SIEM.


D. Create a new rule set to detect malware.





B.
  Perform a log correlation on the SIEM solution.

Explanation:
The SIEM report shows individual events (deny connection, IPS alert, malware detection, allow connection) but no single event triggered a meaningful alert about the attack on VM001. Log correlation combines events across time, sources, and types (e.g., IPS alert + malware detection + allow connection) into a single, higher-fidelity alert. The analyst should perform (or enable) correlation to detect the attack pattern.

Correct Option:

B. Perform a log correlation on the SIEM solution. –
Correlation rules link seemingly disparate events (e.g., IPS alert followed by malware detection then allow connection to a suspicious IP). SIEM correlation reduces false positives and identifies multi-step attack patterns. This would have alerted the team to the attack on VM001 rather than requiring post-incident discovery.

Incorrect Option:

A. Include the EDR solution on the SIEM as a new log source. –
Adding EDR provides additional data but does not automatically enhance alerting unless correlation rules are applied. The existing logs (IPS, malware detection, connection events) already contained evidence; the missing piece is correlation, not more sources.

C. Improve parsing of data on the SIEM. –
Parsing extracts fields from raw logs (e.g., timestamp, IP, event ID). The data in the report appears already parsed. Improving parsing without correlation does not connect events into an attack narrative. Parsing is a prerequisite, not the solution for missed attacks.

D. Create a new rule set to detect malware. –
The SIEM already detected malware (8:11:12 event). Individual rules for malware detection exist. The issue is that no alert combined that detection with surrounding events. A new malware rule alone would not change the outcome; correlation across events is needed.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 4.0 (Security Operations) – SIEM correlation. NIST SP 800-92 (Log Management) – Correlation for attack detection. SIEM rule types: single-event rules vs correlation rules (e.g., join, sequence, time window). Example: IPS alert → malware detection → outbound allow within 1 hour. Correlation reduces alert fatigue and detects multi-step attacks. Parsing vs normalization vs correlation. EDR integration as complementary, not replacement. VM001 attack timeline reconstruction.

A security analyst notices a number of SIEM events that show the following activity:
10/30/2020 - 8:01 UTC - 192.168.1.1 - sc stop HinDctend
10/30/2020 - 8:05 UTC - 192.168.1.2 - c:\program files\games\comptidcasp.exe
10/30/2020 - 8:07 UTC - 192.168.1.1 - c:\windows\system32\cmd.exe /c powershell
10/30/2020 - 8:07 UTC - 192.168.1.1 - powershell —> 40.90.23.154:443
Which of the following response actions should the analyst take first?


A. Disable powershell.exe on all Microsoft Windows endpoints


B. Restart Microsoft Windows Defender


C. Configure the forward proxy to block 40.90.23.154


D. Disable local administrator privileges on the endpoints





C.
  Configure the forward proxy to block 40.90.23.154

Explanation:
The logs show an outbound PowerShell connection from 192.168.1.1 to external IP 40.90.23.154:443 at 8:07 UTC, immediately after executing cmd.exe /c powershell. This indicates command-and-control (C2) beaconing or malware callback. The first response action should be containment: blocking the malicious external IP at the proxy or firewall to sever the C2 channel and prevent further data exfiltration or commands.

Correct Option:

C. Configure the forward proxy to block 40.90.23.154 –
Blocking the destination IP cuts the active C2 communication. This contains the threat immediately, preventing additional malicious commands from reaching the compromised host and stopping potential data exfiltration. It is a network-level containment action that does not require endpoint access.

Incorrect Option:

A. Disable powershell.exe on all Microsoft Windows endpoints –
Disabling PowerShell globally is a heavy-handed, disruptive change that breaks legitimate administrative scripts and workflows. While PowerShell abuse is common, this action is not first response; it is a long-term hardening control. Immediate containment requires blocking the C2 IP.

B. Restart Microsoft Windows Defender –
Restarting Defender addresses a potential AV issue, but the logs show no Defender failure. The host is already compromised with an active C2 session; restarting Defender does not terminate the existing PowerShell connection or block the external IP. This does not contain the incident.

D. Disable local administrator privileges on the endpoints –
Privilege reduction is a preventive control, not an active incident response action. The compromise has already occurred; disabling admin rights now does not stop the running PowerShell process or the established C2 tunnel. First response must be containment (block IP).

Reference:
CompTIA CAS-005 Exam Objectives – Domain 5.0 (Incident Response) – Containment (blocking C2 infrastructure). NIST SP 800-61 (Incident Handling) – Containment phase: blocking IPs, domains. MITRE ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell) and TA0011 (C2). First response priority: Stop the active compromise before further damage. SIEM event correlation for C2 beaconing.

A global organization is reviewing potential vendors to outsource a critical payroll function. Each vendor ' s plan includes using local resources in multiple regions to ensure compliance with all regulations. The organization ' s Chief Information Security Officer is conducting a risk assessment on the potential outsourcing vendors ' subprocessors. Which of the following best explains the need for this risk assessment?


A. Risk mitigations must be more comprehensive than the existing payroll provider.


B. Due care must be exercised during all procurement activities.


C. The responsibility of protecting PII remains with the organization.


D. Specific regulatory requirements must be met in each jurisdiction.





C.
  The responsibility of protecting PII remains with the organization.

Explanation:
When outsourcing critical functions like payroll, the organization remains legally accountable for protecting personally identifiable information (PII). Even if a vendor or subprocessor handles the data, the original organization cannot transfer liability. Assessing subprocessor risks ensures that PII safeguards meet regulatory and contractual obligations, preserving the organization’s ultimate responsibility.

Correct Option:

C. The responsibility of protecting PII remains with the organization.
Data privacy laws (e.g., GDPR, CCPA) hold the data controller (the organization) fully accountable for PII protection, regardless of outsourcing. Subprocessor risk assessment verifies that vendors uphold equivalent security and privacy controls. Failure to assess subprocessors does not absolve the organization—it increases breach liability and regulatory penalties.

Incorrect Option:

A. Risk mitigations must be more comprehensive than the existing payroll provider.
Outsourcing does not automatically require more comprehensive mitigations than the current in-house or previous provider. The standard is adequacy and compliance, not necessarily superiority. This option introduces an arbitrary comparison not supported by legal or risk management principles for subprocessor assessment.

B. Due care must be exercised during all procurement activities.
While due care is always necessary in procurement, this is too generic. The question specifically asks why the subprocessor risk assessment is needed. Due care applies broadly to vendor selection but does not explain the unique legal and accountability focus on subprocessors versus the primary vendor.

D. Specific regulatory requirements must be met in each jurisdiction.
Although regulatory requirements vary by jurisdiction, this explains what must be achieved, not why the organization must assess subprocessors specifically. The core reason is retained accountability for PII. Jurisdictional rules are a subset of that accountability, not the fundamental driver.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 1: Risk Management (Third-party risk, data privacy, legal liability). Also GDPR Article 28 (Processor obligations) and NIST SP 800-53 (CA-9: Internal system connections).

A security engineer receives an alert from the SIEM platform indicating a possible malicious action on the internal network. The engineer generates a report that outputs the logs associated with the incident:

Which of the following actions best enables the engineer to investigate further?


A. Consulting logs from the enterprise password manager


B. Searching dark web monitoring resources for exposure


C. Reviewing audit logs from privileged actions


D. Querying user behavior analytics data





D.
  Querying user behavior analytics data

Explanation:
The alert indicates a possible malicious action on the internal network. To investigate further, the engineer needs to understand what normal behavior looks like for that user or system. User behavior analytics (UBA) establishes baselines and highlights anomalous activities (e.g., unusual login times, abnormal data access, atypical command execution). Querying UBA data provides context to determine if the alert is a true positive.

Correct Option:

D. Querying user behavior analytics data –
UBA platforms aggregate logs and apply machine learning to model normal user and entity behavior. When a SIEM alerts on a possible malicious action, UBA can show whether the associated user has deviated from their typical pattern (e.g., first-time access to a sensitive share, unusual volume of data transfer). This context validates or refutes the alert.

Incorrect Option:

A. Consulting logs from the enterprise password manager –
Password manager logs track credential access and changes, but are not directly relevant to a generic "possible malicious action" alert unless the action specifically involved password manager use. This is too narrow and unlikely to provide initial investigation context.

B. Searching dark web monitoring resources for exposure –
Dark web monitoring identifies whether credentials or data have been posted online. This is useful for post-breach or credential stuffing investigations, but not as an immediate next step for an internal network alert. It is reactive and outside-focused, while the alert is inside the network.

C. Reviewing audit logs from privileged actions –
Privileged action logs are valuable if the malicious action involved an admin account. However, the alert does not specify privilege level. Reviewing only privileged logs would miss actions by non-privileged users. UBA covers all users and entities, making it broader and more appropriate initially.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 4.0 (Security Operations) – User and entity behavior analytics (UEBA). NIST SP 800-53 (AU-6: Audit Record Correlation). SIEM and UBA integration for alert triage. Insider threat detection using behavioral baselines. Incident investigation workflows.


An administrator needs to craft a single certificate-signing request for a web-server certificate. The server should be able to use the following identities to mutually authenticate other resources over TLS:
• wwwJnt.comptia.org
• webserver01.int.comptia.org
•10.5.100.10
Which of the following certificate fields must be set properly to support this objective?


A. Subject alternative name


B. Organizational unit


C. Extended key usage


D. Certificate extension





A.
  Subject alternative name

Explanation:
A single certificate must support multiple identities: two DNS names (www.int.comptia.org, webserver01.int.comptia.org) and one IP address (10.5.100.10). The Subject Alternative Name (SAN) extension allows a certificate to specify multiple DNS names, IP addresses, or other identifiers. Browsers and TLS clients require SAN for multi-domain certificates; the Common Name (CN) is deprecated for this purpose.

Correct Option:

A. Subject alternative name

SAN extension (RFC 5280) allows multiple identities: DNS, IP, email, URI.

The CSR must include all three identifiers as SAN entries.

TLS clients validate against SANs, not the CN field.

This enables mutual authentication using any of the three identities.

Incorrect Options:

B. Organizational unit

OU is an X.500 attribute within the Distinguished Name (DN), used for organizational structure.

Not used for identity validation in TLS.

Irrelevant for specifying DNS or IP addresses.

C. Extended key usage

EKU defines the purpose of the certificate (e.g., server authentication, client authentication, code signing).

Does not list acceptable DNS names or IP addresses.

Required for proper TLS usage but does not solve multi-identity requirement.

D. Certificate extension

Too broad; SAN is one type of certificate extension.

Answer is vague; SAN is the specific extension needed.

Exam expects precise identification of SAN.

Reference:
CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (PKI, Certificates). RFC 5280 (Internet X.509 PKI) — Section 4.2.1.6: Subject Alternative Name. “SAN allows binding multiple names and IP addresses to a single certificate.”

A company plans to deploy a new online application that provides video training for its customers. As part of the design, the application must be:
• Fast for all users
• Available for users worldwide
• Protected against attacks
Which of the following are the best components the company should use to meet these requirements? (Select two).


A. WAF


B. IPS


C. CDN


D. SASE


E. VPN


F. CASB





A.
  WAF

C.
  CDN

Explanation:
The requirements: fast for all users (speed), available worldwide (global reach), and protected against attacks. A CDN (Content Delivery Network) caches content at edge locations worldwide, improving speed and availability. A WAF (Web Application Firewall) protects the application from web attacks (SQLi, XSS, DDoS). Together, CDN provides performance/availability, WAF provides security.

Correct Option:

A. WAF –
Web Application Firewall sits in front of the web application to filter, monitor, and block malicious HTTP/S traffic (e.g., SQL injection, cross-site scripting, OWASP Top 10). It protects the application from attacks while CDN handles distribution.

C. CDN –
Content Delivery Network (e.g., CloudFront, Akamai, Fastly) caches video content at globally distributed edge servers, reducing latency for users worldwide, improving speed, and providing availability / DDoS mitigation. It also helps with geographic load balancing.

Incorrect Option:

B. IPS –
Intrusion Prevention System operates at the network layer inspecting traffic for known signatures, but for a web video application, WAF is more targeted and effective for application-layer attacks. IPS can complement but is not the best primary choice vs WAF.

D. SASE –
Secure Access Service Edge combines networking (SD-WAN) with security (SWG, CASB, ZTNA). It is more relevant for remote workforce access than for a customer-facing video application. Overkill and less focused on web app protection.

E. VPN –
Virtual Private Network encrypts traffic for a single user/device, but does not scale for thousands of customers, adds latency (opposite of "fast"), and does not protect the application itself. VPN is for private access, not public video delivery.

F. CASB –
Cloud Access Security Broker monitors and secures cloud app usage (often employee access to SaaS). Not designed for protecting a customer-facing video training application or improving global speed.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 1.0 (Security Architecture) – CDN and WAF. CDN for global performance and availability (NIST SP 800-95 – Web services). WAF for application-layer attack protection (OWASP, NIST SP 800-95). IPS differences from WAF (network vs application layer). SASE for remote workforces. VPN not for public CDN use case. CASB for cloud app governance. Global video training application requirements. CDN + WAF as standard cloud architecture pair. CDN provides edge DDoS protection. WAF provides web attack filtering. CASP+ domain 1 – selecting security and performance components for global web applications. Fast, worldwide, protected → CDN + WAF.

Which of the following best explains the business requirement a healthcare provider fulfills by encrypting patient data at rest?


A. Securing data transfer between hospitals


B. Providing for non-repudiation data


C. Reducing liability from identity theft


D. Protecting privacy while supporting portability.





D.
  Protecting privacy while supporting portability.

Explanation:

Why D is Correct:
This option most accurately and completely captures the core business and regulatory requirements for a healthcare provider.

Protecting Privacy:
This is the primary driver. Regulations like HIPAA (Health Insurance Portability and Accountability Act) in the United States mandate the protection of patient Protected Health Information (PHI). Encryption of data at rest is a key safeguard to ensure confidentiality and privacy, preventing unauthorized access if devices are lost, stolen, or improperly accessed. It directly addresses the fundamental ethical and legal duty to keep patient information private.

Supporting Portability:
This is a critical business enabler. Healthcare data needs to be portable—it must be stored on laptops, mobile devices, USB drives, and in cloud data centers to facilitate modern healthcare delivery, backups, and research. Encryption is the technology that makes this portability secure. It allows data to be moved and stored flexibly without incurring the high risk of a data breach. The "portability" in HIPAA's name hints at this need for data movement in a secure manner.

Why A is Incorrect:
Encrypting data at rest protects data while it is stored on a device (e.g., a database, hard drive). Securing data transfer between hospitals is the role of encrypting data in transit (e.g., using TLS for network transmission). This is an important requirement, but it is not the one fulfilled by encryption at rest.

Why B is Incorrect:
Non-repudiation provides proof of the origin of data and prevents a sender from denying having sent it. This is a security service achieved through digital signatures and cryptographic hashing, not through encryption at rest. Encryption ensures confidentiality, not non-repudiation.

Why C is Incorrect:
While reducing liability from identity theft is a positive outcome of encrypting data, it is not the best explanation of the direct business requirement. The requirement is driven by proactive compliance with privacy laws (like HIPAA) and the duty of care to protect patients. Reducing liability is a beneficial consequence of meeting that primary requirement, not the requirement itself. Option D is a more precise and comprehensive description of the core business and regulatory need.

Reference:
This question falls under Domain 4.0: Governance, Risk, and Compliance. It tests the ability to map a technical control (encryption at rest) back to the fundamental business and legal requirements that mandate its use, particularly in a heavily regulated industry like healthcare. Understanding the "why" behind a control is crucial for a CASP+.

The material finding from a recent compliance audit indicate a company has an issue with excessive permissions. The findings show that employees changing roles or departments results in privilege creep. Which of the following solutions are the best ways to mitigate this issue? (Select two).
Setting different access controls defined by business area


A. Implementing a role-based access policy


B. Designing a least-needed privilege policy


C. Establishing a mandatory vacation policy


D. Performing periodic access reviews


E. Requiring periodic job rotation





A.
  Implementing a role-based access policy

D.
  Performing periodic access reviews

Explanation:
The core problem identified is privilege creep due to employees changing roles. This means users accumulate permissions over time because old access rights are not removed when they are no longer needed for their new position. The solutions must directly address this accumulation and ensure permissions align with current job functions.

Why A is Correct (Implementing a role-based access policy):
Role-Based Access Control (RBAC) is a fundamental solution to this exact problem. Instead of assigning permissions directly to users, permissions are assigned to roles (e.g., "Accountant," "Marketing Manager"). Users are then assigned to these roles. When an employee changes departments, their old role is simply removed, and their new role is assigned. This automatically revokes the old permissions and grants the new, appropriate ones, effectively preventing privilege creep by design.

Why D is Correct (Performing periodic access reviews):
Even with RBAC in place, processes can break down. Periodic user access reviews (also known as recertification) are a critical administrative control to catch and correct privilege creep. In these reviews, managers or system owners periodically attest to whether their employees' current access levels are still appropriate for their job functions. This process proactively identifies and removes excessive permissions that may have been missed during a role transition.

Why the Other Options Are Incorrect:

B. Designing a least-needed privilege policy:
While the principle of least privilege is the ultimate goal, this option describes a concept or principle, not an actionable solution to the problem of privilege creep. Implementing RBAC (Option A) is how you operationalize and enforce a least privilege policy. Therefore, A is a more direct and specific solution.

C. Establishing a mandatory vacation policy:
This is a detective control primarily used to uncover fraud (e.g., requiring an employee to take vacation forces someone else to perform their duties, potentially revealing fraudulent activity). It does not directly address the procedural issue of permissions not being removed during role changes.

E. Requiring periodic job rotation:
Job rotation is a security practice used to reduce the risk of fraud and collusion and to cross-train employees. It would actually exacerbate the problem of privilege creep, as more employees changing roles would lead to even more accumulated permissions if a proper process (like RBAC and access reviews) is not in place to manage the transitions.

Reference:
This question falls under Domain 4.0: Governance, Risk, and Compliance. It tests knowledge of identity and access management (IAM) best practices, specifically the controls used to implement and maintain the principle of least privilege and prevent authorization vulnerabilities like privilege creep. RBAC and access recertification are cornerstone practices for any mature IAM program.


Page 1 out of 30 Pages
Next
123456789

What Makes Our CompTIA SecurityX Certification Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CAS-005 practice exam don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before CompTIA SecurityX Certification Exam exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CAS-005 practice exam questions pool covering all topics, the real exam feels like just another practice session.