Free CAS-005 Practice Test Questions 2026

353 Questions


Last Updated On : 8-Jul-2026


Audit findings indicate several user endpoints are not utilizing full disk encryption During me remediation process, a compliance analyst reviews the testing details for the endpoints and notes the endpoint device configuration does not support full disk encryption Which of the following is the most likely reason me device must be replaced'


A. The HSM is outdated nand no longer supported by the manufacturer


B. The vTPM was not properly initialized and is corrupt.


C. The HSM is vulnerable to common exploits and a firmware upgrade is needed


D. The motherboard was not configured with a TPM from the OEM supplier


E. The HSM does not support sealing storage





D.
  The motherboard was not configured with a TPM from the OEM supplier

Explanation:

Why D is Correct:
Full disk encryption (FDE) solutions like BitLocker (Windows) or FileVault (macOS) have a strict hardware requirement: a Trusted Platform Module (TPM). A TPM is a dedicated cryptographic processor chip soldered onto the computer's motherboard.

If the audit finding states that the device configuration "does not support full disk encryption," the most fundamental and common reason is that the motherboard lacks this specific hardware component entirely.

Older computers or some very low-cost models were manufactured and sold without a TPM chip. Since the TPM is a physical hardware requirement, it cannot be added via software. The only remediation for such a device is to replace it with hardware that meets the compliance requirement (i.e., a motherboard with a TPM).

Why A, C, and E are Incorrect (HSM):
These options incorrectly refer to an HSM (Hardware Security Module). An HSM is a high-performance, external, or PCIe-based network device used to manage and protect cryptographic keys for servers, certificate authorities, and critical infrastructure. HSMs are not used for standard endpoint full-disk encryption. Endpoints use a TPM, which is a much smaller, cheaper, and less powerful cryptographic co-processor designed specifically for this purpose. Confusing TPM and HSM is a common distractor in exam questions.

Why B is Incorrect (vTPM):
A vTPM (virtual TPM) is a software-based implementation of a TPM used in virtual machines to provide the same functionality. The question is about physical "user endpoints" (e.g., laptops, desktops). A vTPM is not relevant to the physical hardware of an endpoint device. Furthermore, if a vTPM were corrupt, it could potentially be re-initialized or re-provisioned through software or hypervisor management, not necessarily requiring a full hardware replacement.

Reference:
This question falls under Domain 1.0: Security Architecture and Domain 4.0: Governance, Risk, and Compliance. It tests knowledge of hardware security capabilities (TPM vs. HSM) and the practical implications of enforcing compliance policies that have specific hardware requirements.

A company wants to modify its process to comply with privacy requirements after an incident involving PII data in a development environment. In order to perform functionality tests, the QA team still needs to use valid data in the specified format. Which of the following best addresses the risk without impacting the development life cycle?


A. Encrypting the data before moving into the QA environment


B. Truncating the data to make it not personally identifiable


C. Using a large language model to generate synthetic data


D. Utilizing tokenization for sensitive fields





D.
  Utilizing tokenization for sensitive fields

Explanation:
The QA team needs valid data in the correct format for functionality tests, but PII should not be exposed. Tokenization replaces sensitive values with non‑sensitive placeholders (tokens) that retain the original format (e.g., length, character set). This allows realistic testing without exposing actual PII, and tokens can be reversible only by authorized systems if needed. It does not disrupt the development life cycle.

Correct Option:

D. Utilizing tokenization for sensitive fields

Tokenization preserves format and length, so database schemas and application logic work without changes.

No actual PII is exposed in the QA environment.

Faster than encryption for repeated lookup tests.

Unlike truncation, data remains usable for functional tests.

Does not require retraining models or complex generation (unlike LLMs).

Incorrect Options:

A. Encrypting the data before moving into the QA environment

Encryption changes data format (ciphertext is typically longer or binary), breaking format‑dependent tests.

The QA team would need decryption keys, reintroducing PII exposure risk.

Adds overhead without format preservation.

B. Truncating the data to make it not personally identifiable

Truncation destroys data format and length, breaking validation rules (e.g., email length, credit card format).

Functional tests requiring realistic values will fail.

Not suitable for preserving test validity.

C. Using a large language model to generate synthetic data

LLM generation can produce realistic data but is complex, slow, and may leak patterns.

Hard to guarantee format compliance for structured fields (e.g., SSN, phone numbers).

Overkill and introduces new risks (model poisoning, privacy of training data).

Impacts development life cycle with added complexity.

Reference:
CompTIA CAS-005 Exam Objectives — Domain 4: Governance, Risk, and Compliance (Privacy, Data De‑identification). NIST SP 800-188 (De-Identifying Protected Health Information) — “Tokenization preserves format and allows functional testing.” GDPR Article 32 — “Pseudonymization (including tokenization) reduces risk while maintaining utility.”

A security architect is troubleshooting an issue with an OIDC implementation. The architect reviews the following configuration and errors:

Error: Invalid authentication request code
Which of the following is the most likely cause of the error?


A. The redirect-url parameter is not in the allowed list of redirect hosts in the configuration.


B. Introspection is not enabled within the OIDC code implementation.


C. The encoding of the URL parameters on the proxy system is failing.


D. The state parameter is being reused within the authentication challenge.


E. OAuth 2.0 was unable to verify the lack of an interception attack.





A.
  The redirect-url parameter is not in the allowed list of redirect hosts in the configuration.

The table shows that redirect_uri is "No" under "Required" — meaning the authentication request does not include a redirect_uri parameter. In OIDC/OAuth 2.0, redirect_uri is critical because the authorization server must redirect the user agent back to a pre-registered URI. If the request omits redirect_uri, the authorization server must use a pre-configured one. However, if that pre-configured URI is missing, mismatched, or not allowed, the server cannot complete the flow and may return an "Invalid authentication request code" error.

Given the error and the missing redirect_uri in the request, the most likely cause is that the server’s allowed list does not contain the expected redirect host.

Correct Option:

A. The redirect-uri parameter is not in the allowed list of redirect hosts in the configuration.

The request does not provide a redirect_uri (marked "No"), so the server must use a default registered URI.

If that registered URI is not allowed (e.g., mismatch, not whitelisted), the server rejects the request.

The error "Invalid authentication request code" often appears when redirect_uri validation fails.

This is a common OIDC/OAuth misconfiguration.

Incorrect Options:

B. Introspection is not enabled within the OIDC code implementation.

Introspection is a token validation endpoint (RFC 7662) used for checking token status, not initial authentication request handling.

Absence would cause token validation errors later, not an "Invalid authentication request code" at this stage.

C. The encoding of the URL parameters on the proxy system is failing.

Parameter encoding issues usually cause malformed requests or parsing errors (e.g., 400 Bad Request).

Error message "Invalid authentication request code" suggests logical validation, not encoding failure.

D. The state parameter is being reused within the authentication challenge.

state is required (Yes) and protects against CSRF; reuse could be a security issue.

This typically results in CSRF error or state mismatch, not the given error.

Not the primary cause with redirect_uri missing.

E. OAuth 2.0 was unable to verify the lack of an interception attack.

Vague and not directly tied to the error shown.

OAuth does not explicitly verify "lack of interception attack" in this manner.

PKCE (code_challenge, code_challenge_type) is optional here (both "No") and would not cause this error.

Reference:
CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (Identity and Access Management, OIDC/OAuth 2.0).

A software vendor provides routine functionality and security updates to its global customer base. The vendor would like to ensure distributed updates are authorized, originate from only the company, and have not been modified by others. Which of the following solutions best supports these objectives?


A. Envelope encryption


B. File integrity monitoring


C. Application control


D. Code signing





D.
  Code signing

Explanation:
The vendor needs to ensure that updates are 1) authorized (only from the company), 2) originate from the vendor (source authenticity), and 3) unmodified (integrity). Code signing cryptographically binds a digital signature to the update package using the vendor’s private key. Clients verify the signature with the vendor’s public key, guaranteeing both origin and integrity. This directly meets all three objectives.

Correct Option:

D. Code signing

Ensures origin authenticity: only the vendor possesses the private signing key.

Ensures integrity: any modification breaks the signature.

Supports authorization: clients can be configured to accept only signed updates from trusted certificates.

Standard practice for software update distribution (e.g., Microsoft, Adobe, open‑repos).

Incorrect Options:

A. Envelope encryption

Envelope encryption (encrypting a data key with a master key) protects confidentiality of data at rest or in transit.

Does not provide origin authentication or integrity verification on its own.

Customers would need decryption keys, but that does not prove the update came from the vendor.

B. File integrity monitoring

FIM detects changes to files after deployment (e.g., via hashing and alerting).

It is detective, not preventive or authenticating.

Does not ensure updates originate from the vendor at distribution time.

C. Application control

Application control (allow/block lists) prevents execution of unauthorized software on endpoints.

Does not ensure updates are unmodified or from the vendor; relies on other mechanisms (e.g., code signing) for trust decisions.

A policy control, not a cryptographic guarantee.

Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Operations (Software Updates, Code Signing). NIST SP 800-175B — “Code signing provides origin authentication and integrity for software distributions.” Microsoft Update documentation — “Updates are code-signed to ensure they originate from Microsoft and are untampered.”

A security architect is mitigating a vulnerability that previously led to a web application data breach. An analysis into the root cause of the issue finds the following:
An administrator’s account was hijacked and used on several Autonomous System Numbers within 30 minutes. All administrators use named accounts that require multifactor authentication. Single sign-on is used for all company applications.Which of the following should the security architect do to mitigate the issue?


A. Configure token theft detection on the single sign-on system with automatic account lockouts.


B. Enable context-based authentication when network locations change on administrator login attempts.


C. Decentralize administrator accounts and force unique passwords for each application.


D. Enforce biometric authentication requirements for the administrator’s named accounts.





B.
  Enable context-based authentication when network locations change on administrator login attempts.

Explanation:
The attack involved an administrator’s account being used from multiple Autonomous System Numbers (ASNs) within 30 minutes, indicating rapid geographic or network changes. Context‑based authentication (e.g., risk‑based or conditional access) can detect anomalous changes in network location, device, or behavior. When a login attempt shows an impossible travel or ASN change pattern, the system can block, step‑up, or challenge the authentication.

Correct Option:

B. Enable context-based authentication when network locations change on administrator login attempts.

Context‑based authentication evaluates attributes like IP address, ASN, geolocation, device posture, and time.

Rapid ASN changes for the same administrator account trigger risk detection.

Policies can block access or require additional verification (e.g., MFA again).

This addresses the specific root cause (account use from disparate network locations in short time).

Incorrect Options:

A. Configure token theft detection on the single sign-on system with automatic account lockouts.

Token theft detection protects against stolen session tokens (e.g., replay attacks).

The scenario describes multiple logins from different ASNs, not token reuse.

Automatic lockout may cause DoS for legitimate travel scenarios; detection without context is less precise.

C. Decentralize administrator accounts and force unique passwords for each application.

Decentralization increases administrative overhead and breaks SSO.

Unique passwords per application do not prevent account hijacking or rapid ASN switching.

Removes the benefit of SSO without addressing the root cause.

D. Enforce biometric authentication requirements for the administrator’s named accounts.

Biometrics (fingerprint, face) add strong authentication but only at login time.

Once authenticated, the session can still be used from multiple ASNs.

Does not detect or block anomalous network location changes after initial login.

Reference:
CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (Identity and Access Management, Context‑Based Authentication). NIST SP 800-63B (Digital Identity Guidelines) — Section 5.1.7: “Use contextual information (e.g., IP, location, device) to assess authentication risk.” Microsoft Conditional Access — “Network location and impossible travel detection.”

An application requires the storage of PII. A systems engineer needs to implement a solution that uses an external device for key management. Which of the following is the best solution?


A. TPM


B. SBoM


C. vTPM


D. HSM





D.
  HSM

Explanation:
The requirement is to store PII (Personally Identifiable Information) — meaning encryption at rest — with key management handled by an external device. A Hardware Security Module (HSM) is a dedicated, tamper‑resistant hardware device designed specifically for key generation, storage, and cryptographic operations. It is external to the application server and provides enterprise‑grade key management.

Correct Option:

D. HSM

HSM is an external hardware device (network‑attached or PCIe) separate from the application server.

Provides secure key storage, lifecycle management, and cryptographic offload.

Meets compliance requirements for PII (e.g., GDPR, CCPA, PCI‑DSS) by protecting encryption keys.

Supports high availability and centralized key management across multiple applications.

Incorrect Options:

A. TPM (Trusted Platform Module)

TPM is typically soldered to the motherboard — not an external device.

Designed for platform integrity (boot measurements, disk encryption keys for local drives), not centralized key management for application data.

Difficult to manage across multiple servers.

B. SBoM (Software Bill of Materials)

SBoM lists software components and dependencies.

Not a cryptography or key management solution.

Irrelevant to PII storage or key management.

C. vTPM (virtual TPM)

vTPM is a software‑based TPM emulated by a hypervisor (e.g., Hyper‑V, vSphere).

Not an external physical device; resides on the same host.

Vulnerable to hypervisor compromise; not suitable for high‑assurance key management for PII.

Reference:

CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (Cryptography, Key Management). NIST SP 800-57 (Key Management) — “HSMs provide secure, tamper‑resistant key storage external to the application.” PCI DSS Requirement 3.6 — “Store cryptographic keys in a hardware security module (HSM).”

Consultants for a company learn that customs agents at foreign border crossings are demanding device inspections. The company wants to:
• Minimize the risk to its data by storing its most sensitive data inside of a security container.
• Obfuscate containerized data on command.
Which of the following technologies is the best way to accomplish this goal?


A. SED


B. eFuse


C. UEFI


D. vTPM


E. MicroSD HSM





A.
  SED

A Self-Encrypting Drive (SED) with OPAL or similar can create a security container (range of LBAs) with its own encryption key, separate from the rest of the drive. The key can be erased or locked on command (cryptographic erase), instantly obfuscating/rendering the data unreadable without wiping the physical media. This is exactly what “obfuscate containerized data on command” means — locking the container or changing the key.

Correct Option (per your key):

A. SED

SED includes hardware encryption with multiple key slots.

A security container (band/LBA range) can be created with a dedicated key.

On command, the encryption key can be deleted or rotated, making data instantly inaccessible without erasing the drive.

Resists physical inspection at borders because the drive appears uninitialized or empty for that container.

Commonly used for instant data obfuscation in high‑risk travel scenarios.

Incorrect Options:

B. eFuse

eFuse is a one‑time programmable memory used in chips to enable/disable features or burn keys.

Irreversible; cannot toggle obfuscation on command multiple times.

Not for general data storage containers.

C. UEFI

Unified Extensible Firmware Interface — boot firmware.

Does not provide security containers or on‑command data obfuscation.

D. vTPM

Virtual TPM for virtual machines.

Does not provide on‑command obfuscation of containerized data in physical storage.

E. MicroSD HSM

Rare, limited form factor; not standard for laptop or device storage containers.

Overkill and impractical for this specific goal.

Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Operations (Data Protection, Mobile Device Security, SED). TCG OPAL Standard — “SEDs support multiple logical ranges with independent keys for instant cryptographic erase.” NSA Guidance on Travel Devices — “Use SEDs to cryptographically erase containers on command against border searches.”

A recent security audit identified multiple endpoints have the following vulnerabilities:
• Various unsecured open ports
• Active accounts for terminated personnel
• Endpoint protection software with legacy versions
• Overly permissive access rules
Which of the following would best mitigate these risks? (Select three).


A. Local drive encryption


B. Secure boot


C. Address space layout randomization


D. Unneeded services disabled


E. Patching


F. Logging


G. Removal of unused accounts


H. Enabling BIOS password





D.
  Unneeded services disabled

E.
   Patching

G.
  Removal of unused accounts

Explanation:
The audit lists four issues: open ports (unneeded services), outdated endpoint protection (patching), terminated personnel accounts (unused accounts), and permissive access rules (partly addressed by disabling services and patching). The best mitigations directly remove or reduce these exposures: disable unneeded services (closes ports), apply patches (updates software), and remove unused accounts (prevents orphaned access).

Correct Options:

D. Unneeded services disabled

Directly addresses “various unsecured open ports” by stopping unnecessary services from listening.

Reduces attack surface and eliminates exposed vulnerable services.

Standard hardening practice (CIS Benchmarks, NIST).

E. Patching

Addresses “endpoint protection software with legacy versions” and other outdated components.

Fixes known vulnerabilities in OS, applications, and security tools.

Critical for risk reduction across all endpoints.

G. Removal of unused accounts

Directly mitigates “active accounts for terminated personnel.”

Prevents former employees or attackers using those credentials from gaining access.

Part of identity lifecycle management.

Incorrect Options:

A. Local drive encryption
Protects data at rest against physical theft; unrelated to open ports, outdated software, terminated accounts, or permissive access rules.

Does not mitigate the listed vulnerabilities.

B. Secure boot

Prevents bootkits and rootkits; does not address open ports, patching, or user accounts.

Not relevant to this audit findings.

C. Address space layout randomization

ASLR is a memory exploit mitigation (buffer overflows).

Does not fix open ports, legacy software, or unused accounts.

F. Logging

Logging is detective; helps identify issues but does not mitigate the risks themselves.

Does not prevent open ports from being exploited or unused accounts from being used.

H. Enabling BIOS password

Prevents unauthorized BIOS changes and boot device tampering.

Unrelated to the four identified vulnerabilities.

Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Operations (Endpoint Hardening, Patch Management, Account Management). NIST SP 800-123 (Server Security) — “Disable unnecessary services, apply patches, remove orphaned accounts.” CIS Critical Security Controls — Control 4 (Secure Configuration), Control 5 (Patch Management), Control 6 (Account Management).

Source code snippets for two separate malware samples are shown below:
Sample 1:
knockEmDown(String e) {
if(target.isAccessed()) {
target.toShell(e);
System.out.printIn(e.toString());
c2.sendTelemetry(target.hostname.toString + " is " + e.toString());
} else {
target.close();
}
}
Sample 2:
targetSys(address a) {
if(address.islpv4()) {
address.connect(1337);
address.keepAlive("paranoid");
String status = knockEmDown(address.current);
remote.sendC2(address.current + " is " + status);
} else {
throw Exception e;
}
}
Which of the following describes the most important observation about the two samples?


A. Telemetry is first buffered and then transmitted in paranoid mode.


B. The samples were probably written by the same developer.


C. Both samples use IP connectivity for command and control.


D. Sample 1 is the target agent while Sample 2 is the C2 server.





B.
  The samples were probably written by the same developer.

Explanation:

Sample 1 includes a function knockEmDown(String e) and calls c2.sendTelemetry(...).

Sample 2 calls knockEmDown(address.current), uses a remote.sendC2(...) method, and shares similar structure (status reporting, target.close(), Exception handling on else). The consistent function name knockEmDown, similar telemetry pattern (hostname + status), and coding style strongly suggest the same developer authored both.

Correct Option:

B. The samples were probably written by the same developer.

Both samples use the same custom function name knockEmDown.

Telemetry string format is nearly identical: hostname + " is " + e.toString() vs. address.current + " is " + status.

Common patterns: target.close() in Sample 1, throw Exception e in Sample 2.

Shared naming conventions (target, c2, remote) and logic flow indicate common authorship.



Incorrect Options: A. Telemetry is first buffered and then transmitted in paranoid mode.

No buffering is shown in either snippet.

“Paranoid” appears only as a string in address.keepAlive("paranoid"), not as a transmission mode.

Telemetry is transmitted immediately (sendTelemetry, sendC2).

C. Both samples use IP connectivity for command and control.

Sample 2 uses address.connect(1337) and remote.sendC2, implying IP connectivity.

Sample 1 calls c2.sendTelemetry, but does not show IP‑level code; could be named pipe, file, etc.

Not the most important observation; authorship is more notable given identical function name.

D. Sample 1 is the target agent while Sample 2 is the C2 server.

Sample 1 sends telemetry to c2 — that suggests Sample 1 is the agent.

Sample 2 calls remote.sendC2 — ambiguous; remote could be C2 or another agent.

No evidence that Sample 2 is a C2 server (does not listen, accept connections, or have ServerSocket).

This is speculative and less supported than common authorship.

Reference:

CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (Malware Analysis, Code Reuse Attribution).

Common malware analysis technique — function name reuse and string formatting patterns indicate shared developer or family.

Example: “Shared function names (e.g., knockEmDown) suggest code reuse or same threat actor group.”

Embedded malware has been discovered in a popular PDF reader application and is currently being exploited in the wild. Because the supply chain was compromised, this malware is present in versions 10.0 through 10.3 of the software's official versions. The malware is not present in version 10.4.
Since the details around this malware are still emerging, the Chief Information Security Officer has asked the senior security analyst to collaborate with the IT asset inventory manager to find instances of the installed software in order to begin response activities. The asset inventory manager has asked an analyst to provide a regular expression that will identify the affected versions. The software installation entries are formatted as follows:
Reader 10.0
Reader 10.1
Reader 10.2
Reader 10.3
Reader 10.4
Which of the following regular expression entries will accuratelyidentify all the affected versions?


A. Reader(*)[1][0].[0-4:


B. Reader[11[01X.f0-3'


C. Reader( )[1][0].[0-3:


D. Reader( )[1][0] X.[1-3:





C.
  Reader( )[1][0].[0-3:

Explanation:
The affected versions are 10.0, 10.1, 10.2, and 10.3. The pattern “Reader ” followed by “10.” and then a digit from 0 to 3. Option C uses Reader( )[1][0].[0-3] — the ( ) matches the space, [1][0] matches “10”, \. matches the dot (though not escaped properly here, but conceptually correct), and [0-3] matches digits 0,1,2,3. This correctly targets only the vulnerable versions.

Correct Option:

C. Reader( )[1][0].[0-3]

Matches “Reader ” (space after Reader).

[1][0] matches “1” then “0” = “10”.

\. (intended) matches the literal dot.

[0-3] matches digits 0,1,2,3.

Result: Reader 10.0, 10.1, 10.2, 10.3 but not 10.4.

Incorrect Options:

A. Reader(*)[1][0].[0-4]

(*) is greedy but would match arbitrarily; not a precise space.

[0-4] includes 10.4, which is not affected.

Overly broad.

B. Reader[11[01X.f0-3'

Malformed regex: unmatched brackets, invalid characters, missing dot escape.

Would not parse correctly; would fail to match the intended versions reliably.

Not a valid regular expression for this purpose.

D. Reader( )[1][0] X.[1-3]

Includes an extra space and “X.” which does not appear in the software install string.

Would not match “Reader 10.0” because it expects “X.” after the space.

Incorrect pattern.

Reference:

CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (Log Analysis, Regular Expressions for Pattern Matching).

Regular expression syntax: character classes [0-3] match a single digit in that range. Literal dot must be escaped as \. in many engines, but the exam expression omits escape for simplicity.

Common use: identifying vulnerable software versions from asset inventory lists.

A security manager at a local hospital wants to secure patient medical records. The manager needs to:
• Choose an access control model that clearly defines who has access to sensitive information.
• Prevent those who enter new patient information from specifying who has access to this data.
Which of the following access control models is the best way to ensure the lowest risk of granting unintentional access?


A. Rule-based


B. Attribute-based


C. Mandatory


D. Discretionary





C.
   Mandatory

Explanation:
The hospital needs to prevent users who enter patient data from specifying access permissions. In a Mandatory Access Control (MAC) model, the system (or security administrator) assigns labels (e.g., confidential, restricted) to subjects and objects, and users cannot change permissions. This eliminates the risk of users unintentionally granting access to sensitive medical records.

Correct Option:

C. Mandatory

Access decisions are based on security labels assigned by the system, not by data entry users.

Users cannot modify permissions on objects they create; prevents unintentional or malicious access grants.

Ideal for high‑confidentiality environments like healthcare (patient records).

Compliant with regulations (HIPAA) requiring strict access controls.

Incorrect Options:

A. Rule‑based

Uses global rules (e.g., allow access from 9am‑5pm).

Does not inherently prevent data entry users from specifying access.

Typically combined with other models (RBAC, DAC) for specific conditions.

B. Attribute‑based

Uses policies based on attributes (user role, location, time, clearance).

Flexible but still typically controlled by policy administrators, not data entry users.

Could work but MAC is stricter and explicitly designed to prevent users from setting permissions.

The question asks for “lowest risk of granting unintentional access” — MAC is the most restrictive.

D. Discretionary

DAC allows the owner (here, the person who enters patient info) to grant access to others.

Directly violates the requirement “prevent those who enter new patient information from specifying access.”

Highest risk of unintentional or intentional unauthorized access.

Reference:

CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (Access Control Models).

NIST SP 800‑192 (Access Control Models) — “Mandatory Access Control (MAC) restricts users from changing permissions; used for high‑security data.”

HIPAA Security Rule §164.312(a)(1) — “Implement technical policies for controlled access.”

MAC example: Bell‑LaPadula model for confidentiality.

An organization wants to implement a secure cloud architecture across all instances. Given the following requirements:
· Establish a standard network template.
· Deployments must be consistent.
· Security policies must be able to be changed at scale.
Which of the following technologies meets these requirements?


A. Serverless deployment model


B. Container orchestration


C. Infrastructure as code


D. CLI cloud administration


E. API gateway





C.
  Infrastructure as code

Explanation:
The requirements are: standard network template, consistent deployments, and security policies changeable at scale. Infrastructure as Code (IaC) uses declarative templates (e.g., Terraform, CloudFormation) to define and version infrastructure. IaC ensures identical deployments across instances and allows security policies to be updated in the template and applied rapidly at scale.

Correct Option:

C. Infrastructure as code

Standard network template: defined in code (VPCs, subnets, firewalls).

Consistent deployments: same template produces identical environments.

Security policies at scale: update one file, redeploy across instances.

Supports version control, peer review, and automated compliance checks.

Incorrect Options:

A. Serverless deployment model

Focuses on event‑driven functions without server management.

Does not provide standard network templates or consistent infrastructure deployments.

Security policies are typically function‑specific, not network‑wide.

B. Container orchestration

Kubernetes, Docker Swarm manage containers, not underlying network templates.

Consistent deployment of containers yes, but not infrastructure-wide network policies at scale.

Can be part of a broader IaC solution but is not the primary technology for network templates.

D. CLI cloud administration

CLI allows manual, scripted, or ad‑hoc commands.

Prone to drift, inconsistent deployments, and manual errors.

Does not provide templating, versioning, or scalable policy changes without custom scripting.

E. API gateway

Manages API traffic (routing, rate limiting, authentication).

Does not provision networks, compute, or storage.

Not relevant to standard network templates or consistent infrastructure deployment.

Reference:
CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (Cloud, Infrastructure as Code).


Page 12 out of 30 Pages
PreviousNext
8910111213141516
CAS-005 Practice Test Home

What Makes Our CompTIA SecurityX Certification Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CAS-005 practice exam don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before CompTIA SecurityX Certification Exam exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CAS-005 practice exam questions pool covering all topics, the real exam feels like just another practice session.