Certification Practice Exam 2026/2027 | 110 Questions, Answers, & Rationales | SANS GIAC | 100% Pass Guarantee
This practice exam covers key SFPC domains: physical security, access control, personnel
security, information security, incident response, risk management, and compliance. Questions
are scenario-based with detailed rationales.
Q1 A security professional is assessing a facility's perimeter protection. Which of the following
is the primary purpose of installing bollards around the building entrance?
A) To enhance aesthetic appeal B) To prevent vehicle ramming attacks C) To improve lighting
conditions D) To reduce noise pollution
B) To prevent vehicle ramming attacks
Rationale: Bollards are physical barriers designed to stop or redirect vehicles, serving as a key
anti-ram measure in perimeter security. This aligns with CPTED (Crime Prevention Through
Environmental Design) principles and DoD standards for vehicle-borne threats.
Q2 In accordance with NIST SP 800-53, which control family addresses the identification and
authentication of users in an information system?
A) Access Control (AC) B) Identification and Authentication (IA) C) Audit and Accountability
(AU) D) Physical and Environmental Protection (PE)
B) Identification and Authentication (IA)
Rationale: NIST SP 800-53 IA controls ensure users are uniquely identified and authenticated
before accessing systems, using passwords, biometrics, or tokens to prevent unauthorized access.
Q3 A facility manager notices that employees are propping open a secure door with a doorstop.
What is the most immediate corrective action?
A) Install an alarm on the door B) Remove the doorstop and counsel the employees on security
protocols C) Replace the door with a higher-security model D) Increase CCTV monitoring in the
area
B) Remove the doorstop and counsel the employees on security protocols
Rationale: Propped doors violate access control principles and create vulnerabilities. Immediate
removal and education address the human factor, which is the weakest link in security per social
engineering principles.
Q4 According to DoD Manual 5200.01, what is the classification level for information that could
cause serious damage to national security if disclosed without authorization?
A) Confidential B) Secret C) Top Secret D) Unclassified
B) Secret
Rationale: DoD classification levels: Confidential (damage), Secret (serious damage), Top
Secret (exceptionally grave damage). This ensures proportionate protection.
Q5 A security officer is conducting a risk assessment. Which of the following is the first step in
the risk management process per NIST SP 800-30?
A) Determine risk response B) Identify threats and vulnerabilities C) Assess impact and
likelihood D) Establish risk context
D) Establish risk context
Rationale: NIST SP 800-30 Rev. 1 opens by framing the assessment (its Prepare step): defining its
purpose, scope, assumptions, constraints, and the threat and vulnerability sources to be used.
Identifying threats and vulnerabilities, analysing likelihood and impact, and choosing a risk
response all follow from that context.
Q6 In physical security, what is the primary purpose of mantraps?
A) To control pedestrian traffic flow B) To prevent tailgating and verify identity in a secure
vestibule C) To store emergency equipment D) To monitor environmental conditions
B) To prevent tailgating and verify identity in a secure vestibule
Rationale: A mantrap is an interlocked two-door vestibule: the second door stays locked until the
first has closed, and the occupant must authenticate (badge, PIN, or biometric) between the doors,
so only one verified person passes at a time and a tailgater is held in the vestibule.
Q7 A security professional is implementing badge access control. Which type of badge system
uses radio frequency for contactless entry?
A) Magnetic stripe B) Proximity (RFID) C) Bar code D) Smart card with chip
B) Proximity (RFID)
Rationale: Proximity badges use RFID technology for hands-free authentication within a short
range, improving convenience and throughput. Note the caveat: most deployed proximity cards are
low-frequency (125 kHz) and transmit a fixed identifier with no cryptographic authentication, so
the credential can be read and cloned at close range. Contactless smart cards (option D) also use
RF, but their chip can perform a cryptographic challenge-response that a plain proximity card
cannot.
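The credential a 125 kHz proximity badge hands to the reader is just a fixed bit string. The following Python is added here as an illustration and is not part of the exam or of any vendor's code: it encodes and decodes the common open 26-bit Wiegand layout (8-bit facility code, 16-bit card number, one even and one odd parity bit), checks parity the way a controller does, and shows that a captured frame replays indistinguishably from the live badge. The bit layout is the standard H10301 format; the facility code 100 and card number 12345 are constructed sample values, not a real badge.

```python
"""Encode/decode the 26-bit Wiegand (H10301) credential a typical
125 kHz proximity badge delivers to an access-control reader.

Assumed layout (standard open 26-bit format):
  bit 0      even parity over bits 1-12
  bits 1-8   facility code (8 bits)
  bits 9-24  card number (16 bits)
  bit 25     odd parity over bits 13-24
Bit 0 is transmitted first, so it is the most significant bit of the
26-bit integer used here.
"""

PAYLOAD_MASK = 0xFFFFFF  # 24 data bits: facility code + card number


def _parity(value: int) -> int:
    """Return 1 if `value` has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def wiegand26_encode(facility_code: int, card_number: int) -> int:
    """Build the 26-bit frame a badge with this facility/card pair emits."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = (facility_code << 16) | card_number
    high12 = payload >> 12          # frame bits 1-12
    low12 = payload & 0xFFF         # frame bits 13-24
    even_p = _parity(high12)        # bit 0 + high12 must have even weight
    odd_p = 1 - _parity(low12)      # low12 + bit 25 must have odd weight
    return (even_p << 25) | (payload << 1) | odd_p


def wiegand26_decode(frame: int) -> tuple[int, int]:
    """Validate both parity bits and return (facility_code, card_number).

    Raises ValueError on a frame that fails parity, which is what a
    controller does with a corrupted or malformed read.
    """
    if frame < 0 or frame >> 26:
        raise ValueError("frame is not 26 bits")
    even_p = (frame >> 25) & 1
    payload = (frame >> 1) & PAYLOAD_MASK
    odd_p = frame & 1
    if (even_p + _parity(payload >> 12)) & 1 != 0:
        raise ValueError("even parity check failed")
    if (odd_p + _parity(payload & 0xFFF)) & 1 != 1:
        raise ValueError("odd parity check failed")
    return payload >> 16, payload & 0xFFFF


def replay_is_indistinguishable(captured_frame: int, live_frame: int) -> bool:
    """A proximity credential is static: a replayed capture decodes to the
    same facility/card pair as the genuine badge, and the controller has no
    nonce or shared secret with which to tell the two apart."""
    return wiegand26_decode(captured_frame) == wiegand26_decode(live_frame)


if __name__ == "__main__":
    # Constructed sample credential (not a real badge): facility 100, card 12345.
    frame = wiegand26_encode(100, 12345)
    print(f"frame   = {frame:026b}")
    print("decoded =", wiegand26_decode(frame))
    # Flip one data bit: parity catches it, as the controller would.
    try:
        wiegand26_decode(frame ^ (1 << 10))
    except ValueError as exc:
        print("corrupted frame rejected:", exc)
    # A captured copy of the frame is accepted exactly like the original.
    print("replay accepted:", replay_is_indistinguishable(frame, frame))
```

The 24 data bits leave room for only 2^24 distinct credentials and carry no secret, which is why the parity bits protect against line noise but not against a cloned card; that protection has to come from a credential that can do a keyed challenge-response.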
Q8 Per OSHA standards, what is the minimum illumination level required for general office
areas in a secure facility?
A) 5 foot-candles B) 10 foot-candles C) 30 foot-candles D) 50 foot-candles
C) 30 foot-candles
Rationale: OSHA's construction illumination standard, 29 CFR 1926.56 Table D-3, sets 30
foot-candles as the minimum for first-aid stations, infirmaries, and offices; lower values (5 and 10
foot-candles) apply to general work areas, corridors and warehouses, and plant shops. The
general-industry standards in 29 CFR 1910 specify no numeric office lighting level (1910.305
covers electrical wiring methods, not illumination), so the 30 foot-candle figure is the 1926.56
value.
Q9 A facility conducts background checks on all employees. This is an example of which
personnel security control?
A) Least privilege B) Need-to-know C) Employment screening D) Separation of duties
C) Employment screening
Rationale: Background investigations verify an individual's trustworthiness before access is
granted, as required under DoDM 5200.02 (DoD Personnel Security Program) and comparable
standards.
Q10 In information security, what does the principle of "need-to-know" ensure?
A) All employees have access to all data B) Access is granted only to those who require it for
their job C) Data is encrypted at rest D) Firewalls are installed on all systems
B) Access is granted only to those who require it for their job