QUESTIONS AND ANSWERS | VERIFIED ANSWERS PLUS RATIONALES | EXAM
ALREADY GRADED A+ | LATEST EXAM
1. Which of the following best defines the CIA triad in information security?
A. Confidentiality, Integrity, Availability
B. Control, Inspection, Authentication
C. Confidentiality, Identification, Access
D. Compliance, Integrity, Authorization
Answer: A. Confidentiality, Integrity, Availability – These are the three core principles of
information security ensuring that data is protected from unauthorized access, remains accurate,
and is accessible when needed.
2. A firewall primarily functions to:
A. Encrypt data in transit
B. Block unauthorized access while permitting legitimate traffic
C. Store user passwords securely
D. Detect viruses on endpoints
Answer: B. Block unauthorized access while permitting legitimate traffic – Firewalls monitor
incoming and outgoing network traffic and enforce security policies to prevent unauthorized
access.
3. Which type of attack involves intercepting and altering communication
between two parties without their knowledge?
A. Phishing
B. Man-in-the-Middle (MITM)
C. Denial of Service (DoS)
D. Brute Force
Answer: B. Man-in-the-Middle (MITM) – MITM attacks allow attackers to eavesdrop, intercept,
and modify communications between two parties.
4. Multi-factor authentication (MFA) improves security by requiring:
A. Only a password
B. At least two types of verification factors
C. A single biometric factor
D. IP address validation
Answer: B. At least two types of verification factors – MFA requires something the user knows
(password), has (token), or is (biometric) to strengthen security.
5. Which encryption method uses the same key for both encryption and
decryption?
A. Symmetric encryption
B. Asymmetric encryption
C. Hashing
D. Digital signature
Answer: A. Symmetric encryption – Symmetric encryption relies on a shared secret key for both
encrypting and decrypting data.
6. The purpose of a digital certificate is to:
A. Verify a user’s password
B. Authenticate the identity of an entity and enable secure communication
C. Encrypt email messages
D. Monitor network traffic
Answer: B. Authenticate the identity of an entity and enable secure communication – Digital
certificates, issued by Certificate Authorities (CAs), confirm identities and enable encrypted
communication via SSL/TLS.
7. Which of the following is a physical security control?
A. Firewalls
B. CCTV cameras
C. Anti-malware software
D. VPN
Answer: B. CCTV cameras – Physical security controls protect assets from physical threats,
including surveillance cameras, locks, and security guards.
8. Risk assessment in cybersecurity primarily involves:
A. Installing firewalls
B. Identifying, analyzing, and evaluating risks
C. Enforcing password policies
D. Conducting penetration tests
Answer: B. Identifying, analyzing, and evaluating risks – Risk assessment helps organizations
understand potential threats, their impact, and likelihood to prioritize mitigation efforts.
9. Which protocol is commonly used to securely access remote devices over a
network?
A. FTP
B. SSH
C. HTTP
D. Telnet
Answer: B. SSH – Secure Shell (SSH) provides encrypted access to remote systems, protecting
login credentials and data from interception.
10. Which of the following best describes “defense in depth”?
A. Using a single strong security control
B. Layering multiple security controls to protect assets
C. Encrypting all data at rest
D. Restricting access to administrators only
Answer: B. Layering multiple security controls to protect assets – Defense in depth ensures that
if one control fails, others provide protection.
11. What is the main purpose of a security policy?
A. To define security goals, rules, and responsibilities
B. To monitor network traffic
C. To encrypt sensitive data
D. To prevent phishing attacks
Answer: A. To define security goals, rules, and responsibilities – Security policies guide
organizational behavior and ensure compliance with security standards.
12. Which of the following is an example of a preventive control?
A. Security audit
B. Firewall
C. Incident response
D. Forensic analysis
Answer: B. Firewall – Preventive controls aim to stop security incidents before they occur, such
as firewalls and access restrictions.
13. Which type of malware can disguise itself as legitimate software?
A. Worm
B. Trojan
C. Virus
D. Ransomware
Answer: B. Trojan – Trojans appear legitimate but perform malicious actions once executed.
14. Role-Based Access Control (RBAC) assigns permissions based on:
A. User location
B. Job roles and responsibilities
C. Device type
D. Time of access
Answer: B. Job roles and responsibilities – RBAC grants users access only to resources
necessary for their role, reducing the risk of unauthorized access.
15. What does hashing provide in data security?
A. Encryption that can be reversed
B. Data integrity verification
C. Network segmentation
D. Multi-factor authentication
Answer: B. Data integrity verification – Hashing generates a fixed-size output from input data,
allowing detection of modifications without storing reversible data.
16. Which law or standard focuses on personal data protection in the EU?
A. HIPAA
B. GDPR
C. ISO 27001
D. PCI DSS
Answer: B. GDPR – The General Data Protection Regulation enforces strict rules on how
organizations collect, store, and process personal data in the EU.
17. A Denial of Service (DoS) attack aims to:
A. Steal confidential information
B. Overwhelm systems to make them unavailable
C. Encrypt data for ransom
D. Trick users into clicking malicious links
Answer: B. Overwhelm systems to make them unavailable – DoS attacks flood systems with
traffic to disrupt legitimate service availability.
18. Which of the following is considered a detective control?