SFPC 2026/2027 - SECURITY FUNDAMENTALS PROFESSIONAL CERTIFICATION
VERIFIED EXAM QUESTIONS AND WELL-EXPLAINED ANSWERS - LATEST
VERSION PASS GUARANTEE
Q1. What does the CIA triad stand for in information security?
A) Confidentiality, Integrity, Availability
B) Control, Integrity, Authentication
C) Confidentiality, Identification, Access
D) Compliance, Integrity, Availability
Answer: A | The CIA triad is the foundational model: Confidentiality
(only authorized access), Integrity (data accuracy), Availability
(systems accessible when needed).
──────────────────────────────────────────────────────────────────────
Q2. Which principle ensures that data has not been altered in an
unauthorized manner?
A) Confidentiality
B) Non-repudiation
C) Integrity
D) Availability
Answer: C | Integrity ensures data remains accurate and unmodified
except through authorized processes.
──────────────────────────────────────────────────────────────────────
Q3. A security policy that grants users only the minimum access
necessary to perform their job is an example of which principle?
A) Separation of duties
B) Least privilege
C) Need to know
D) Defense in depth
Answer: B | Least privilege limits user rights to only those required
for their job function, minimizing attack surface.
──────────────────────────────────────────────────────────────────────
Q4. Which term describes the potential for a threat to exploit a
vulnerability?
A) Impact
B) Risk
C) Exposure
D) Hazard
Answer: B | Risk = Threat × Vulnerability × Impact. It represents the
potential for loss when a threat exploits a weakness.
──────────────────────────────────────────────────────────────────────
Q5. What is a vulnerability?
A) A malicious actor seeking to cause harm
B) A weakness that can be exploited by a threat
C) The probability of a threat occurring
D) A control that mitigates risk
Answer: B | A vulnerability is a flaw or weakness in a system, process,
or control that could be exploited by a threat agent.
──────────────────────────────────────────────────────────────────────
Q6. Non-repudiation ensures that:
A) Data is encrypted during transmission
B) A sender cannot deny sending a message
C) Only authorized users can access data
D) Systems remain available 24/7
Answer: B | Non-repudiation provides proof of origin so the sender
cannot deny having sent a message or performed an action.
──────────────────────────────────────────────────────────────────────
Q7. Which of the following best describes defense in depth?
A) Using one strong security control
B) Layering multiple security controls
C) Encrypting all data at rest
D) Performing regular vulnerability scans
Answer: B | Defense in depth uses multiple overlapping layers of
security so that if one fails, others still provide protection.
──────────────────────────────────────────────────────────────────────
Q8. What is the primary purpose of a security baseline?
A) To document all known vulnerabilities
B) To define minimum security requirements
C) To log all user activity
D) To encrypt sensitive data
Answer: B | A security baseline establishes the minimum set of
security controls an organization must implement.
──────────────────────────────────────────────────────────────────────
Q9. Which of the following is an example of a physical security
control?
A) Firewall
B) Antivirus software
C) Biometric door lock
D) Intrusion detection system
Answer: C | Physical controls protect physical assets. A biometric door
lock controls physical access to facilities.
──────────────────────────────────────────────────────────────────────
Q10. The concept of 'separation of duties' is designed to prevent:
A) Data breaches
B) Fraud and errors by requiring multiple people for sensitive tasks
C) Unauthorized physical access
D) Denial of service attacks
Answer: B | Separation of duties divides critical tasks among multiple
people so no single individual can commit fraud undetected.
──────────────────────────────────────────────────────────────────────
Q11. Which security concept involves ensuring systems and data are
accessible to authorized users when needed?
A) Confidentiality
B) Integrity
C) Availability
D) Authentication
Answer: C | Availability ensures that systems, applications, and data
are accessible to authorized users whenever required.
──────────────────────────────────────────────────────────────────────
Q12. What is a threat agent?
A) A software vulnerability
B) An entity that can exploit a vulnerability
C) A security control
D) A risk assessment tool
Answer: B | A threat agent (or actor) is any entity — person, group,
or system — capable of exploiting a vulnerability.
──────────────────────────────────────────────────────────────────────