Latest Update: Jun 22 2026
Correct Answer: C
A is incorrect: Intrusion Detection Systems (IDS) monitor network traffic to identify suspicious activity, known attack signatures, or anomalous patterns that may indicate intrusions. IDS tools generate alerts that security teams can investigate, but they typically do not automate incident response workflows or execute containment actions. Because the requirement involves automating tasks such as alert enrichment and response actions, IDS alone does not provide the orchestration and automation capabilities needed.
B is incorrect: Security Information and Event Management (SIEM) platforms aggregate logs and security events from multiple sources and perform correlation to identify potential threats. SIEM solutions provide centralized visibility and alert generation, which helps analysts detect incidents more efficiently. However, traditional SIEM platforms primarily focus on monitoring and alerting rather than orchestrating automated response actions. While SIEM may integrate with other tools, it does not inherently provide full automation capabilities for incident response workflows.
C is correct: Security Orchestration, Automation, and Response (SOAR) is the correct answer because it automates and coordinates incident response processes across multiple security tools. SOAR platforms use playbooks to perform tasks such as alert enrichment, threat intelligence lookups, ticket creation, and automated containment actions. By integrating with various security technologies, SOAR enables SOC teams to standardize response procedures and reduce manual effort in incident handling. Security operations guidance identifies SOAR as the primary platform for automating response activities and orchestrating actions across security systems.
D is incorrect: Firewalls enforce network access control by allowing or blocking traffic based on predefined policies. While firewalls can be used as enforcement points during incident response—such as blocking malicious IP addresses—they do not orchestrate workflows or automate investigation processes. Since the requirement is to automate response activities across multiple systems, firewall technology alone does not meet the objective.
Correct Answer: D
A is incorrect: VPN tunneling provides encrypted communication between endpoints across untrusted networks. It protects data in transit by creating a secure tunnel between the client and the destination system. However, once the data reaches the processing environment, it must typically be decrypted so the application can process it. This means administrators or compromised systems within the cloud environment could potentially access the plaintext data during processing. Since the requirement is to prevent administrators from accessing sensitive data while it is being processed, VPN tunneling does not address this risk.
B is incorrect: Disk encryption protects data at rest by encrypting information stored on disks or storage systems. While it prevents unauthorized access if storage media is stolen or accessed outside the system, the data must be decrypted when the system reads it into memory for processing. During this processing stage, privileged users or administrators could potentially access the plaintext data. Because the requirement specifically involves protecting data during processing, disk encryption alone does not satisfy the objective.
C is incorrect: TLS termination protects data in transit between systems by encrypting communications using TLS. However, TLS termination occurs when encrypted traffic is decrypted at an endpoint such as a load balancer or application server so the system can process the data. Once the traffic is decrypted, the data becomes accessible to the processing environment. Therefore, TLS termination protects network communication but does not prevent administrators or system operators from accessing sensitive data during processing.
D is correct: Confidential computing is the correct answer because it protects data while it is being processed in memory by using hardware-based trusted execution environments (TEEs). In confidential computing, sensitive workloads run inside secure enclaves that isolate the data from the operating system, hypervisor, and cloud administrators. The data remains encrypted or otherwise protected even during computation, preventing privileged users or compromised infrastructure components from accessing it. Security architecture guidance highlights confidential computing as a key technology for protecting highly sensitive workloads processed in cloud environments.
Correct Answer: B
A is incorrect: Performing routine tabletop exercises. Tabletop exercises are discussion-based activities where participants walk through disaster scenarios and review roles, responsibilities, and response procedures. While these exercises improve coordination and awareness of disaster recovery procedures, they do not actually test technical components such as replication mechanisms or system failover functionality. In this scenario, the issue occurred because data replication had not been successfully occurring for six months, which would not be detected during a purely theoretical exercise. Therefore, tabletop exercises would not effectively prevent this issue.
B is correct: Implementing scheduled, full interruption tests. This is the correct answer because full interruption testing involves shutting down the primary production environment and running operations entirely from the disaster recovery site. This type of testing validates the complete failover process, including data replication, application functionality, and operational readiness. Because the scenario highlights that replication had silently failed for six months, performing regular full interruption tests would have exposed the replication failure well before a real disaster occurred. Disaster recovery best practices emphasize periodic operational testing to ensure systems, data synchronization, and recovery procedures function as expected.
C is incorrect: Backing up system log reviews. Reviewing or backing up system logs may help identify operational issues or provide historical records of system behavior, but it does not actively test the disaster recovery process or confirm that replication mechanisms are functioning correctly. While log monitoring could potentially reveal replication errors, it relies on administrators proactively detecting and interpreting alerts. This approach is not as reliable as performing a full operational test that validates the entire recovery process end-to-end.
D is incorrect: Performing department disaster recovery walk-throughs. Walk-throughs involve reviewing procedures and ensuring departments understand their responsibilities during disaster recovery events. Similar to tabletop exercises, they are primarily procedural and administrative in nature. They do not test the actual technical systems, infrastructure failover, or data replication processes. Since the outage resulted from a technical failure in replication, a procedural walk-through would not detect or prevent this issue.
Correct Answer: C
A is incorrect: IDEA-CBC is an older symmetric encryption algorithm operating in Cipher Block Chaining mode. While historically important, IDEA is not commonly used in modern TLS implementations and is not optimized for modern streaming or mobile workloads. CBC-mode ciphers are also more vulnerable to certain attack classes and are less efficient in modern secure communication protocols. Additionally, IDEA does not align well with the performance and efficiency improvements required by TLS 1.3 implementations. Therefore, it does not meet the requirements for improved CPU and memory efficiency.
B is incorrect: AES-GCM is a widely adopted authenticated encryption cipher used in many TLS implementations. It performs very efficiently when hardware acceleration (such as AES-NI) is available. However, on systems without hardware acceleration—such as mobile devices or lightweight platforms—AES-GCM can consume more CPU resources and may not perform as efficiently. Since the scenario emphasizes lower RAM usage and higher CPU efficiency, particularly for large-scale media broadcasting environments, another cipher suite may be better optimized for these conditions.
C is correct: ChaCha20-Poly1305 is an authenticated encryption algorithm designed to provide strong security while being highly efficient on systems without specialized cryptographic hardware. It requires relatively low memory usage and performs well on general-purpose CPUs, making it particularly suitable for mobile devices, streaming platforms, and high-performance web services. TLS 1.3 supports ChaCha20-Poly1305 as a modern cipher suite, and it is commonly used in environments where CPU efficiency and reduced resource consumption are important. Because the scenario requires improved CPU efficiency, lower RAM usage, and compatibility with TLS 1.3 for streaming workloads, ChaCha20-Poly1305 is the best choice.
D is incorrect: Camellia-CBC is a symmetric encryption algorithm similar to AES in strength but less widely adopted in modern TLS deployments. Like other CBC-mode ciphers, it lacks the performance and security advantages of modern authenticated encryption modes used in TLS 1.3. CBC-based ciphers are generally being phased out in favor of AEAD ciphers that provide integrated authentication and encryption. As a result, Camellia-CBC would not meet the efficiency and modern protocol requirements described in the scenario.
Correct Answer: B
A is incorrect: Rebooting all domain controllers would be a disruptive action that affects the entire authentication infrastructure of the organization. This response does not directly address the compromised endpoint performing data exfiltration and could introduce additional operational instability. Incident response guidance emphasizes targeted containment measures rather than broad disruptive actions that impact critical infrastructure unnecessarily.
B is correct: Isolating the endpoint from the network is a containment action designed to immediately stop malicious communication between the compromised system and external destinations. By removing the endpoint’s network connectivity or placing it in a quarantine VLAN, the SOC can halt ongoing data exfiltration while preserving the system for forensic investigation. CASP incident response guidance identifies isolation as a key containment step used to prevent further damage while analysts investigate the compromise.
C is incorrect: Deleting old backups would reduce the organization’s ability to recover from incidents such as ransomware or data corruption. This action provides no benefit in stopping active exfiltration and could significantly worsen the organization’s resilience posture. Proper incident response procedures emphasize preserving recovery capabilities rather than removing them.
D is incorrect: Disabling SIEM parsing would reduce visibility into security events by preventing logs from being processed and analyzed by monitoring systems. This would hinder detection and investigation capabilities rather than help contain the incident. Effective incident response requires maintaining or enhancing monitoring capabilities, not disabling them.
Select all that apply
Correct Answers: A, C
A is correct: Security Assertion Markup Language (SAML) is a widely adopted authentication and federation standard that enables a web application (service provider) to rely on a trusted third-party identity provider for user authentication. This directly satisfies the requirement that the initial login should rely on an external trusted entity. SAML is commonly used in enterprise single sign-on (SSO) environments and is supported by many identity providers and web services. Because it allows authentication to be delegated to a trusted third party while maintaining strong interoperability, SAML satisfies the requirement for using well-supported standards and external authentication.
B is incorrect: Kerberos is a network authentication protocol primarily used within internal enterprise environments, especially in Active Directory domains. It relies on a trusted ticket-granting system but is generally designed for internal network authentication rather than web-based third-party identity federation. Additionally, Kerberos tickets typically have short lifetimes and require frequent renewal. Because the scenario requires integration with an external trusted third party and long-term authentication maintenance, Kerberos is not the best option.
C is correct: JSON Web Tokens (JWT) are compact, digitally signed tokens used to transmit authentication and authorization information securely between systems. JWTs are widely used in modern web authentication frameworks because they allow session information to be stored in a token that can be validated without maintaining server-side session state. JWTs can be configured with extended expiration times, enabling authentication sessions to persist for long durations such as several months. When used alongside identity federation systems like SAML or OAuth providers, JWTs allow the application to maintain login sessions efficiently. Therefore, JWT satisfies the requirement for maintaining authentication for extended periods.
D is incorrect: RADIUS is a protocol commonly used for centralized authentication, authorization, and accounting (AAA) in network access control scenarios such as VPN or wireless network authentication. While RADIUS supports centralized authentication, it is not typically used as a web authentication federation standard for web applications. Additionally, it is not designed to support long-lived web application sessions. Therefore, it does not best meet the requirements described.
E is incorrect: Extensible Authentication Protocol (EAP) is a framework used primarily for network authentication, especially in wireless networks and network access control environments. EAP allows multiple authentication mechanisms to operate within network protocols such as 802.1X. However, it is not typically used as a web application authentication method relying on external identity providers. As a result, it does not satisfy the requirements of the scenario.
F is incorrect: Remote attestation is a security technique used to verify the integrity and trustworthiness of a remote system or device, often through trusted platform modules or hardware security features. While it can confirm that a system has not been tampered with, it is not designed to provide user authentication or web login functionality. Therefore, remote attestation does not meet the authentication requirements described in the scenario.
Correct Answer: A
A is correct: FIDO2 security keys implement phishing-resistant authentication using public key cryptography and origin binding. The private key remains securely stored on the hardware authenticator and authentication is tied to the legitimate domain, preventing attackers from successfully replaying credentials on malicious websites. Because authentication requires both possession of the hardware key and user verification (such as PIN or biometrics), it satisfies strong multifactor authentication requirements while significantly reducing the effectiveness of phishing attacks. CASP identity and authentication guidance highlights hardware-backed authentication methods as stronger alternatives to traditional OTP-based MFA.
B is incorrect: SMS OTP delivers one-time passcodes through text messages to a registered phone number. Although this is technically a second authentication factor, it is vulnerable to phishing, SIM-swapping attacks, and interception. Attackers can trick users into revealing the code through phishing pages or social engineering, making SMS-based MFA significantly weaker than modern phishing-resistant methods.
C is incorrect: Knowledge questions (security questions) rely on something the user knows, such as personal information. These answers are often easily discoverable through social media, data breaches, or public records. Because they are knowledge-based and static, they do not provide strong multifactor protection and are not resistant to phishing or credential harvesting.
D is incorrect: Shared email codes involve sending authentication codes to an email account. This approach is weak because email accounts themselves may already be compromised, and users can be tricked into entering the code on phishing pages. Additionally, shared email access removes accountability and weakens identity assurance. CASP identity management principles emphasize stronger authentication mechanisms that resist interception and social engineering.
Correct Answer: A
A is correct: Digital signatures provide both integrity verification and sender authentication, which directly satisfies the requirement described. A digital signature uses asymmetric cryptography where the sender signs a file using a private key, and the receiver verifies the signature using the sender’s public key. This process ensures that the file has not been altered (integrity) and confirms the identity of the sender (authentication and nonrepudiation). CASP+ materials emphasize digital signatures as a mechanism for verifying both the origin and integrity of transmitted files.
B is incorrect: A message hash is a one-way cryptographic function that produces a fixed-length value representing the contents of a file. Hashing ensures integrity by allowing a recipient to recompute the hash and compare it with the original value. However, hashing alone does not verify the identity of the sender because anyone can generate the same hash value from the same file. Therefore, it does not meet the requirement to validate both the file integrity and the sender.
C is incorrect: Message digest is essentially another term for the output of a cryptographic hash function. Like a hash, it can be used to detect modifications to data but does not authenticate the sender of the file. Without a mechanism tying the digest to the sender’s identity, the receiver cannot confirm who created the file. Thus, it fails to satisfy the sender verification requirement.
D is incorrect: Message authentication codes (MACs) combine a hash function with a shared secret key to provide integrity and authentication. However, MACs rely on symmetric keys shared between the sender and receiver. In environments where multiple parties exchange files, this approach becomes difficult to manage and does not provide nonrepudiation because both parties possess the same key. Digital signatures are preferred in such scenarios because they allow verification using public keys without sharing secret keys.
Select all that apply
Correct Answers: B, C
A is incorrect: Document interpolation refers to reconstructing or approximating document structure when partial data is available. While interpolation techniques can sometimes assist with document analysis, they are not a standard capability required for identifying sensitive text in documents that contain both textual and image-based information. Therefore, it does not directly address the requirement to fully read and analyze the document contents for sensitive text.
B is correct: Regular expression (regex) pattern matching enables a DLP solution to identify structured sensitive data within text, such as credit card numbers, Social Security numbers, account identifiers, and other formatted patterns. CASP+ data protection guidance highlights regex as a common technique used by DLP systems to detect sensitive information within documents, emails, and data repositories. Regex allows the system to scan textual content for specific patterns that match defined sensitive data formats.
C is correct: Optical Character Recognition (OCR) is necessary to extract readable text from images embedded in documents. Since the documents contain both text and images, sensitive information may appear within scanned images or image-based documents. OCR converts image-based text into machine-readable text so that the DLP engine can analyze it for sensitive data patterns. CASP+ materials identify OCR as a key capability when scanning image-based content for data loss prevention purposes.
D is incorrect: Baseline image matching compares images against known image signatures or previously stored image baselines. This functionality can detect identical or similar images but does not convert images into text that can be analyzed for sensitive information. Therefore, it does not enable the DLP system to read textual content embedded within images.
E is incorrect: Advanced rasterization converts documents into image-like formats for rendering or secure viewing. While rasterization can help prevent editing or copying content in certain scenarios, it does not assist with extracting text from images or identifying sensitive data patterns within documents. As such, it is not required for scanning documents containing both text and images.
F is incorrect: Watermarking embeds visible or invisible identifiers into documents to track ownership or distribution. While watermarking can help identify document origin or detect unauthorized sharing, it does not assist a DLP solution in reading or analyzing sensitive text within documents. Therefore, it is unrelated to the requirement described in the scenario.
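The regex pattern-matching stage described for option B, as an added example that is not part of the original answer explanations: it scans text (already extracted, for instance by OCR) for card-number and SSN formats, and applies a Luhn checksum so that digit runs which merely look like card numbers are not reported. The sample text, the pattern set and the `Finding` type are constructed for this illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input (not from the page): one valid test card number,
# one card-shaped number that fails Luhn, one SSN, and numeric noise.
SAMPLE_TEXT = """Invoice 2024-0007
Card on file: 4111 1111 1111 1111 (expires 09/27)
Ref number: 1234 5678 9012 3456
Employee SSN: 123-45-6789
Order total: 12345678901234
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # which pattern matched
    value: str   # the matched text as it appears in the document
    start: int   # character offset, used for redaction and reporting


# The card pattern is deliberately loose (digits with optional spaces or
# dashes); a Luhn check below discards numbers that only look like cards.
# The SSN pattern excludes area/group/serial values that are never issued.
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[Finding]:
    """Return all validated sensitive-data matches, ordered by position."""
    findings: list[Finding] = []
    for m in PATTERNS["credit_card"].finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # regex already bounds the length to 13..19
            findings.append(Finding("credit_card", m.group(), m.start()))
    for m in PATTERNS["ssn"].finditer(text):
        findings.append(Finding("ssn", m.group(), m.start()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Mask each finding in place, keeping the last four characters for triage."""
    out = text
    # Replace from the end so earlier offsets stay valid.
    for f in sorted(scan_text(text), key=lambda f: f.start, reverse=True):
        masked = "*" * (len(f.value) - 4) + f.value[-4:]
        out = out[: f.start] + masked + out[f.start + len(f.value):]
    return out


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"{f.kind:12s} at {f.start:4d}: {f.value}")
    print(redact(SAMPLE_TEXT))
```

The Luhn step is what keeps the invoice reference on the third line out of the findings while the genuine card number on the second line is reported.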
Correct Answer: A
A is correct: Determining the scope of the risk assessment is the primary reason for defining the security boundary. The security boundary establishes the limits of the system, environment, or assets being evaluated, including the systems, data, processes, and interfaces that fall within the assessment. By clearly defining this boundary, the risk practitioner ensures that the assessment focuses only on relevant assets and interactions, preventing scope creep and enabling a structured evaluation of risks affecting that environment. Establishing the boundary is therefore a foundational step that determines exactly what will be analyzed during the risk assessment.
B is incorrect: Determining the business owner(s) of the system may occur during governance or asset management processes, but it is not the primary purpose of defining a security boundary. Ownership helps assign accountability for risk decisions and remediation, yet it does not define the technical or organizational limits of the environment being assessed. Therefore, while ownership may be documented during risk management activities, it is not the main reason for establishing the boundary.
C is incorrect: Deciding between conducting a quantitative or qualitative analysis relates to the risk assessment methodology chosen by the organization. This decision is typically influenced by factors such as available data, risk management maturity, and organizational policy rather than the technical boundary of the system being assessed. Defining the security boundary does not determine which analytical method will be used.
D is incorrect: Determining which laws and regulations apply may depend on the types of data, geographic location, and industry sector involved in the system. While defining the boundary could indirectly help identify applicable regulatory requirements, compliance analysis is not the primary reason the boundary is established. The main objective remains identifying the systems and assets included in the risk assessment scope.
