Pass the CompTIA CompTIA Security+ SY0-701 Questions and answers with CertsForce

The best answer is C. Isolation.

The question describes an application that can no longer be patched, meaning the organization must continue operating it while accepting some risk. To reduce exposure, the application should only be used by a limited number of network services. This points to isolation, which means restricting the application’s interaction with the rest of the environment to contain risk.

Isolation is commonly used for:

legacy systems

unsupported applications

unpatchable systems

high-risk services that must remain operational

By isolating the application, the organization limits the paths through which it can be attacked and reduces the chance that a compromise will spread to other systems.

Why the other options are incorrect:

A. PatchingThe question clearly states that no additional patches can be applied.

B. SegmentationSegmentation is related and often used as a method to isolate systems, but the question asks for the best description of the mitigation approach overall. Since the application is being restricted because it is risky and unpatchable, isolation is the stronger answer.

D. MonitoringMonitoring helps detect issues but does not directly reduce exposure in the way described.

From the SY0-701 perspective, when a vulnerable or unsupported application must remain in use, the preferred mitigation is often to isolate it from the broader environment. Therefore, C is the best answer.

A partially known environment is a type of penetration test where the tester has some information about the target, such as the IP address, the operating system, or the device type. This can help the tester focus on specific vulnerabilities and reduce the scope of the test. A partially known environment is also called a gray box test1.

Encrypting hard drives is a direct implementation of confidentiality, one of the three pillars of the CIA Triad emphasized in CompTIA Security+ SY0-701. Full disk encryption ensures that if a laptop, workstation, or server drive is stolen or accessed without authorization, the data remains unreadable without the decryption key.

This controls unauthorized disclosure and protects sensitive business, financial, and personal information. Drive encryption is widely required for compliance frameworks such as HIPAA, PCI-DSS, and GDPR.

Integrity (A) refers to preventing unauthorized modification of data, which encryption alone does not guarantee. Authentication (B) confirms user identity, such as passwords or biometrics, but is unrelated to data-at-rest protection. Zero Trust (C) is an architectural model requiring constant verification; it is not a control for hard drive encryption.

Since the sole purpose of encrypting storage is to ensure data confidentiality, the correct answer is D.

Detailed Explanation:The correct sequence is to first establish secure baselines by determining the required configurations, deploy those configurations across systems, and finally maintain the configurations through regular updates and auditing. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 4: Security Operations, Section: " Secure Baseline Development " ​​.

The best solution is Mobile Device Management (MDM), which allows IT administrators to centrally configure, update, and push applications or settings to company-owned devices. When employees report missing features or misconfigurations, MDM platforms enable rapid remote remediation, policy enforcement, patch distribution, and application deployment—all of which can be completed within the 48-hour requirement.

Security+ SY0-701 emphasizes MDM as the primary tool for ensuring consistent configuration baselines, enforcing security restrictions, deploying apps, and preventing unauthorized changes on mobile devices.

EDR (A) provides threat detection, not configuration restoration.

COPE (B) is a device ownership model (Corporate Owned, Personally Enabled); it does not solve configuration issues.

FDE (D) encrypts storage, unrelated to missing features.

Therefore, C: MDM is the correct answer.

Full disk encryption (A)ensures that data stored on the device is protected even if the device is physically stolen. This is a fundamental security control for end-user devices, especially laptops and mobile devices, to prevent data breaches.

Endpoint protection (D)refers to anti-malware, antivirus, and host-based firewall solutions that safeguard end-user devices from malware, ransomware, and unauthorized access.

These measures are explicitly referenced in theCompTIA Security+ SY0-701exam objective2.2: Given a scenario, apply security concepts in support of organizational risk mitigationunderDevice hardening.

A statement of work (SOW) is a document that defines the scope, objectives, deliverables, timeline, and costs of a project or service. It typically includes an estimate of the number of hours required to complete the engagement, as well as the roles and responsibilities of the parties involved. A SOW is often used for penetration testing projects to ensure that both the client and the vendor have a clear and mutual understanding of what is expected and how the work will be performed. A business partnership agreement (BPA), a service level agreement (SLA), and a non-disclosure agreement (NDA) are different types of contracts that may be related to apenetration testing project, but they do not include an estimate of the number of hours required to complete the engagement. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 492; What to Look For in a Penetration Testing Statement of Work?

Operations security (OPSEC) focuses on identifying and protecting sensitive information to prevent unauthorized disclosure. In this scenario, the HR employee failed to safeguard confidential company information, leading to its exposure on social media.

Training in OPSEC would reinforce the need to maintain security best practices, such as locking screens when away from a device and ensuring that sensitive data is not exposed in unsecured locations.

Hybrid work environmentpolicies relate to managing remote and in-office work but do not specifically cover security risks like unauthorized data exposure.

Data loss prevention (DLP)deals with technology-based solutions to prevent unauthorized data transfers but does not address physical security practices.

Social engineeringrefers to deceptive tactics used by attackers to manipulate individuals, which is not applicable to this situation.

The HR employee should reviewoperations securitypolicies to prevent similar incidents in the future.

Detailed Explanation:Privacy data includes information such as Personally Identifiable Information (PII), which relates to employees ' or customers ' personal data. Organizations often maintain policies and standards specifically addressing how such sensitive information should be handled. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 5: Security Program Management, Section: " Data Types and Classifications " ​​.

" Typosquatting, also known as URL hijacking, is a form of cybersquatting where attackers register domain names that are intentionally similar to legitimate ones, often differing by a single character or a common typographical error. For example, an attacker might register ' wwww.company.com ' to mimic ' www.company.com, ' tricking users who mistype the URL into visiting a malicious site. This attack exploits human error and can be used to steal credentials, distribute malware, or impersonate the legitimate entity. "

A vulnerability scan is the most likely method to identify legacy systems. These scans assess an organization ' s network and systems for known vulnerabilities, including outdated or unsupportedsoftware (i.e., legacy systems) that may pose a security risk. The scan results can highlight systems that are no longer receiving updates, helping IT teams address these risks.

Bug bounty programs are used to incentivize external researchers to find security flaws, but they are less effective at identifying legacy systems.

Package monitoring tracks installed software packages for updates or issues but is not as comprehensive for identifying legacy systems.

Dynamic analysis is typically used for testing applications during runtime to find vulnerabilities, but not for identifying legacy systems​​.

Intellectual property is a type of data that consists of ideas, inventions, designs, or other creative works that have commercial value and are protected by law. Employees in the research and development business unit are most likely to use intellectual property data in their day-to-day work activities, as they are involved in creating new products or services for the company. Intellectual property data needs to be protected from unauthorized use, disclosure, or theft, as it can give the company a competitive advantage in the market. Therefore, these employees receive extensive training to ensure they understand how to best protect this type of data. References = CompTIA Security+ SY0-701 Certification Study Guide, page 90; Professor Messer’s CompTIA SY0-701 Security+ Training Course, video 1.2 - Security Concepts, 7:57 - 9:03.

Software as a Service (SaaS) is the cloud model that best meets the goal of outsourcing the management, including patching, of firmware, operating systems, and applications to the cloud vendor. In a SaaS environment, the cloud provider is responsible for maintaining and updating the entire software stack, allowing the organization to focus on using the software rather than managing its infrastructure.

References = CompTIA Security+ SY0-701 study materials, particularly the domains related to cloud security models​​.