IBM Security Foundations Practice Exam 2025: Latest Questions
Test your readiness for the IBM Security Foundations certification with our 2025 practice exam. Featuring 25 questions based on the latest exam objectives, this practice exam simulates the real exam experience.
Why Take This 2025 Exam?
Prepare with questions aligned to the latest exam objectives
2025 Updated
Questions based on the latest exam objectives and content
25 Questions
A focused practice exam to test your readiness
Mixed Difficulty
Questions range from easy to advanced levels
Exam Simulation
Experience questions similar to the real exam
Practice Questions
25 practice questions for IBM Security Foundations
A new security analyst is asked to explain the primary goal of the CIA triad to non-technical stakeholders. Which description BEST matches the CIA triad?
A company wants to reduce the risk of password reuse and phishing for a SaaS application. Which control MOST directly addresses this requirement?
A security team needs to protect data transmitted between a mobile app and a web API from interception on public Wi-Fi. Which technology should be used?
During an incident, the incident commander asks for actions that will preserve evidence for potential legal review. Which action is BEST aligned with evidence preservation?
A company is adopting least privilege for administrative access to cloud resources. Which approach BEST implements this principle?
A network engineer implemented a firewall rule to block inbound traffic to a database server, but the database is still reachable from the internet. Which is the MOST likely explanation?
A security analyst is tuning a SIEM and wants to prioritize detections that reduce false positives while still identifying real threats. Which strategy is MOST effective?
A security architect is designing a layered defense for a web application exposed to the internet. Which design BEST reflects defense-in-depth?
An organization suspects an attacker is using valid credentials to access resources. They want to reduce risk without disrupting normal user activity. Which control is MOST appropriate to detect and limit this behavior?
A security team is responding to a ransomware incident affecting several endpoints. They have isolated the devices and identified the initial infection vector. What should be the NEXT best step to support effective recovery while reducing reinfection risk?
A security team wants to quickly explain to non-technical stakeholders why a strong security program needs multiple layers (people, process, and technology) rather than a single tool. Which security principle best supports this message?
A new employee must access only the applications required for their role. The manager wants permissions to be granted based on job function to reduce administrative overhead. Which approach best meets this requirement?
A user reports that an internal web application loads, but their browser shows a certificate warning stating the certificate is not trusted. Other users do not see this warning. What is the MOST likely cause?
A company is implementing data classification and wants a control that ensures sensitive data cannot be read if a laptop is stolen, even if the attacker removes the disk. Which control BEST addresses this risk?
An organization wants to reduce password reuse risk by integrating its on-prem directory with multiple SaaS applications so users authenticate once and then access authorized apps. Which capability is being implemented?
A SOC receives an alert that a privileged account executed a large number of failed logins followed by a successful login from a new country within minutes. What is the BEST next step according to common incident handling practices?
A team needs to allow a vendor to access a specific internal application for 30 days. The security requirement is to minimize long-term risk and ensure access automatically expires. Which approach BEST meets the requirement?
A security architect is designing controls to prevent attackers from moving laterally if one workstation is compromised. Which network design choice BEST supports this goal?
During an incident, an analyst needs to build a reliable timeline of actions taken on a critical server. Which practice MOST helps ensure the collected logs are trustworthy and admissible for internal investigations?
A company is adopting a Zero Trust approach. A project team proposes allowing any device on the corporate network to access internal APIs without authentication because the network is "trusted." Which statement BEST reflects Zero Trust guidance?
A security analyst needs to ensure that if one internal system is compromised, an attacker cannot easily move laterally to critical databases. Which architectural approach best supports this goal?
A developer reports that an internal web application is "secure" because it uses HTTPS. A security engineer explains that encryption alone does not ensure that users are who they claim to be. Which control best addresses the engineer’s concern?
A company needs to share a quarterly report containing sensitive financial data with an external auditor. The auditor must be able to prove the document was not altered after it was sent. Which approach best provides this assurance?
An organization uses role-based access control (RBAC) for a finance application. A new employee is assigned multiple roles and can now both create vendors and approve payments, which violates policy. What is the best IAM control to prevent this situation?
A SOC is tuning alerting rules and notices many repeated alerts from the same endpoint over several hours. Analysts suspect it may be a slow, stealthy attack rather than isolated events. Which capability would MOST help correlate these events into a single incident for investigation?
IBM Security Foundations 2025 Practice Exam FAQs
IBM Security Foundations is a professional certification from IBM that validates expertise in IBM Security Foundations technologies and concepts. The official exam code is A1000-060.
The IBM Security Foundations Practice Exam 2025 includes updated questions reflecting the current exam format, new topics added in 2025, and the latest question styles used by IBM.
Yes, all questions in our 2025 IBM Security Foundations practice exam are updated to match the current exam blueprint. We continuously update our question bank based on exam changes.
The 2025 IBM Security Foundations exam may include updated topics, revised domain weights, and new question formats. Our 2025 practice exam is designed to prepare you for all these changes.