COMPTIA · SECURITY+ · STUDY GUIDE · DOMAIN 5 · FINAL 20%
Domain 5: Security Program Management & Oversight
The last 20% of the exam — and the one Security+ rewards most. Governance sets direction, risk drives prioritization, vendors are risk, compliance is the floor, audits verify, and humans are the control that ships daily. Finish here and all five domains are in scope.
Exam weight: 20% · Objectives: 6 · Read time: ~55m · Exam code: SY0-701
01 Key Concepts at a Glance
Six Ideas That Drive Every Domain 5 Question
Program management is the layer that turns controls into governance. Master these six and you can reason through any Domain 5 scenario — policy, risk, vendors, compliance, audits, and awareness.
Policy Is Direction, Standards Are Rules
Policy → Standard → Procedure → Guideline. One is mandatory and broad, one is mandatory and specific, one is step-by-step, one is advisory.
“If the document says ‘should’ instead of ‘shall,’ it’s a guideline — not enforceable. Exam questions use that language on purpose.”
GDPR, HIPAA, PCI DSS, SOX, GLBA. Controller vs processor, data subject rights, due care vs due diligence. Meeting the reg is not the same as being secure.
“Due diligence = investigate before you decide. Due care = act like a prudent person would. Doing one without the other is where lawsuits live.”
Internal vs external audits, attestation, black/gray/white box pen tests, red/blue/purple teams, passive vs active recon.
“Looking up LinkedIn profiles and DNS records is passive recon. Running a port scan is active. Any interaction with the target = active. Memorize the line.”
Policy Hierarchy — Four Documents, Four Jobs (5.1)

| Document | What It Does | Language Signal |
|---|---|---|
| Policy | High-level management intent. Broad, mandatory, rarely changes. Approved by executives. | “Shall protect customer data.” Mandatory, not prescriptive. |
| Standard | Specific, mandatory implementation. Supports a policy. Measurable and auditable. | “AES-256 for data at rest. TLS 1.2 minimum.” Mandatory + specific. |
| Procedure | Step-by-step how-to. Makes standards executable for operators. | “1. Open console. 2. Click. 3. Verify.” Instructions, not intent. |
| Guideline | Advisory, recommended. Not enforceable; suggests best practice. | “Should prefer passwordless where available.” “Should,” not “shall.” |
02 Diagnostic Quiz
Find Out Where to Start
7 questions across Domain 5 — including the SLE/ARO/ALE math. See which objectives need the most work.
03 Objective Navigator
6 Objectives — Pick Your Path
Each lesson teaches through real scenarios — concept, textbook, hard choice, exam signal. Start anywhere or go in order. Completed lessons show a checkmark.
Governance drills and adaptive quizzes — Coming Soon
TJS Platform will have risk-register simulators, policy-vs-standard puzzles, vendor SOC 2 scenarios, and AI-powered explanations for every Domain 5 objective.
04 Memory Aids
Learn It, Test It, Lock It In
Each card has 3 layers. Click to advance: mnemonic → scenario challenge → answer + exam tip.
Risk Response — TAAM
Transfer · Accept · Avoid · Mitigate
Four options, always. Insurance transfers; signing a risk acceptance accepts; killing the project avoids; a control mitigates.
Scenario
A rarely-used internal app has a known vuln. Patching breaks the app. The business buys a $5K annual cyber-insurance rider covering the data loss scenario. Which risk response is that?
Answer
Transfer. Insurance shifts the financial consequence to a third party. You still own the vulnerability; you’ve just moved the loss exposure.
Exam tip: “insurance,” “hand to vendor,” “contract it out” = Transfer. “Document and sign off” = Accept. “Decommission, stop doing it” = Avoid. “Patch, control, fix” = Mitigate.
SLE / ARO / ALE
SLE = AV × EF · ALE = SLE × ARO
Asset Value × Exposure Factor = Single Loss Expectancy. Times Annualized Rate of Occurrence = Annualized Loss Expectancy.
Scenario
Database server value $200,000. A ransomware event would destroy 60% of value. Historical rate: once every 4 years (ARO = 0.25). What is the ALE?
Answer
$30,000. SLE = $200,000 × 0.60 = $120,000. ALE = $120,000 × 0.25 = $30,000. Any control costing less than $30K per year has a positive ROI.
Exam tip: ARO is annualized, so “every 4 years” is 0.25. “Twice a year” is 2. Memorize that conversion cold.
Each contract exists for a specific legal purpose. Exam loves mixing MOU (soft) with MOA (firm).
Scenario
Two departments agree to share logging infrastructure. Legal needs a non-binding expression of intent before a formal deal is drafted. Which document fits?
Answer
MOU — Memorandum of Understanding. Non-binding statement of intent. If obligations become enforceable, it’s an MOA (Memorandum of Agreement).
Exam tip: MOU = intent, not binding. MOA = binding obligations. “No legal enforceability” is the language that signals MOU.
Controller vs Processor
Controller decides · Processor executes
GDPR vocabulary. The controller defines purpose and means; the processor handles data on the controller’s behalf under contract.
Scenario
Your employer uses a SaaS HR system to manage employee records. The SaaS vendor processes the records per your instructions. Under GDPR, what role is the SaaS vendor?
Answer
Processor. The employer decides why and how the data is used (controller). The vendor executes on those instructions under a Data Processing Agreement (processor).
Exam tip: “on behalf of” is the tell. Whoever decides purpose and means is the controller; whoever acts on instruction is the processor.
Pen Test Box Colors
Black = blind · Gray = partial · White = full
Box color = how much info the tester gets before starting. Not to be confused with hat color or team color.
Scenario
A pen tester is given domain credentials, network diagrams, and source code before starting the engagement. Which box color does that represent?
Answer
White box. Full knowledge. Black box = no info (mimics external attacker). Gray box = some credentials or docs (mimics insider or post-breach attacker).
Exam tip: box = information level. Team = exercise role (red attack, blue defense, purple collaborate). Hat = ethical stance (white / gray / black). Three different vocabularies.
Awareness programs classify anomalies by intent. Response depends on which bucket.
Scenario
An engineer disables EDR on their laptop because “it slows my build.” What category is that behavior?
Answer
Risky. It’s a deliberate policy violation — they knew the rule and chose to bypass it. Unintentional would be an accidental click; unexpected would be a novel pattern no one predicted.
Exam tip: risky = intent to bypass. Unexpected = no malice, just new. Unintentional = accident. Response differs: coaching, monitoring, retraining.
The Management-Hat Rule — Exam Strategy
Domain 5 is the think-like-a-manager domain. Technical fixes are rarely the right answer here — the right answer usually involves a document, a process, a signature, or a conversation. When a scenario mentions budget, legal, vendors, regulators, or culture, the correct choice is almost always governance-flavored: policy update, risk register entry, DPA amendment, awareness program change, or a formal risk response (TAAM). Reach for the contract before you reach for the firewall.
01
Scenario
A server room in a coastal office building faces a flood risk. Asset value $100K. Exposure factor 40%. Historical flood frequency: once every 10 years. A vendor proposes a $50K raised-floor and drainage system with a 20-year lifespan. What is the risk-appropriate response?
× Purchase the $50K mitigation — flood risk is real
ALE = $100K × 0.40 × 0.10 = $4K per year. Control cost amortized is $2.5K/year but total capex is $50K; cheaper controls likely exist.
✓ Document the $4K ALE in the risk register; evaluate cheaper options (insurance rider, moving to colo, raised-rack). Management signs acceptance if residual risk stays within tolerance.
Quantified risk → cost-justified response. Don’t spend $50K to prevent $4K. Transfer via insurance, avoid by relocation, or mitigate cheaply — then accept the remainder with a signature.
× Ignore the risk — it hasn’t happened in 8 years
Undocumented, undefended risk is not acceptance — it’s negligence. Acceptance requires documentation and signature authority.
× Escalate to the board — all risks need executive sign-off
Only risks above the defined tolerance threshold go to the board. A $4K ALE in a company with a $500K cyber budget typically does not.
Principle: Quantify first. Spend is justified by ALE vs control cost. Accept with documentation; don’t spend more than you save.
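The SLE/ARO/ALE memory aid, Scenario 01 above, and Q2 in the self-check quiz all run the same arithmetic, so here is one worked example that carries it through in code. This is an added example, not part of the study guide: it sizes a risk with the guide's formulas (SLE = AV × EF, ALE = SLE × ARO), annualizes a one-time control purchase over its lifespan, and then compares the TAAM responses by total annual cost (control cost plus the loss the control does not prevent) against a risk-tolerance threshold. The $100K / 40% / once-per-10-years / $50K / 20-year figures come from Scenario 01; the $5K tolerance, the $1,200 insurance premium, the 90% coverage share, and the assumption that the raised floor removes the whole ALE are constructed sample values.

```python
"""Quantitative risk sizing with the guide's formulas: SLE = AV x EF, ALE = SLE x ARO.

Added example, not part of the study guide. It carries the ALE memory-aid scenario,
Scenario 01 (the flood) and Q2 through the same functions, then compares candidate
risk responses (TAAM) by total annual cost under a risk-tolerance threshold.
All dollar figures for the candidate responses are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV: what the asset is worth, in dollars
    exposure_factor: float   # EF: fraction of AV lost in one event (0.0 - 1.0)
    aro: float               # ARO: expected events per year

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF, rounded to cents."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO, rounded to cents."""
        return round(self.sle() * self.aro, 2)


def aro_from_interval(years_between_events: float) -> float:
    """'Once every N years' -> 1/N events per year (the annualization step the exam tests)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


@dataclass(frozen=True)
class ResponseOption:
    """One TAAM response, costed per year so it can be compared with the ALE."""
    name: str
    response: str            # "mitigate", "transfer", "avoid" or "accept"
    annual_cost: float       # premium, or capex spread over lifespan plus opex
    ale_reduction: float     # share of the ALE the option removes (0.0 - 1.0)


def annualized_cost(capex: float, lifespan_years: float, annual_opex: float = 0.0) -> float:
    """Spread a one-time control purchase over its useful life."""
    return round(capex / lifespan_years + annual_opex, 2)


def residual_ale(risk: Risk, option: ResponseOption) -> float:
    """Expected yearly loss that remains after the option is applied."""
    return round(risk.ale() * (1.0 - option.ale_reduction), 2)


def total_annual_cost(risk: Risk, option: ResponseOption) -> float:
    """What the organisation expects to pay per year: the control plus the loss it leaves."""
    return round(option.annual_cost + residual_ale(risk, option), 2)


def choose_response(risk: Risk, options: list, tolerance: float) -> dict:
    """Pick the cheapest option whose residual ALE stays within tolerance.

    Plain acceptance (documented sign-off, no spend) is always a candidate. If no
    option keeps residual risk within tolerance, the entry is flagged for
    escalation rather than silently accepted.
    """
    accept = ResponseOption("accept as-is (documented sign-off)", "accept", 0.0, 0.0)
    candidates = list(options) + [accept]
    within = [o for o in candidates if residual_ale(risk, o) <= tolerance]
    if not within:
        return {"risk": risk.name, "ale": risk.ale(), "decision": "escalate", "option": None}
    best = min(within, key=lambda o: total_annual_cost(risk, o))
    return {
        "risk": risk.name,
        "ale": risk.ale(),
        "decision": best.response,
        "option": best.name,
        "annual_cost": best.annual_cost,
        "residual_ale": residual_ale(risk, best),
        "total_annual_cost": total_annual_cost(risk, best),
    }


# Scenario 01 from the guide: coastal server room, AV $100K, EF 40%, flood once per 10 years.
FLOOD = Risk("server room flood", 100_000, 0.40, aro_from_interval(10))

# Candidate responses. The raised-floor figures ($50K capex, 20-year life) come from the
# scenario; the insurance premium and its 90% coverage share are constructed sample values,
# as is the assumption that the raised floor removes the whole ALE.
FLOOD_OPTIONS = [
    ResponseOption("raised floor + drainage", "mitigate", annualized_cost(50_000, 20), 1.0),
    ResponseOption("flood insurance rider (constructed premium)", "transfer", 1_200.0, 0.9),
]


def flood_decision(tolerance: float = 5_000.0) -> dict:
    """Risk-register decision for Scenario 01 at a constructed $5K annual tolerance."""
    return choose_response(FLOOD, FLOOD_OPTIONS, tolerance)


if __name__ == "__main__":
    print(f"SLE ${FLOOD.sle():,.2f}  ALE ${FLOOD.ale():,.2f}")
    for opt in FLOOD_OPTIONS:
        print(f"{opt.name:45} total/yr ${total_annual_cost(FLOOD, opt):,.2f}")
    print(flood_decision())
```

Running it prints SLE $40,000 and ALE $4,000 for the flood, $2,500/year for the raised floor and $1,600/year for the insurance rider, and picks the transfer. Lower the tolerance to $100 and only the full mitigation qualifies; pass an empty option list with a tolerance below $4,000 and the function returns "escalate", which is the board-level path the scenario reserves for risks above tolerance.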
02
Scenario
The Vendor Nobody Audited
A marketing team signed up for a $200/mo SaaS email tool three years ago. No security review was done. The vendor just announced a breach exposing their customer databases — your customer email list is among them. Legal asks: “How did we not catch this?” What process failure is this, and what is the appropriate remediation?
× Fire the marketing manager — they bypassed security
Individual blame doesn’t scale and doesn’t fix the process. Many SaaS signups happen this way when there’s no guardrail.
✓ Root cause: missing vendor onboarding policy + SaaS discovery control. Implement a vendor-risk-management program (SIG/CAIQ questionnaire, SOC 2 review, DPA, right-to-audit); deploy CASB/SaaS discovery; update procurement to route all SaaS through security review.
Third-party risk requires a documented process applied at acquisition, monitored in life, and re-reviewed at renewal. Tooling (CASB) + policy + procurement gate.
× Block all SaaS from the network — too risky
Blanket blocks push users to shadow IT. The problem is unmanaged acquisition, not SaaS itself.
× Rely on the vendor’s own security assertions going forward
Self-attestation without evidence (SOC 2 Type II, pen test, audit rights) is the original failure. Repeating it doesn’t fix it.
Principle: Vendor breaches are owned by you. Program maturity = discovery + assessment + contract + ongoing monitoring.
03
Scenario
The “We Passed the Audit” Trap
A healthcare provider passed its annual HIPAA compliance audit. Six months later, a phishing campaign harvested 14,000 patient records. The CEO asks: “We just passed the audit — how can we have been breached?” What is the correct framing?
× The audit was flawed — find a new auditor
Audits sample controls against requirements. They aren’t guarantees against breach and aren’t designed to be.
✓ Compliance is the floor, not the ceiling. A passing HIPAA audit means controls met the minimum required at point-in-time. Security posture depends on continuous control effectiveness, threat-model coverage, and user behavior — all beyond audit scope.
Due diligence at audit; due care every day. Many frameworks (SOC 2, HIPAA) explicitly state compliance ≠ security.
× The auditor should have caught the phishing risk
Phishing defense is a combination of technical controls (email security, MFA) + an awareness program. An audit can test that controls exist; it doesn’t guarantee user behavior.
× HIPAA doesn’t apply if the data was exfiltrated via email
PHI is PHI regardless of exfiltration vector. HIPAA breach notification (to HHS, affected individuals, and possibly media) applies.
Principle: Compliance verifies; it doesn’t protect. Pair audit posture with continuous monitoring, phishing-resilient MFA, and a mature awareness program.
Adaptive Domain 5 drills — Coming Soon
TJS Platform will track your weak areas and generate focused Program Management drills. AI Study Buddy will explain why you got it wrong.
06 Common Traps
The Tempting Wrong Answer
1. Policy vs Standard vs Guideline
Policy = broad mandatory; Standard = specific mandatory; Procedure = step-by-step; Guideline = advisory. “Should” signals guideline; “shall” signals policy/standard.
2. Compliance = Secure
A passing audit means controls met the minimum at point in time. Security is continuous. Compliance is the floor, not the ceiling.
3. MOU vs MOA
MOU = non-binding intent. MOA = binding obligations. Exam loves using “memorandum” to blur the line — read for “intent” vs “obligations.”
4. ARO Is Annualized
“Every 4 years” → ARO = 0.25, not 4. “Twice a year” → ARO = 2. Forgetting the annualization is the most common ALE math mistake.
5. Controller vs Processor Swap
Employer sets purpose (controller). SaaS vendor acts on instruction (processor). GDPR applies to both with different obligations; misclassification tanks DPAs.
6. Box vs Team vs Hat
Box = information level (black/gray/white). Team = exercise role (red/blue/purple). Hat = ethical stance (white/gray/black hacker). Three vocabularies, zero overlap.
7. Passive vs Active Recon
Passive = zero interaction with target (LinkedIn, DNS, WHOIS, Shodan cache). Active = any probe (port scan, ping, banner grab). If the target could log it, it’s active.
8. Punish the Click
Click-and-report users are a win, not a failure. Punish the click and you kill the report — then every phish runs silently. Reinforce the report.
07 Self-Check Quiz
7 Practice Questions
Select an answer, then click Check. Full adaptive quiz engine with 200+ questions coming soon on TJS Platform.
Understand · Beginner · 5.1
Q1. A security document states: “All data at rest shall be encrypted using AES-256 or stronger.” Which governance artifact is this?
A Policy
B Standard
C Procedure
D Guideline
Correct: B
Specific + mandatory = standard. Policy would state intent (“shall protect data at rest”) without naming algorithms. Procedure is step-by-step. Guideline is advisory (“should”).
Source: CompTIA SY0-701 Objectives v5.0 — 5.1
Apply · Intermediate · 5.2
Q2. A database server is valued at $400,000. A successful attack would cause 75% loss of value. Historical rate is once every 5 years. What is the Annualized Loss Expectancy (ALE)?
A $30,000
B $60,000 per year ($400K × 0.75 × 0.2)
C $300,000
D $1,500,000
Correct: B
SLE = AV × EF = $400,000 × 0.75 = $300,000. ARO = 1/5 = 0.2 per year. ALE = SLE × ARO = $300,000 × 0.2 = $60,000 per year.
Source: CompTIA SY0-701 Objectives v5.0 — 5.2
Understand · Beginner · 5.2
Q3. A company cannot patch a legacy app without breaking it, so they buy cyber-insurance covering losses from that specific vulnerability. Which risk response is this?
A Mitigate
B Accept
C Avoid
D Transfer
Correct: D
Insurance shifts financial consequence to a third party — classic transfer. Mitigation would be a technical control; acceptance would be documented sign-off with no action; avoidance would be decommissioning the app.
Source: CompTIA SY0-701 Objectives v5.0 — 5.2
Analyze · Advanced · 5.3
Q4. A procurement team wants the highest-confidence evidence that a cloud vendor’s controls operated effectively over the past year. Which artifact should they request?
A SOC 2 Type I report
B SOC 2 Type II report
C Vendor-authored security white paper
D Signed NDA alone
Correct: B
SOC 2 Type II = operating effectiveness over a period (typically 6–12 months). Type I = design at a point in time. White papers are marketing. NDAs protect secrecy; they don’t prove controls.
Q5. An EU customer requests deletion of all their personal data from a US company’s CRM. What GDPR right are they exercising, and what must happen?
A Right to access — provide a data export and keep the records
B Right to erasure (“right to be forgotten”, Article 17) — delete where legally permitted, propagate to processors
C Right to rectification — correct inaccuracies only
D No obligation — the customer is outside the US
Correct: B
GDPR Article 17 applies to any data subject in the EU regardless of processor location. Controllers must delete unless a legal-basis exception applies (tax records, litigation hold) and must propagate the request to all processors holding copies.
Q6. A pen tester uses Shodan, LinkedIn, and public DNS records to build a target profile before engagement start. Which activity is this?
A Active reconnaissance
B Passive reconnaissance
C Exploitation
D Post-exploitation
Correct: B
Passive recon = no direct interaction with target systems. Shodan caches and OSINT sources don’t touch the target. Active recon = port scans, banner grabs, any probe the target can log.
Source: CompTIA SY0-701 Objectives v5.0 — 5.5
Analyze · Advanced · 5.6
Q7. A simulated phishing campaign shows a 4% click rate and a 62% report rate among employees who saw the email. What does this pattern indicate, and how should the program respond?
A Failing program — 4% is too high; issue remediation training to clickers
B Healthy program — high report rate indicates a strong awareness culture. Reinforce reporters, coach (don’t punish) clickers, and increase scenario difficulty.
C Data is meaningless without industry benchmarks
D Raise report rate by penalizing non-reporters
Correct: B
Clicks happen on any human population; what matters is whether users report. 62% reporting is high — culture is working. Punishing clickers suppresses reporting and makes future phishing invisible. Reinforce the desired behavior.
Source: CompTIA SY0-701 Objectives v5.0 — 5.6
All 5 Domains Complete
You’ve Covered the Full SY0-701 Exam Blueprint
Domains 1 through 5 — 100% of the objectives. Time to drill. Choose how you want to finish your prep.
TJS Platform
All 5 domains, 200+ adaptive questions, AI Study Buddy, timed exams, and certificate of completion.
Pocket Reference PDF
Printable desk reference with key concepts, mnemonics, and quick-reference tables for all 5 domains.
This content is provided for educational and exam preparation purposes only. It is designed to supplement your study efforts with additional context, scenarios, and practice material. This is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on published exam objectives — they are not actual exam questions. Exam content, format, and policies are determined solely by CompTIA. Always refer to the official CompTIA Security+ SY0-701 Exam Objectives as your primary reference. Tech Jacks Solutions is not responsible for exam outcomes.