CompTIA Security Plus SY0-701 Exam Questions (2025)

Latest SY0-701 exam questions from Cert Empire deliver authentic, up-to-date questions with detailed explanations and references for CompTIA Security+ certification exam preparation. Each question set is reviewed and verified by industry experts, ensuring accuracy across all five SY0-701 domains. You'll get precise answers with clear explanations and reasoning for the incorrect options, so you can master every concept instead of memorizing. Start with free demo questions, then practice in our realistic online exam simulator to build speed and confidence. With thoroughly validated content and smart practice tools, Cert Empire makes Security+ exam preparation structured, effective, and fully reliable.

Exam Questions

Question 1

An organization is leveraging a VPN between its headquarters and a branch location. Which of the following is the VPN protecting?
Options
A: Data in use
B: Data in transit
C: Geographic restrictions
D: Data sovereignty
Correct Answer:
Data in transit
Explanation
A Virtual Private Network (VPN) primarily protects data in transit. When connecting a headquarters to a branch location, the VPN creates an encrypted tunnel across a public or untrusted network (such as the internet), providing confidentiality and integrity for data as it travels between the two sites. NIST SP 800-77 states that VPNs protect data transmitted between VPN gateways, and Cisco documentation likewise notes that VPNs encrypt traffic to provide confidentiality for data in transit between geographically separated offices. Note the scope of that protection: a site-to-site VPN encrypts traffic only between the two gateways; it is in the clear on each LAN, so it complements rather than replaces application-layer encryption such as TLS.
Why Incorrect Options are Wrong

A. Data in use: This refers to data being actively processed in memory or by the CPU. A VPN secures data moving between networks, not data being processed on an endpoint.

C. Geographic restrictions: A VPN can be used to circumvent geographic restrictions by masking a user's apparent location, but that is a side use, not the protective security function a site-to-site VPN provides for the data itself.

D. Data sovereignty: This concerns the legal and regulatory requirements that apply to data based on where it is physically stored and the laws in force there. A VPN's technical role is to secure data transmission; it does not by itself enforce data sovereignty policies, though it might be one part of a broader strategy.

References

National Institute of Standards and Technology (NIST). Guide to IPsec VPNs (NIST Special Publication 800-77 Rev. 1, June 2020), Section 2.1, "VPN Overview" (PDF page 13). The 2005 original (p. 2-1) has been superseded by Rev. 1, which keeps similar wording in this section.
URL: https://csrc.nist.gov/publications/detail/sp/800-77/rev-1/final
Specifically: "Virtual Private Networks (VPNs) provide protection of data transmitted between VPN gateways (e.g., routers, firewalls) and/or VPN clients (e.g., end user devices)."

Cisco. (n.d.). What Is a VPN? How It Works, Types of VPN, and More.
URL: https://www.cisco.com/c/en/us/products/security/vpn/what-is-vpn.html
Specifically: "by encrypting traffic, VPNs provide confidentiality for data in transit" and "VPNs are used to securely connect geographically separated offices of an organization, creating one cohesive virtual network."

Internet Engineering Task Force (IETF). (2005). Security Architecture for the Internet Protocol (RFC 4301), Section 1, "Introduction," p. 5.
URL: https://www.rfc-editor.org/rfc/rfc4301.html
Specifically: describes how IPsec (a common VPN protocol) provides security services such as confidentiality for IP datagrams, which is protection of data in transit.

Microsoft Azure. (2023, October 10). What is VPN Gateway?
URL: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-aboutvpngateways
Specifically: "A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet." This directly describes securing data in transit.

Question 2

The marketing department set up its own project management software without telling the appropriate departments. Which of the following describes this scenario?
Options
A: Shadow IT
B: Insider threat
C: Data exfiltration
D: Service disruption
Correct Answer:
Shadow IT
Explanation
Shadow IT refers to information technology systems, devices, software, applications, and services used within an organization without the explicit approval or knowledge of the central IT department. The scenario describes the marketing department setting up its own project management software without informing the appropriate (presumably IT) departments, which directly aligns with the definition of Shadow IT. This practice can introduce security risks, compliance issues, and operational inefficiencies.
Why Incorrect Options are Wrong

B. Insider threat: An insider threat involves a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, systems, or data and misuses that access to harm the confidentiality, integrity, or availability of the organization's information or systems. The scenario describes a department acquiring a tool on its own, not the misuse of authorized access to cause harm, so it is not primarily an insider threat, although shadow IT can create vulnerabilities that insiders or outsiders might later exploit.

C. Data exfiltration: The unauthorized copying, transfer, or retrieval of data from a computer or server. Shadow IT could lead to data exfiltration, but the scenario describes the unapproved system setup, not an act of data theft.

D. Service disruption: An interruption to the normal operation of a service. Shadow IT could cause a disruption (for example, through network conflicts or resource consumption), but the scenario describes an unauthorized implementation, not an actual disruption event.

References

Shadow IT:

Microsoft Learn. "What is shadow IT?" (Microsoft Defender for Cloud Apps documentation). "Shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It can encompass cloud services, software, hardware, and other solutions."
URL: https://learn.microsoft.com/en-us/defender-cloud-apps/shadow-it-solution (Accessed: June 2, 2025)

NIST Special Publication 800-145, "The NIST Definition of Cloud Computing," page 2, Section 2. It does not define shadow IT, but its "on-demand self-service" characteristic ("A consumer can unilaterally provision computing capabilities... without requiring human interaction with each service provider") explains why cloud services are so easily provisioned by a business unit without IT involvement.
URL: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf (Accessed: June 2, 2025)

Gartner IT Glossary, "Shadow IT." Gartner's definition of shadow IT as the unsanctioned use of IT is widely adopted in vendor and academic literature; papers on cloud adoption in IEEE Xplore and the ACM Digital Library commonly build on it.

Insider Threat:

NIST Computer Security Resource Center. "Insider Threat." "An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems."
URL: https://csrc.nist.gov/glossary/term/insider_threat (Accessed: June 2, 2025)

Data Exfiltration:

NIST Computer Security Resource Center. "Data exfiltration." "The unauthorized transfer of information from an information system."
URL: https://csrc.nist.gov/glossary/term/data_exfiltration (Accessed: June 2, 2025)

Service Disruption:

NIST Computer Security Resource Center. "Availability." "Ensuring timely and reliable access to and use of information." (FIPS 199 / 44 U.S.C. Sec. 3542.) A service disruption is a loss of availability; the term names an outcome, not the unsanctioned deployment described in the scenario.
URL: https://csrc.nist.gov/glossary/term/availability (Accessed: June 2, 2025)

Question 3

An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?

Options
A: Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
   Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53
B: Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
   Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
C: Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
   Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53
D: Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
   Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
Correct Answer:
Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
Explanation

The goal is to allow outbound DNS (port 53) only from the internal host 10.50.10.25 and to block all other outbound DNS. Firewall ACLs are evaluated top down and the first matching rule is applied, so the specific permit must come before the general deny. Option D does exactly that:

Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53: permits traffic from source 10.50.10.25/32 (the designated device) to any destination (0.0.0.0/0) on destination port 53.

Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53: placed after the permit, denies port 53 traffic from any other source to any destination.

This is the least-privilege pattern for ACLs: explicitly permit the required flow, then deny everything else of that kind. Two practical caveats: the simplified syntax in the question omits the transport protocol, and DNS uses both UDP 53 and TCP 53 (TCP for large responses and zone transfers), so a real rule set must cover both; and a port 53 restriction does not stop encrypted DNS over HTTPS (443) or DNS over TLS (853), which need separate controls.

Why Incorrect Options are Wrong

A: The first rule, permit 0.0.0.0/0 0.0.0.0/0 port 53, matches all outbound DNS from any source, so every query is permitted and the deny for 10.50.10.25/32 that follows is never reached (it is shadowed). Even if it were reached, it would block the one host that should be allowed.

B: The permit rule, permit 0.0.0.0/0 10.50.10.25/32 port 53, has 10.50.10.25 in the destination field, so it matches traffic sent to that host on port 53, not the queries the host sends to external resolvers. Those queries fall through to the deny rule, so the designated device is blocked along with everyone else.

C: The first rule again permits all outbound DNS, and the deny that follows is both shadowed and, like B, written with 10.50.10.25 as the destination rather than the source. The broad permit defeats the objective.
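As an added worked example (not part of the original question set or Cert Empire's material), the following Python script applies first-match ACL evaluation to all four options and reports which of them satisfy the stated goal. The external resolver address 8.8.8.8 and the second internal host 10.50.10.77 are constructed test values, the "implicit-deny" result stands in for the implicit deny-all at the end of a real ACL, and the simplified rule syntax is the one used in the question, without a transport protocol field.

```python
"""First-match ACL evaluator for the four answer options in Question 3."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network  # source prefix
    dst: ipaddress.IPv4Network  # destination prefix
    port: int                   # destination port


def parse_acl(text: str) -> List[Rule]:
    """Parse lines in the question's simplified syntax:
    'Access list outbound <permit|deny> <src>/<len> <dst>/<len> port <n>'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) != 8 or tok[:3] != ["Access", "list", "outbound"] or tok[6] != "port":
            raise ValueError(f"unrecognised ACL line: {line!r}")
        rules.append(Rule(tok[3], ipaddress.ip_network(tok[4]),
                          ipaddress.ip_network(tok[5]), int(tok[7])))
    return rules


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the action of the first rule that matches the flow.
    'implicit-deny' models the implicit deny-all at the end of every ACL."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:                      # top-down, first match wins
        if src in r.src and dst in r.dst and dst_port == r.port:
            return r.action
    return "implicit-deny"


# The four options exactly as worded in the question.
OPTIONS = {
    "A": """Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53""",
    "B": """Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53""",
    "C": """Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53""",
    "D": """Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53""",
}

# Constructed test flows: the designated device and an arbitrary other host,
# each sending a DNS query to an external resolver (8.8.8.8 is illustrative).
ALLOWED_HOST = "10.50.10.25"
OTHER_HOST = "10.50.10.77"
EXTERNAL_DNS = "8.8.8.8"


def meets_goal(acl_text: str) -> bool:
    """True when the designated host is permitted and any other host is denied."""
    rules = parse_acl(acl_text)
    allowed = evaluate(rules, ALLOWED_HOST, EXTERNAL_DNS, 53) == "permit"
    blocked = evaluate(rules, OTHER_HOST, EXTERNAL_DNS, 53) in ("deny", "implicit-deny")
    return allowed and blocked


def options_meeting_goal() -> List[str]:
    return [letter for letter, text in OPTIONS.items() if meets_goal(text)]


if __name__ == "__main__":
    for letter, text in OPTIONS.items():
        rules = parse_acl(text)
        print(letter,
              "designated host:", evaluate(rules, ALLOWED_HOST, EXTERNAL_DNS, 53),
              "other host:", evaluate(rules, OTHER_HOST, EXTERNAL_DNS, 53))
    print("Options meeting the goal:", options_meeting_goal())
```

Running the script prints the result for the designated host and for another host under each option; only D permits the first and denies the second, while A and C permit both (the deny is shadowed) and B denies both (the permit is written against the destination). The same harness is a convenient way to test a real rule set for shadowed rules before pushing it to a firewall.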

References

Cisco Systems, Inc. (n.d.). Configuring IP Access Lists. Cisco IOS documentation explains that ACLs are processed sequentially and the first rule matching the traffic is applied; the syntax used in the question (source prefix, destination prefix, port) mirrors extended IP ACLs.
URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/sec_data_acl/configuration/15-mt/sec-data-acl-15-mt-book/sec-cfg-ip-acls.html (see "How IP Access Lists Work" on sequential processing).

National Institute of Standards and Technology (NIST). (September 2009). Special Publication 800-41 Revision 1: Guidelines on Firewalls and Firewall Policy, Section 3.2, "Policy Granularity" (page 11 of the PDF, page 17 of the document): "Most organizations use an 'allow only what is explicitly permitted' approach to firewall policy. That is, they deny all traffic by default and then explicitly permit only the services that are needed. This approach, which is known as a default deny policy, is recommended because it is more secure than a default permit policy (allowing all traffic except for what is explicitly denied)." This supports the "permit specific, deny general" structure of Option D.
DOI: https://doi.org/10.6028/NIST.SP.800-41r1

MIT OpenCourseWare. (Spring 2018). 6.033 Computer System Engineering, Lecture 19: Network Security & Firewalls, slide 26: "Best practice: default deny." Specific allowances are made against a general background of denial.
URL: https://ocw.mit.edu/courses/6-033-computer-system-engineering-spring2018/resources/lecture-19-network-security-firewalls/

Internet Engineering Task Force (IETF). (November 1987). RFC 1035: Domain Names - Implementation and Specification, Section 4.2.1, "UDP usage," specifies UDP as the primary transport for DNS queries and responses, and Section 4.2.2, "TCP usage," covers TCP; both use port 53, the standard DNS port referenced in the ACL.
URL: https://datatracker.ietf.org/doc/html/rfc1035#section-4.2.1

Question 4

After a security incident, a systems administrator asks the company to buy a NAC platform. Which of the following attack surfaces is the systems administrator trying to protect?
Options
A: Bluetooth
B: Wired
C: NFC
D: SCADA
Correct Answer:
Wired
Explanation
Network Access Control (NAC) platforms are primarily designed to enforce security policies on devices attempting to connect to an organization's network. A key attack surface that NAC directly protects is wired network access. NAC solutions, often utilizing protocols like IEEE 802.1X, authenticate and authorize devices connecting to physical Ethernet ports on switches. This prevents unauthorized or non-compliant devices from gaining access to the internal network through these wired connections, thereby reducing the risk of attacks originating from compromised or rogue devices plugged into the network.
Why Incorrect Options are Wrong

A. Bluetooth: Bluetooth is a wireless protocol and does present an attack surface on devices, but NAC platforms control access to the enterprise network (wired LAN, WLAN, VPN) rather than policing Bluetooth connections as a network entry point. Bluetooth security is usually handled by endpoint security controls.

C. NFC: Near Field Communication is a very short-range wireless technology. Enterprise NAC solutions are not designed to police NFC interactions as a means of network access; NFC security is managed at the device or application level.

D. SCADA: Supervisory Control and Data Acquisition systems are industrial control systems. NAC can protect the networks on which SCADA systems reside by controlling which devices may join those segments (often over wired connections), but SCADA is an environment or system type, not the access method (a port or connection type) that NAC polices. NAC protects the network ingress points to such environments.

References

Microsoft Learn. "802.1X Authenticated Wired Access Overview." Describes how 802.1X, a common component of NAC solutions, provides authenticated access to wired networks.
URL: https://learn.microsoft.com/en-us/windowsserver/networking/technologies/nps/nps-8021x-wired-overview
Specific section: Overview.

IEEE Standards Association. IEEE Std 802.1X-2020, IEEE Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control. The standard defines port-based NAC for IEEE 802 LANs, which include wired Ethernet.
DOI: https://doi.org/10.1109/IEEESTD.2020.9018186
Specific section: Abstract and Clause 1 (Overview). "This standard specifies port-based network access control, which provides an authenticated network access service that is applicable to IEEE 802® LANs."

Cisco. "What Is Network Access Control (NAC)?" Cisco, a major NAC vendor, states that "NAC solutions help organizations control access to their networks. Wired, wireless, and VPN users are subject to NAC."
URL: https://www.cisco.com/c/en/us/products/security/network-access-control.html (product information page; content may change).

For a more stable reference, see also Bhaiji, Y. (2008). Network Security Technologies and Solutions (CCIE Professional Development Series). Cisco Press, Chapter 10, "Network Access Control": "NAC is a concept and a solution that is applicable to all types of network access, including LAN (wired and wireless), remote access (VPN), and WAN."

NIST Special Publication 800-82 Revision 3, "Guide to Operational Technology (OT) Security." (Rev. 3 was finalized in September 2023; the link below is to the draft originally cited.) In discussing SCADA security it frames network access control as a protection for the network segments and connections into the OT environment (the draft's Section 5.2.4, "Network Segmentation," and Section 5.2.7, "Remote Access") rather than treating SCADA itself as the surface NAC acts upon.
URL: https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/draft
Specific section: discussion of network access controls for OT environments.

Question 5

Which of the following factors are the most important to address when formulating a training curriculum plan for a security awareness program? (Select two).
Options
A: Channels by which the organization communicates with customers
B: The reporting mechanisms for ethics violations
C: Threat vectors based on the industry in which the organization operates
D: Secure software development training for all personnel
E: Cadence and duration of training events
F: Retraining requirements for individuals who fail phishing simulations
Correct Answer:
Threat vectors based on the industry in which the organization operates, Cadence and duration of training events
Explanation
When formulating a security awareness training curriculum, it's paramount to tailor the content to the specific risks the organization faces and to plan its effective delivery. Option C, "Threat vectors based on the industry in which the organization operates," is crucial because the training must address the prevalent and relevant threats employees are likely to encounter. This ensures the program is pertinent and impactful. Option E, "Cadence and duration of training events," is vital for determining the frequency, length, and scheduling of training sessions to ensure effective learning, retention, and reinforcement without overwhelming participants or causing operational disruption. These two factors are foundational in designing a relevant and effective curriculum.
Why Incorrect Options are Wrong

A. Channels by which the organization communicates with customers: This concerns external communication strategy, not the content or planning of an internal security awareness curriculum for employees.

B. The reporting mechanisms for ethics violations: Important for corporate governance, but a distinct compliance area; it is not a primary driver of the breadth of a security awareness curriculum, which covers a much wider range of cyber threats.

D. Secure software development training for all personnel: Too specific and misdirected. Secure development training is for developers and other technical staff, whereas security awareness is for all employees and covers broader topics than coding.

F. Retraining requirements for individuals who fail phishing simulations: A reactive, operational aspect of running an ongoing program (maintenance and improvement), not a foundational factor in formulating the core curriculum.

References

NIST Special Publication 800-50 (October 2003), "Building an Information Technology Security Awareness and Training Program." (Superseded by SP 800-50 Rev. 1, "Building a Cybersecurity and Privacy Learning Program," September 2024; the sections cited are from the original.)

Supporting C: Section 3.3.1, "Developing Awareness and Training Material," page 11: "Material should be developed based on the identified awareness and training needs of the organization. The specific risk assessment for the organization can be a source for determining needs." Industry-specific threat vectors are a key input to that risk assessment and needs identification.

Supporting E: Section 4.1, "Implementing the Program - Training," page 17, notes that "Training can be provided in many ways..." and implies planning for delivery. More broadly, Section 3.2, "Designing the Program," page 10, states that "An effective IT security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation." Such a plan necessarily includes decisions on cadence and duration.
URL: https://csrc.nist.gov/publications/detail/sp/800-50/final

NIST Special Publication 800-16 (1998), "Information Technology Security Training Requirements: A Role- and Performance-Based Model." Older, but its principles remain valid and underpin later NIST guidance.

Supporting C: Section 2.2, "Overview of Model," page 5: "This model provides a framework for an organization to identify its IT security training needs by tying training to what people must know to perform their IT-security related job functions... It is important for training developers and implementers to consider the roles employees perform, their current skill levels, and the organization's specific technology." Understanding industry-specific threats informs what people must know.
URL: https://csrc.nist.gov/publications/detail/sp/800-16/archive/1998-11-01

EDUCAUSE Library, security awareness resources (for example, "Higher Education CISO's Top 10 List for Reducing Information Security Risk," in which awareness is a top-ranked item, and "Building an Effective Security Awareness Program"). These are not a curriculum guide, but the higher-education program assessment and awareness materials consistently recommend tailoring awareness content to the institution's specific risks (aligning with C) and planning regular, ongoing sessions (aligning with E).
URL: https://library.educause.edu/

Question 6

An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?
Options
A: Exception
B: Segmentation
C: Risk transfer
D: Compensating controls
Correct Answer:
Compensating controls
Explanation
The actions taken disabling unneeded services and placing a firewall in front of a business-critical legacy system are best described as compensating controls. Legacy systems often cannot have standard or current security controls applied due to technical limitations (e.g., inability to be patched, lack of support for modern security protocols). Compensating controls are alternative measures implemented to mitigate the risks associated with these deficiencies. Disabling services reduces the attack surface of the system itself, while the firewall provides a protective barrier, both compensating for the inherent vulnerabilities of the legacy system.
Why Incorrect Options are Wrong

A. Exception: An exception is a documented, approved deviation from a policy or standard in which the residual risk is accepted rather than reduced. Here the organization is actively implementing controls to reduce the risk.

B. Segmentation: Placing a firewall in front of the system does contribute to network segmentation (isolating the legacy host), but "compensating controls" more precisely describes the purpose of the combined actions, including host hardening by disabling services, on a legacy system whose inherent weaknesses cannot be fixed directly. Segmentation is one technique; compensating control is the rationale.

C. Risk transfer: Shifting the financial impact of a risk to a third party, for example through insurance. The actions described are technical controls, not a transfer mechanism.

References

Compensating Controls (primary justification for D):
Source: NIST Computer Security Resource Center (CSRC) Glossary, "Compensating Control."
Content: "A management, operational, or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in low-risk situations or to supplement a recommended control in high-risk situations. Compensating controls are security controls that are employed by an organization to satisfy the requirements of a security control when the recommended security control cannot be employed, for example, due to technical limitations or business constraints."
URL: https://csrc.nist.gov/glossary/term/compensating_control (the "technical limitations" clause is exactly the situation of a legacy system).
Additional context: NIST Special Publication 800-53B, "Control Baselines for Information Systems and Organizations," covers the selection of compensating controls as part of tailoring a control baseline.

Risk exception/acceptance (why A is incorrect):
Source: NIST Special Publication 800-37 Rev. 2, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy."
Reference: Section 2.5, "Risk Response": "ACCEPT: If the identified risk is within organizational risk tolerance, organizations can accept the risk with no further action." The actions taken in the question are not "no further action."
URL: https://doi.org/10.6028/NIST.SP.800-37r2 (Page 21)

Segmentation (why B is less precise):
Source: NIST Special Publication 800-41 Rev. 1, "Guidelines on Firewalls and Firewall Policy."
Reference: Section 3.1, "Firewall Functions": "Firewalls are also used to partition networks (segmentation) to support various security policies, for example, by creating a DMZ or by preventing traffic between two subnets of an internal network."
Content: A firewall does segment, but the overall strategy, including host hardening (disabling services) on a legacy system, points to the compensatory nature of the controls.
URL: https://doi.org/10.6028/NIST.SP.800-41r1 (Page 3-1)

Risk transfer (why C is incorrect):
Source: NIST Special Publication 800-37 Rev. 2, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy."
Reference: Section 2.5, "Risk Response": "SHARE/TRANSFER: Shifting all or part of the risk to another party (e.g., through the use of insurance, service level agreements, contracts, or other agreements)."
URL: https://doi.org/10.6028/NIST.SP.800-37r2 (Page 21)

Question 7

Which of the following is the best reason to complete an audit in a banking environment?
Options
A: Regulatory requirement
B: Organizational change
C: Self-assessment requirement
D: Service-level requirement
Correct Answer:
Regulatory requirement
Explanation
Audits in the banking environment are fundamentally driven by stringent regulatory requirements. Banking is a highly regulated industry, and audits serve as a critical mechanism to ensure institutions comply with numerous laws, regulations, and supervisory expectations aimed at financial stability, consumer protection, and operational soundness. Regulatory bodies, such as the Office of the Comptroller of the Currency (OCC) in the U.S., mandate and oversee audit activities to verify that banks manage risks appropriately and adhere to legal frameworks. While other factors can influence audit activities, the overarching and most compelling reason remains the fulfillment of regulatory obligations.
Why Incorrect Options are Wrong

B. Organizational change: Organizational changes may trigger specific audits or adjust audit scope, but the underlying purpose is usually to confirm that the changed entity still complies with regulations and manages its new risks, which points back to the regulatory driver.

C. Self-assessment requirement: Self-assessment is an internal control mechanism. Formal audits, especially external audits, provide the independent assurance that regulators require or expect in order to validate internal controls and overall compliance, which distinguishes them from self-assessment.

D. Service-level requirement: Service-level requirements concern operational performance metrics. Audits of them are narrow in scope and are not the primary, comprehensive motivation for auditing in banking, which centers on regulatory adherence and financial integrity.

References

Office of the Comptroller of the Currency (OCC). (2020, March). Comptroller's Handbook: Internal and External Audits.
URL: https://www.occ.gov/publications-and-resources/publications/comptrollershandbook/files/internal-external-audits/pub-ch-internal-external-audits.pdf
Specifics: Page 1: "Banks need effective internal and external audit programs to manage risks and operate in a safe and sound manner. Effective audit programs also help banks comply with laws and regulations." Page 4 notes that the audit charter should be "consistent with banking laws and regulations, supervisory guidance, and industry best practices."

Basel Committee on Banking Supervision (BCBS). (2012, September). Core Principles for Effective Banking Supervision.
URL: https://www.bis.org/publ/bcbs230.pdf
Specifics: Principle 26, "Internal control and audit" (pages 75-77), requires supervisors to determine that banks have adequate internal control frameworks, including an independent internal audit function, which underscores the regulatory expectation and oversight of audit: "Supervisors determine that the scope and frequency of internal audit reviews are appropriate... Supervisors also determine that the internal audit function is accountable to the board... and that management acts on its findings."

Question 8

A security administrator is deploying a DLP solution to prevent the exfiltration of sensitive customer data. Which of the following should the administrator do first?
Options
A: Block access to cloud storage websites.
B: Create a rule to block outgoing email attachments.
C: Apply classifications to the data.
D: Remove all user permissions from shares on the file server.
Show Answer
Correct Answer:
Apply classifications to the data.
Explanation
Before a Data Loss Prevention (DLP) solution can effectively prevent the exfiltration of sensitive customer data, the administrator must first identify and classify the data that needs protection. Data classification involves categorizing data based on its sensitivity level (e.g., confidential, internal, public). This process allows the DLP system to understand which data assets are considered sensitive and require protection. Without knowing what data is sensitive, any DLP rules or policies would be ineffective or misapplied. This foundational step ensures that subsequent DLP actions, such as creating rules or blocking channels, are targeted and efficient.
Why Incorrect Options are Wrong

A. Block access to cloud storage websites: This is a specific control action that might be part of a DLP strategy, but it is not the initial step. The decision to block such sites depends on the data classification and risk assessment.

B. Create a rule to block outgoing email attachments: Like option A, this is a specific DLP policy. Such rules are configured after sensitive data has been identified and classified, so that the DLP engine can recognize what to block.

D. Remove all user permissions from shares on the file server: This is an extreme access control measure that, while it might prevent some exfiltration, is not the first step in deploying a DLP solution. DLP focuses on identifying and controlling the movement of sensitive data, which requires classification first.

References

Microsoft Learn. (n.d.). Overview of data loss prevention. Microsoft Purview documentation. "The first step in information protection is understanding your data landscape. This means identifying and classifying sensitive data that is critical to your organization." URL: https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp ("Get started with information protection" section, first paragraph.)

AWS Documentation. (n.d.). Data Loss Prevention. Amazon Web Services. "To effectively protect your data, you first need to understand what data you have, where it's stored, and its level of sensitivity. Data discovery and classification are critical first steps in any data protection strategy." URL: https://aws.amazon.com/comprehend/data-loss-prevention/ (Introduction, second paragraph. The page belongs to the Amazon Comprehend service but describes the general DLP approach and explicitly names data classification as a first step.)

NIST. (2013, updated 2015). NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. Control SI-4, "Information System Monitoring," and its enhancements presuppose that the organization knows which types of information it is monitoring for; the framework as a whole assumes data awareness rather than naming a "DLP first step." The NIST Cybersecurity Framework's "Identify" function makes the same point for data protection generally.

NIST. NIST Special Publication 1800-27C, Securing Data Integrity Against Ransomware Attacks, Volume C, Section 3.1.1, "Identify and Classify Sensitive Data": "Understand what data is critical and sensitive. This is the first step to ensure it is adequately protected." Written for a different threat, but the sequencing applies equally to DLP. URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-27C.pdf (Page 9, PDF page 21.)
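The sequencing the explanation insists on (classify first, then write rules) is easier to see in code. The following is an added example written for this page, not code from the original question set or from any DLP vendor: detectors assign a sensitivity label to content, and the enforcement rules are expressed over labels rather than raw patterns, so the same rule governs e-mail, cloud uploads and removable media. The label names, channel names and sample documents are all constructed for the example; a real deployment would also pull labels from document metadata and a data inventory rather than relying on content inspection alone.

```python
"""Added example (not from the original page): a minimal DLP pipeline in which
classification drives enforcement. Detectors tag content with a label; policy
rules are written over labels, not raw patterns. Sample documents, label names
and channel names are constructed for this example."""
import re
from dataclasses import dataclass

# --- Step 1: classification -------------------------------------------------
# Labels in ascending sensitivity. Hypothetical names chosen for this example.
LABELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 13-16 digit numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # payment card number candidates
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN pattern
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")  # customer contact data

def has_pan(text: str) -> bool:
    """A candidate counts as a PAN only if it also passes the Luhn check."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False

# Each detector maps to the label it implies; the highest label wins.
DETECTORS = [
    (has_pan, "RESTRICTED"),
    (lambda t: bool(SSN_RE.search(t)), "RESTRICTED"),
    (lambda t: bool(EMAIL_RE.search(t)), "CONFIDENTIAL"),
    (lambda t: "internal use only" in t.lower(), "INTERNAL"),
]

def classify(text: str) -> str:
    """Highest-sensitivity label whose detector fires; PUBLIC if none."""
    best = "PUBLIC"
    for detector, label in DETECTORS:
        if detector(text) and LABELS.index(label) > LABELS.index(best):
            best = label
    return best

# --- Step 2: policy expressed over labels -----------------------------------
@dataclass
class Rule:
    min_label: str   # applies to this label and anything more sensitive
    channels: set    # egress channels the rule covers
    action: str      # "block" or "audit"

POLICY = [
    Rule("RESTRICTED", {"email_attachment", "cloud_upload", "usb"}, "block"),
    Rule("CONFIDENTIAL", {"cloud_upload"}, "block"),
    Rule("CONFIDENTIAL", {"email_attachment"}, "audit"),
]

def decide(text: str, channel: str) -> tuple:
    """Return (label, action) for content leaving over the given channel.
    The most restrictive matching rule wins; no match means allow."""
    label = classify(text)
    action = "allow"
    for rule in POLICY:
        if channel in rule.channels and LABELS.index(label) >= LABELS.index(rule.min_label):
            if rule.action == "block" or action == "allow":
                action = rule.action
    return label, action

if __name__ == "__main__":
    samples = [  # constructed documents
        "quarterly newsletter draft",
        "Card on file: 4111 1111 1111 1111 exp 12/27",
        "Customer list: alice@example.com, bob@example.net",
        "Order #1234567890123456 shipped",   # 16 digits but fails Luhn: not a PAN
    ]
    for doc in samples:
        print(decide(doc, "cloud_upload"), "<-", doc)
```

Note that the order number in the last sample is not treated as a card number because it fails the Luhn check; without that check, option B's "block outgoing attachments" rule would be blocking shipping notices, which is exactly the kind of misapplied policy the explanation warns about when rules are written before data is classified.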

Question 9

Which of the following describes a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system?
Options
A: SIEM
B: DLP
C: IDS
D: SNMP
Show Answer
Correct Answer:
SIEM
Explanation
A Security Information and Event Management (SIEM) system is precisely designed to collect, aggregate, and analyze log data from various sources across an organization's IT infrastructure, including systems, applications, and network devices. Its core functions include identifying security incidents, policy violations, and suspicious activities by correlating events from these diverse logs, and then generating alerts. This centralized approach to monitoring and alerting is key to effective security operations.
Why Incorrect Options are Wrong

B. DLP (Data Loss Prevention): DLP tools focus on identifying and preventing the unauthorized exfiltration or leakage of sensitive data. While they monitor and may log certain activities, their purpose is not comprehensive, centralized log collection from all system, application, and network sources for general security alerting, as the question describes.

C. IDS (Intrusion Detection System): An IDS monitors network or system activity for malicious signatures or anomalous behavior in order to detect potential intrusions. It generates alerts and logs specific to those detections but is not a centralized aggregator of all types of logs from diverse sources in the way a SIEM is. A SIEM typically ingests IDS output as one of its feeds.

D. SNMP (Simple Network Management Protocol): SNMP is a protocol for managing and monitoring network devices. It collects status and performance data from network hardware but is not itself a security tool that centralizes and analyzes system, application, and network logs for security alerting. SNMP data (polled values and traps) can be a feed into a SIEM.

References

SIEM:

NIST Glossary of Key Information Security Terms, Revision 2 (NISTIR 7298 Rev. 2), page 163: "Security Information and Event Management (SIEM): Application that collects security-related data (e.g., important computer logs, network traffic data) from various computer logs and network traffic data, analyzes that data for security policy violations and/or anomalous activity, and generates alerts." URL: https://csrc.nist.gov/publications/detail/nistir/7298/rev-2/final (publication page; the definition is widely cited from this document).

NIST Special Publication 800-92, Guide to Computer Security Log Management, Section 6.1: "Log management infrastructures range from very simple (e.g., a single host that records log data in local flat files) to very complex (e.g., a sophisticated security information and event management (SIEM) product that performs centralized log collection, storage, and analysis for an entire enterprise)." URL: https://csrc.nist.gov/publications/detail/sp/800-92/final

DLP:

NIST Special Publication 1800-27C, Securing Data Integrity Against Ransomware Attacks: A Practice Guide, Section 2.3.4: "Data loss prevention (DLP) tools are another means by which organizations can detect and stop exfiltration of data." URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-27c.pdf (Page 11)

IDS:

NIST Special Publication 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), Section 2.1: "IDPSs are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators." URL: https://csrc.nist.gov/publications/detail/sp/800-94/final (Revision 1 of SP 800-94 was released only as a draft in 2012; its definitions align with the 2007 final version cited here.)

Tan, L., & Rountree, N. (2019). A Survey on Intrusion Detection Systems: A Computational Intelligence Perspective. IEEE Access, 7, 121579-121603. DOI: https://doi.org/10.1109/ACCESS.2019.2937670 (Page 121580, Section II.A; defines IDS in the context of security monitoring but highlights its focus on intrusions.)

SNMP:

IETF RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks, Section 1 (Introduction): "SNMP is an application-layer protocol, and is typically layered onto a connectionless transport-layer protocol... It provides a message format for communication between managers and agents." URL: https://www.rfc-editor.org/rfc/rfc3411.txt (Page 6)

Case, J., Fedor, M., Schoffstall, M., & Davin, J. (1990). RFC 1157: A Simple Network Management Protocol (SNMP), Section 1.1. The original SNMP RFC, which defines the protocol's purpose as network management, not security log analysis. URL: https://datatracker.ietf.org/doc/html/rfc1157
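What distinguishes a SIEM from the other three options is the combination of normalizing heterogeneous sources into one schema and correlating across them. The following is an added example written for this page, not code from the original question set or from any SIEM product: three log formats (an sshd authentication log, a web login log, and firewall drops) are parsed into a common event record, and one correlation rule runs across all of them. The log lines, host names, addresses and the field names of the event schema are constructed for the example; a real SIEM would normalize to a standard schema and persist state rather than keep it in memory.

```python
"""Added example (not from the original page): a toy SIEM pipeline. Three log
sources in different formats are parsed into one normalized event schema, then a
correlation rule runs across all of them. Log lines, hosts, IPs and the schema
field names are constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    source: str    # which log the event came from
    host: str
    src_ip: str
    user: str
    outcome: str   # "failure", "success" or "drop"

# --- Parsers: one per source format ------------------------------------------
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
WEB_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "POST /login HTTP/1\.1" '
    r"(?P<status>\d{3}) \d+ user=(?P<user>\S+)")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: FW DROP SRC=(?P<ip>\S+) DST=\S+ DPT=\d+")

def parse_line(line: str):
    """Return a normalized Event, or None for lines no parser understands."""
    if m := SSHD_RE.match(line):
        return Event(datetime.fromisoformat(m["ts"]), "sshd", m["host"], m["ip"],
                     m["user"], "failure" if m["outcome"] == "Failed" else "success")
    if m := WEB_RE.match(line):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        return Event(ts, "web", "www1", m["ip"], m["user"],
                     "failure" if m["status"] == "401" else "success")
    if m := FW_RE.match(line):
        # Firewall drops carry no user or login outcome; kept for context.
        return Event(datetime.fromisoformat(m["ts"]), "fw", m["host"], m["ip"], "-", "drop")
    return None

# --- Correlation rule across sources -----------------------------------------
def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Alert when one source IP accumulates `threshold` failed logins, counted
    across every source, inside a sliding `window`; escalate if a successful
    login from that IP follows while the window is still open."""
    alerts = []
    failures = defaultdict(list)   # src_ip -> recent failure events
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.outcome == "drop":
            continue
        history = failures[ev.src_ip]
        if ev.outcome == "failure":
            history.append(ev)
            history[:] = [h for h in history if ev.ts - h.ts <= window]
            if len(history) == threshold:   # fire once, when the bar is crossed
                alerts.append({"rule": "brute_force", "ip": ev.src_ip,
                               "sources": sorted({h.source for h in history}),
                               "severity": "medium"})
        elif len(history) >= threshold and ev.ts - history[-1].ts <= window:
            alerts.append({"rule": "success_after_brute_force", "ip": ev.src_ip,
                           "user": ev.user, "severity": "high"})
    return alerts

# Constructed sample logs: sshd with ISO timestamps, an access log with a custom
# user= field, and iptables-style firewall drops.
SAMPLE_LOGS = """\
2025-03-01T10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2025-03-01T10:00:03 bastion sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
203.0.113.7 - - [01/Mar/2025:10:00:05] "POST /login HTTP/1.1" 401 512 user=alice
203.0.113.7 - - [01/Mar/2025:10:00:07] "POST /login HTTP/1.1" 401 512 user=bob
2025-03-01T10:00:09 edge1 kernel: FW DROP SRC=203.0.113.7 DST=10.0.0.5 DPT=3389
2025-03-01T10:00:11 bastion sshd[1203]: Failed password for alice from 203.0.113.7 port 51002 ssh2
203.0.113.7 - - [01/Mar/2025:10:00:20] "POST /login HTTP/1.1" 302 0 user=alice
198.51.100.9 - - [01/Mar/2025:10:01:00] "POST /login HTTP/1.1" 401 512 user=carol
"""

def run(log_text: str = SAMPLE_LOGS):
    """Parse every line, drop the unparseable ones, and return the alerts."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return correlate(events)

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample input the attacker's three sshd failures and two web failures are each below a per-source threshold of five; only the cross-source count in the SIEM reaches it, which is the point the question is testing. An IDS watching one network segment or a DLP agent watching file movement would see none of this.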

Question 10

Which of the following are cases in which an engineer should recommend the decommissioning of a network device? (Select two).
Options
A: The device has been moved from a production environment to a test environment.
B: The device is configured to use cleartext passwords.
C: The device is moved to an isolated segment on the enterprise network.
D: The device is moved to a different location in the enterprise.
E: The device's encryption level cannot meet organizational standards.
F: The device is unable to receive authorized updates.
Show Answer
Correct Answer:
The device's encryption level cannot meet organizational standards., The device is unable to receive authorized updates.
Explanation
Decommissioning a network device is recommended when it poses an unacceptable security risk that cannot be reasonably mitigated. Option E is correct because if a device's encryption capabilities are outdated or insufficient to meet current organizational security policy (for example, a requirement for TLS 1.2 or later, or for specific cipher suites), it can expose sensitive data. If the device cannot be upgraded to meet these standards, decommissioning is necessary to protect information assets. Option F is correct because a device that can no longer receive authorized updates, especially security patches (for example, an End-of-Life or End-of-Support device), will accumulate unpatched vulnerabilities. This makes it an ongoing and growing target for exploitation, so it must be removed from the network.
Why Incorrect Options are Wrong

A. The device has been moved from a production environment to a test environment. Moving a device to a test environment is repurposing, not a reason for decommissioning; the device may still have a useful, if different, role.

B. The device is configured to use cleartext passwords. This is a critical security misconfiguration that requires immediate remediation (reconfiguring the device for secure authentication methods). Decommissioning is considered only if the device cannot be configured to avoid cleartext passwords, at which point it fails to meet security standards (the situation in option E).

C. The device is moved to an isolated segment on the enterprise network. Isolating a device is a risk mitigation strategy, often used for legacy systems that cannot be decommissioned immediately but still need to operate. It does not by itself mean the device should be decommissioned.

D. The device is moved to a different location in the enterprise. Physical relocation within the enterprise does not, by itself, warrant decommissioning; functional and security capabilities are what matter.

References

For Option F (unable to receive authorized updates):

NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, control SA-22, "Unsupported System Components." The control directs organizations to replace system components when support is no longer available from the developer, vendor, or manufacturer, or else to provide and document justified alternative sources of support (such as in-house or contracted support). Continued use of an unsupported component is therefore the exception that must be justified; replacement, which is what decommissioning delivers, is the default action. URL: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final (See page 303, PDF page 339.)

Additional source: NIST Special Publication 1800-15, Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD), Volume B, Section 3.4, "Device Cybersecurity Throughout the Lifecycle," on end of life: "Devices that are no longer supported by the manufacturer with security updates should be replaced." URL: https://csrc.nist.gov/publications/detail/sp/1800-15/final

For Option E (encryption level cannot meet organizational standards):

NIST Special Publication 800-53 Revision 5, control SC-13, "Cryptographic Protection." The control requires the organization to determine the cryptographic uses it needs (for example, protecting information in transit) and to implement the required type of cryptography for each, such as FIPS-validated or NSA-approved cryptography; cryptographic key establishment and management are covered separately by SC-12. A device that cannot support the required cryptography fails the control, and remediation, which may mean replacement or decommissioning if an upgrade is not possible, is necessary. URL: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final (See page 347, PDF page 383.)

Additional source: IETF RFC 7525, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). Section 3.1, "Protocol Versions," prohibits negotiating SSLv2 and SSLv3, recommends against TLS 1.0 and TLS 1.1, and requires support for TLS 1.2; Section 4 covers cipher suite selection and rejects weak suites. TLS 1.0 and 1.1 were later formally deprecated by RFC 8996, and RFC 7525 has been obsoleted by RFC 9325, which keeps the same direction. A device that cannot be configured to meet these, or comparable organizational, standards is insecure. URL: https://doi.org/10.17487/RFC7525

For why Option B is less direct:

NIST Special Publication 800-12 Rev. 1, An Introduction to Information Security, Section 6.3, "Implementing Security Controls": "After the controls have been selected, they must be implemented, or put in place, and their operation documented." A device using cleartext passwords reflects a failure to implement proper authentication controls; the first step is to implement or correct the control, not to retire the device. URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf (Page 55)
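The decision the question is really about, when a finding means "fix the configuration" versus "retire the device", is worth making explicit as a check you can run over an inventory. The following is an added example written for this page, not code from the original question set or from any vendor: each device record carries what the device can be configured to do (protocol versions, cipher suites, firmware upgradability), its vendor end-of-support date, and its current authentication setting, and the assessment separates decommission reasons (options E and F) from remediation reasons (option B). The devices, dates, baseline and field names are constructed; the baseline follows the direction of RFC 7525 and RFC 8996 (TLS 1.2 minimum, no known-weak suites) but the exact list is this example's own.

```python
"""Added example (not from the original page): evaluate a network-device
inventory against an organizational crypto and support baseline, and separate
"decommission" from "remediate" and "ok". Devices, dates, the baseline and the
field names are constructed for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Device:
    name: str
    tls_versions: Set[str]          # protocol versions the device can be configured for
    ciphers: Set[str]               # cipher suites it is able to offer
    end_of_support: Optional[date]  # vendor end-of-support date, None if still supported
    firmware_upgradable: bool       # whether newer firmware can still be loaded
    cleartext_auth: bool            # currently configured for cleartext passwords

# Baseline in the spirit of RFC 7525 / RFC 8996: TLS 1.2 minimum, no known-weak suites.
MIN_TLS = "TLSv1.2"
TLS_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "anon")

def best_tls(device: Device) -> Optional[str]:
    """Highest protocol version the device can be configured to use."""
    supported = [v for v in TLS_ORDER if v in device.tls_versions]
    return supported[-1] if supported else None

def can_meet_crypto_baseline(device: Device) -> bool:
    """True if the device can be configured to meet the baseline, even if it is
    not configured that way today (capability, not current state)."""
    top = best_tls(device)
    if top is None or TLS_ORDER.index(top) < TLS_ORDER.index(MIN_TLS):
        return False
    strong = [c for c in device.ciphers
              if not any(marker in c for marker in WEAK_CIPHER_MARKERS)]
    return bool(strong)

def assess(device: Device, today: date) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is 'decommission', 'remediate' or 'ok'."""
    decommission: List[str] = []
    remediate: List[str] = []
    if device.end_of_support is not None and device.end_of_support <= today:
        decommission.append("end of support reached: no authorized security updates")
    if not can_meet_crypto_baseline(device):
        if device.firmware_upgradable:
            remediate.append("crypto below baseline: upgrade firmware, then re-check")
        else:
            decommission.append("crypto below baseline and the device cannot be upgraded")
    if device.cleartext_auth:
        # A misconfiguration to fix, not by itself grounds to retire hardware
        # that can be reconfigured (option B in the question).
        remediate.append("cleartext passwords configured: reconfigure authentication")
    verdict = "decommission" if decommission else "remediate" if remediate else "ok"
    return verdict, decommission + remediate

def inventory() -> List[Device]:
    """Constructed devices for the sample run."""
    return [
        Device("core-sw1", {"TLSv1.2", "TLSv1.3"}, {"TLS_AES_256_GCM_SHA384"},
               None, True, False),
        Device("legacy-ap3", {"TLSv1.0", "TLSv1.1"}, {"RC4-SHA", "DES-CBC3-SHA"},
               None, False, False),
        Device("branch-rtr2", {"TLSv1.2"}, {"ECDHE-RSA-AES128-GCM-SHA256"},
               date(2023, 6, 30), True, False),
        Device("mgmt-kvm", {"TLSv1.2"}, {"ECDHE-RSA-AES128-GCM-SHA256"},
               None, True, True),
    ]

def report(today: date = date(2025, 1, 1)) -> Dict[str, str]:
    """Map each constructed device to its verdict."""
    return {d.name: assess(d, today)[0] for d in inventory()}

if __name__ == "__main__":
    for d in inventory():
        verdict, reasons = assess(d, date(2025, 1, 1))
        print(f"{d.name:12} {verdict:12} {'; '.join(reasons) or 'meets baseline'}")
```

The distinction the code draws is the one the explanation makes: the access point that can only ever speak TLS 1.0/1.1 with RC4 and 3DES, and cannot take new firmware, is option E; the router past its end-of-support date is option F; the KVM that merely has cleartext passwords turned on is option B, a configuration fix. Isolation (option C) would be a compensating control applied to a device already tagged "decommission" while replacement is scheduled, not a verdict of its own.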

Total Questions: 649
Last Update Check: October 05, 2025