CompTIA CY0-001 Exam Questions

Exam Name: CompTIA SecAI+ v1 Exam
Exam Code: CY0-001
Related Certification(s): CompTIA SecAI+ Certification
Certification Provider: CompTIA
Actual Exam Duration: 60 Minutes
Number of CY0-001 practice questions in our database: 126 (updated: Jun. 01, 2026)

Free CompTIA CY0-001 Exam Actual Questions

Note: Premium Questions for CY0-001 were last updated On Jun. 01, 2026 (see below)

Question #1

Which of the following International Organization for Standardization (ISO) standards should be selected for certification to use for third-party assurance for responsible AI practices?

Correct Answer: D

Basic Concept: ISO develops international standards for management systems across various domains. For organizations seeking third-party certification demonstrating commitment to responsible AI governance practices, the appropriate ISO standard must specifically address AI management systems. CompTIA SecAI+ Exam Objectives cover ISO standards relevant to AI governance under Domain 4.

Why D is Correct: ISO 42001 is the International Standard for Artificial Intelligence Management Systems (AIMS). It provides a framework for establishing, implementing, maintaining, and continually improving an AI management system within organizations. ISO 42001 certification provides third-party assurance specifically for responsible AI practices including risk management, transparency, human oversight, and ethical AI governance --- directly answering the question.

Why A is Wrong: ISO 20000 is the standard for IT Service Management (ITSM). It provides requirements for establishing and maintaining a service management system for IT services. It does not address AI governance or responsible AI practices.

Why B is Wrong: ISO 27001 is the standard for Information Security Management Systems (ISMS). It addresses general information security risk management, not AI-specific governance or responsible AI practices such as fairness, transparency, and AI lifecycle management.

Why C is Wrong: ISO 27701 extends ISO 27001 to address Privacy Information Management (PIMS), covering personal data protection requirements aligned with GDPR. While relevant to data privacy in AI systems, it does not specifically certify responsible AI governance practices.


Question #2

A security analyst is preparing a presentation for the sales team that describes the most common vulnerabilities that are specific to AI applications.

Which of the following is the best source for the analyst to consult?

Correct Answer: C

Basic Concept: Identifying AI-specific application vulnerabilities requires consulting a resource that has cataloged and documented the unique vulnerability types that affect AI systems, particularly LLMs. Different security standards serve different purposes, and selecting the right reference for AI application vulnerabilities is essential. CompTIA SecAI+ Study Guide references OWASP for AI application vulnerability guidance.

Why C is Correct: OWASP maintains the OWASP Top 10 for Large Language Model Applications, which specifically catalogs the most critical and common vulnerabilities in AI applications including prompt injection, sensitive information disclosure, excessive agency, insecure output handling, and training data poisoning. This AI-specific vulnerability list is the most directly relevant and accessible resource for a presentation on AI application vulnerabilities.

Why A is Wrong: ISO 27001 is a general information security management system standard covering broad organizational security controls. It does not specifically catalog AI application vulnerabilities or LLM-specific weakness categories.

Why B is Wrong: CWE catalogues software weakness types at a code and design level for traditional software. While some weaknesses apply to AI systems, CWE does not have a dedicated AI application vulnerability taxonomy comparable to the OWASP LLM Top 10.

Why D is Wrong: NIST RMF is a risk management framework providing guidance for managing and reducing information security risk. It is a process framework, not a vulnerability catalog, and does not list specific AI application vulnerability types suitable for a vulnerabilities presentation.


Question #3

A SOC team has an AI agent that performs web searches and calls to the SOAR solution. The team is concerned about enterprise uptime and case resolution time.

Which of the following is the most appropriate use of the AI agent?

Correct Answer: A

Basic Concept: AI agents in SOC environments can automate repetitive, rules-based response actions that previously required human intervention. When the primary concerns are enterprise uptime and case resolution time, the AI agent's ability to autonomously execute containment actions through SOAR is the most impactful application. CompTIA SecAI+ Study Guide covers AI agent use cases in security operations.

Why A is Correct: Using the AI agent to analyze incidents and execute containment actions through SOAR playbooks directly addresses both uptime and resolution time concerns. The agent can immediately analyze alert details, determine the appropriate playbook, and execute containment actions such as isolating compromised hosts or disabling compromised accounts autonomously, without waiting for human intervention. This dramatically reduces mean time to contain threats, improving both uptime and resolution speed.

Why B is Wrong: Enriching alerts with open-source intelligence improves analyst context but is a preparatory step rather than a response action. While valuable, it does not directly reduce resolution time by taking containment actions to stop ongoing threats.

Why C is Wrong: Aggregating metrics and generating leadership reports is an administrative function that consumes agent capacity for non-operational purposes. It improves visibility but does not directly improve uptime or case resolution time for active incidents.

Why D is Wrong: Creating tabletop exercises improves team preparedness over time through training scenarios. While beneficial for long-term capability development, it does not directly address the immediate concerns of enterprise uptime and active case resolution time.


Question #4

A security architect performs threat modeling of an AI system. The architect needs to determine which attacks can be performed against the system.

Which of the following actions should the architect take next?

Correct Answer: D

Basic Concept: AI-specific threat modeling requires consulting resources that catalogue adversarial attacks specifically developed for AI and ML systems. General cybersecurity frameworks may miss AI-unique attack vectors such as model inversion, data poisoning, and adversarial examples. CompTIA SecAI+ Study Guide identifies MITRE ATLAS as the authoritative source for AI system TTPs.

Why D is Correct: MITRE ATLAS provides a comprehensive, curated knowledge base of adversarial tactics, techniques, and procedures specifically targeting AI and ML systems, derived from real-world attack case studies. Analyzing ATLAS enables the architect to enumerate realistic AI-specific attacks applicable to the system being threat-modeled, which directly answers the question of which attacks can be performed.

Why A is Wrong: Using an LLM to map attack paths introduces uncertainty and potential hallucination risk. LLMs may generate plausible-sounding but inaccurate attack paths and cannot guarantee comprehensive coverage of AI-specific attack techniques.

Why B is Wrong: Quantifying risk of known vulnerabilities is a risk assessment step that occurs after identifying which attacks are possible. The architect must first identify attack possibilities before quantifying their risk impact.

Why C is Wrong: OWASP Top 10 covers web application vulnerabilities and, in its LLM edition, certain LLM-specific risks. However, MITRE ATLAS provides a more comprehensive and structured catalog of AI and ML-specific adversarial TTPs for systematic threat modeling.


Question #5

During the selection of a machine learning (ML)-based threat classification model, a cybersecurity administrator verifies that label distribution is highly unbalanced.

Which of the following processing techniques should the engineer use to balance the model?

Correct Answer: B

Basic Concept: Class imbalance in training data --- where some categories have significantly more examples than others --- causes ML models to be biased toward the majority class, producing poor detection of minority class threats. Addressing this imbalance before training is critical for threat classification accuracy. CompTIA SecAI+ covers data preparation techniques under basic AI concepts.

Why B is Correct: Data augmentation addresses class imbalance by artificially increasing the number of training samples in under-represented classes. Techniques include oversampling minority classes by creating synthetic examples using methods like SMOTE (Synthetic Minority Over-sampling Technique), or undersampling majority classes. This balances label distribution and enables the model to learn decision boundaries that accurately classify all threat categories, not just the dominant ones.

Why A is Wrong: Data lineage documents the origin, movement, and transformation of data throughout its lifecycle. It provides traceability and auditability but does not address class imbalance in training data distribution.

Why C is Wrong: Data provenance records the history and context of data origins. Like lineage, it is a governance and tracking concept that does not alter data distribution for model training balance.

Why D is Wrong: Data verification confirms that data is correct and consistent with expected formats and values. It checks data quality and integrity but does not address the statistical distribution imbalance between threat classes in training datasets.
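As an added illustration of the balancing techniques named in the explanation above (random undersampling of the majority class and SMOTE-style synthetic oversampling of the minority class), the following Python script is not part of the exam material or CompTIA's study guide. It uses a small constructed threat-classification dataset and pure-Python implementations; the feature names and values are invented for the example, and the SMOTE variant here uses simple Euclidean nearest neighbours with a fixed random seed so the result is reproducible.

```python
"""Added example (not from the exam or CompTIA): measure class imbalance in a
threat-classification training set and correct it by undersampling or by
SMOTE-style synthetic oversampling. Pure Python, no external libraries."""

import random
from collections import Counter

# Constructed training set: three normalised features per sample (think
# connection rate, bytes out, failed logins) plus a threat label.
# Deliberately skewed: 8 benign samples vs 2 malicious samples.
CONSTRUCTED_DATASET = [
    ([0.10, 0.20, 0.00], "benign"),
    ([0.15, 0.25, 0.05], "benign"),
    ([0.12, 0.18, 0.02], "benign"),
    ([0.20, 0.30, 0.00], "benign"),
    ([0.08, 0.22, 0.01], "benign"),
    ([0.18, 0.26, 0.03], "benign"),
    ([0.11, 0.19, 0.00], "benign"),
    ([0.14, 0.21, 0.04], "benign"),
    ([0.90, 0.85, 0.70], "malicious"),
    ([0.95, 0.80, 0.75], "malicious"),
]


def label_distribution(dataset):
    """Count samples per label; this is the check the administrator performs."""
    return Counter(label for _, label in dataset)


def imbalance_ratio(dataset):
    """Majority-class count divided by minority-class count (1.0 = balanced)."""
    counts = label_distribution(dataset)
    return max(counts.values()) / min(counts.values())


def random_undersample(dataset, seed=0):
    """Shrink every class to the size of the smallest class by random selection.
    Cheap, but discards majority-class information."""
    rng = random.Random(seed)
    counts = label_distribution(dataset)
    target = min(counts.values())
    balanced = []
    for label in counts:
        members = [s for s in dataset if s[1] == label]
        balanced.extend(rng.sample(members, target))
    return balanced


def _euclid(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def smote_oversample(dataset, k=1, seed=0):
    """SMOTE-style oversampling: grow every minority class to the majority-class
    size by adding synthetic points interpolated between a real minority sample
    and one of its k nearest same-class neighbours. A class with a single
    sample has no neighbour, so it is duplicated instead."""
    rng = random.Random(seed)
    counts = label_distribution(dataset)
    target = max(counts.values())
    balanced = list(dataset)
    for label, count in counts.items():
        members = [feats for feats, lbl in dataset if lbl == label]
        for _ in range(target - count):
            base = rng.choice(members)
            others = [m for m in members if m is not base]
            if others:
                neighbours = sorted(others, key=lambda m: _euclid(base, m))[:k]
                nb = rng.choice(neighbours)
            else:
                nb = base  # lone sample: plain duplication
            t = rng.random()  # position along the segment base -> neighbour
            synthetic = [b + t * (n - b) for b, n in zip(base, nb)]
            balanced.append((synthetic, label))
    return balanced


if __name__ == "__main__":
    print("before:", dict(label_distribution(CONSTRUCTED_DATASET)),
          "ratio", imbalance_ratio(CONSTRUCTED_DATASET))
    under = random_undersample(CONSTRUCTED_DATASET)
    print("undersampled:", dict(label_distribution(under)))
    over = smote_oversample(CONSTRUCTED_DATASET)
    print("SMOTE oversampled:", dict(label_distribution(over)),
          "ratio", imbalance_ratio(over))
```

Run the script to see the distribution before and after each technique. In practice the check in `label_distribution` belongs in the data-preparation stage before any model selection, and the balancing step must be applied only to the training split, never to the evaluation set, or the measured detection rate for the minority threat class will be inflated.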


