Quick Navigation
- Core Security Definitions (Domain 1 — 27%)
- Phishing Attack Variants (Domain 2 — 33%)
- Social Engineering Techniques (Domain 2 — 33%)
- Malware and System Threats (Domain 2 — 33%)
- Authentication and Account Security (Domain 1 — 27%)
- Data Classification and Sensitivity Labels (Domain 3 — 28%)
- Data Handling and Protection Practices (Domain 3 — 28%)
- Incident Reporting and Response (Domain 4 — 12%)
- Exam Mindset: Business User vs. IT Admin
Core Security Definitions (Domain 1 — 27%)
- Vulnerability
- A weakness or flaw in a system, application, or process that COULD be exploited — it exists regardless of whether anyone acts on it.
- Threat
- A potential danger that COULD exploit a vulnerability to cause harm — the actor or event (hacker, malware, natural disaster) that acts on a weakness.
- Risk
- The likelihood and impact of a threat successfully exploiting a vulnerability — Risk = Threat × Vulnerability × Impact.
- Exploit
- The method, tool, or technique an attacker uses to take advantage of a vulnerability and perform unauthorized actions.
- Encryption
- Converting readable data (plaintext) into an unreadable format (ciphertext) that can only be decoded with the correct key — protects data confidentiality but does NOT prevent theft; encrypted data can still be exfiltrated, it just cannot be read without the key.
- Deepfakes
- AI-generated synthetic media (audio, video, images) that realistically impersonate real people or fabricate events — used for fraud, disinformation, and social engineering.
- Shared Responsibility Model
- On this exam: security is a joint duty between IT/security teams AND every individual employee — not solely IT's job. (In cloud security the same term names the split of duties between the cloud provider and the customer; the exam uses the broader sense in which every employee owns part of the responsibility.)
- Misinformation vs. Disinformation
- Misinformation is false content spread WITHOUT deliberate intent; disinformation is false content spread WITH deliberate intent to deceive.
Phishing Attack Variants (Domain 2 — 33%)
- Phishing (email)
- Fraudulent emails impersonating trusted entities to trick recipients into clicking malicious links, opening attachments, or revealing credentials.
- Smishing (SMS phishing)
- Phishing conducted via SMS text messages — same urgency and impersonation tactics as email phishing but delivered by text.
- Vishing (voice phishing)
- Phishing conducted over phone calls — attacker impersonates tech support, bank, government agency, or a colleague.
- Quishing (QR code phishing)
- Malicious QR codes that redirect victims to fraudulent websites — often placed on physical materials or embedded in emails.
- Phishing red flags
- Mismatched sender address, urgency or fear tactics, generic greetings, grammatical errors, unexpected attachments, and requests for credentials or payments — a legitimate-looking email from a known contact can still be phishing if the address is spoofed or the account is compromised.
- Malicious link detection
- Hover over links (long-press on a phone) to preview the real URL before clicking; check for misspelled or look-alike domains, a trusted brand name placed in front of a different domain, raw IP addresses, and shortened URLs that hide the destination. Plain HTTP is a red flag, but HTTPS is not proof of legitimacy: phishing sites routinely carry valid TLS certificates, so the padlock only means the connection is encrypted, not that the site is trustworthy.
- Business Email Compromise (BEC)
- Attacker impersonates an executive or vendor via email to trick employees into making unauthorized wire transfers or disclosing sensitive data.
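The "hover and inspect the real URL" advice above, written out as a small checker. This is an added example, not code from the page; the known-domain list, the shortener list and the sample links are constructed for illustration, and the look-alike test is a deliberately crude one-character edit distance.

```python
"""Added example: the 'hover and inspect the real URL' advice as code.
The known-domain list, shortener list and sample links are constructed for
illustration and are not from the page."""
import ipaddress
from urllib.parse import urlparse

KNOWN_DOMAINS = ("contoso.com", "example.com")   # hypothetical legitimate domains
SHORTENERS = ("bit.ly", "t.co", "tinyurl.com")   # services that hide the real destination


def registrable(host):
    """Crude registrable domain: the last two labels (fine for .com-style TLDs)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def one_edit_apart(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def check_link(display_text, href):
    """Return the list of red flags for a link; an empty list means nothing stood out."""
    flags = []
    url = urlparse(href)
    host = (url.hostname or "").rstrip(".")
    if url.scheme == "http":
        flags.append("plain HTTP, no TLS")
    if url.username is not None:
        # https://contoso.com@evil.example/ : everything before '@' is ignored by the browser
        flags.append(f"'@' in the authority: the real host is {host}, not {url.username}")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if host in SHORTENERS:
        flags.append("URL shortener hides the destination")
    # Link text that itself looks like a URL but resolves somewhere else.
    if " " not in display_text.strip():
        shown = urlparse(display_text if "://" in display_text else "https://" + display_text)
        shown_host = shown.hostname or ""
        if "." in shown_host and registrable(shown_host) != registrable(host):
            flags.append(f"text shows {shown_host} but the link goes to {host}")
    # Look-alike domains (contos0.com) and brand names buried in another domain.
    reg = registrable(host)
    for known in KNOWN_DOMAINS:
        if reg == known:
            continue
        if one_edit_apart(reg, known):
            flags.append(f"{host} is one character away from {known}")
        elif known.split(".")[0] in host:
            flags.append(f"{host} embeds the {known} brand name but is not {known}")
    return flags


if __name__ == "__main__":
    # Constructed samples: (what the reader sees, where the link really goes).
    samples = [
        ("https://contoso.com/reset", "https://contoso.com/reset"),
        ("https://contoso.com/reset", "http://contos0.com/reset"),
        ("Verify your account", "https://contoso.com.security-check.net/login"),
        ("https://contoso.com", "https://contoso.com@198.51.100.7/"),
        ("bit.ly/3xyz", "https://bit.ly/3xyz"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}")
        for flag in check_link(text, href) or ["no red flags"]:
            print("   ", flag)
```

The checker is a teaching aid, not a substitute for mail filtering: it cannot tell a freshly registered but correctly spelled domain from a legitimate one, which is exactly why the page's advice is to verify out of band rather than to trust any single signal.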
Social Engineering Techniques (Domain 2 — 33%)
- Social Engineering
- Psychological manipulation exploiting human behavior to gain unauthorized access to systems, data, or physical spaces without needing technical attacks.
- Pretexting
- Attacker creates a fabricated scenario (pretext) and builds a believable backstory to manipulate victims — may occur over multiple interactions via phone, email, or in person.
- Baiting
- Enticing victims with something appealing — free USB drives, downloads, or prizes — to trick them into compromising their security.
- Tailgating (piggybacking)
- Physically following an authorized person through a secure door or access point without presenting credentials.
- Phishing vs. Pretexting distinction
- Phishing uses digital messages with urgency and impersonation for a quick strike; pretexting builds a believable backstory across multiple interactions over time.
- Verifying suspicious requests
- Always verify unexpected requests for payments, credentials, or sensitive actions through a SEPARATE, independently known communication channel — never trust the contact info in the suspicious message itself.
Malware and System Threats (Domain 2 — 33%)
- Malware
- Broad category of malicious software — includes viruses, worms, trojans, ransomware, and spyware — designed to damage, disrupt, or gain unauthorized access.
- Ransomware
- A specific type of malware that encrypts a victim's files or locks their system and demands payment for restoration — all ransomware is malware, but not all malware is ransomware.
- Malware infection indicators
- Unexpected system slowdowns, unusual pop-ups, programs launching without user action, unexplained file changes, disabled antivirus software, or unexpected network activity.
- Insider Threat
- Security risk originating from within the organization — includes malicious employees, negligent staff, or compromised accounts. Can be intentional OR accidental.
- Insider threat indicators
- Accessing systems outside normal job duties, downloading large volumes of data, working unusual hours without justification, or expressing dissatisfaction while holding sensitive access.
- Public Wi-Fi risks
- Unsecured public networks expose users to eavesdropping, man-in-the-middle attacks, rogue hotspots, and session hijacking — even password-protected coffee shop Wi-Fi is a shared public network.
- Access Controls (least privilege)
- Limiting access to systems and data to only what is needed for a specific role — business users should request access through proper channels, not self-configure permissions.
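The insider-threat indicators listed above, turned into detection rules over an access log. This is an added example and not code from the page: the log lines, the per-user job scopes, the working-hours schedule and the 1 GiB daily download threshold are all constructed assumptions. It goes slightly beyond the text by showing why the indicators are scored together rather than alone.

```python
"""Added example: the page's insider-threat indicators expressed as detection
rules over a constructed access log.  Role scopes, thresholds and the log lines
are assumptions made up for illustration, not taken from the page."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp,user,action,resource,bytes (2024-03-04 is a Monday).
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,read,/finance/q1-report.xlsx,20480
2024-03-04T14:03:00,alice,read,/finance/budget.xlsx,40960
2024-03-04T23:41:00,bob,download,/finance/customer-list.csv,734003200
2024-03-04T23:55:00,bob,download,/finance/vendor-contracts.zip,1572864000
2024-03-05T10:20:00,carol,read,/hr/onboarding.docx,10240
2024-03-05T02:15:00,carol,read,/hr/policies.pdf,5120
"""

# Hypothetical job scopes: the path prefixes each user's role legitimately needs.
ROLE_SCOPE = {"alice": ("/finance/",), "bob": ("/engineering/",), "carol": ("/hr/",)}
WORK_HOURS = range(8, 18)          # 08:00-17:59, Monday to Friday (assumed schedule)
BULK_BYTES_PER_DAY = 1024 ** 3     # 1 GiB downloaded per user per day (assumed threshold)


def parse_line(line):
    ts, user, action, resource, size = line.split(",")
    return datetime.fromisoformat(ts), user, action, resource, int(size)


def is_off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in WORK_HOURS


def find_indicators(log_text):
    """Map each user to the indicators raised by their activity.

    Three rules mirror the page's list: access outside the job's scope,
    activity at unusual hours, and bulk downloads.  Each is weak on its own
    (carol's 02:15 read may just be a time-zone quirk); several firing on the
    same user, as with bob, is what an analyst should look at."""
    findings = defaultdict(list)
    downloaded = defaultdict(int)   # (user, date) -> bytes downloaded so far
    bulk_flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, size = parse_line(line)
        when = ts.strftime("%Y-%m-%d %H:%M")
        # Unknown users have an empty scope, so everything they touch is out of scope.
        if not resource.startswith(ROLE_SCOPE.get(user, ())):
            findings[user].append(f"{when} outside job scope: {resource}")
        if is_off_hours(ts):
            findings[user].append(f"{when} off-hours {action}: {resource}")
        if action == "download":
            key = (user, ts.date())
            downloaded[key] += size
            if downloaded[key] >= BULK_BYTES_PER_DAY and key not in bulk_flagged:
                bulk_flagged.add(key)
                findings[user].append(
                    f"{when} bulk download: {downloaded[key] / 1024 ** 2:.0f} MiB today")
    return dict(findings)


if __name__ == "__main__":
    for user, hits in find_indicators(SAMPLE_LOG).items():
        print(f"{user}: {len(hits)} indicator(s)")
        for hit in hits:
            print("   ", hit)
```

In practice the scope table would come from the identity system and the thresholds from a baseline of each user's normal behaviour; the structure of the rules, and the need to correlate them before escalating, stays the same.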
Authentication and Account Security (Domain 1 — 27%)
- Multifactor Authentication (MFA)
- Requiring two or more verification factors of different types to access an account — a stolen password alone is not enough to log in. Weaker second factors (SMS codes, push approvals) can still be phished in real time or "fatigued" into approval, so phishing-resistant factors such as FIDO2 security keys are preferred where available.
- MFA factor types
- Something you KNOW (password, PIN), something you HAVE (phone, hardware token), something you ARE (fingerprint, facial scan, retina). Two factors of the same type (a password plus a PIN) are not MFA; the factors must come from different categories.
- Password Managers
- Tools that generate strong unique passwords, securely store credentials, and auto-fill login forms — eliminate password reuse and remove the need to remember or write down passwords.
- Strong password alone is NOT enough
- The exam consistently positions MFA as essential even when a strong password is already in use — MFA is always the correct additional control.
- Software updates and patches
- Vendor-released updates that fix known security vulnerabilities — delaying patches leaves systems exposed to actively exploited weaknesses; apply promptly.
Data Classification and Sensitivity Labels (Domain 3 — 28%)
- Public
- Data approved for external sharing with anyone — poses no risk to the organization if disclosed. Examples: press releases, published marketing materials.
- Internal
- Data intended for employees only — not sensitive but not for external distribution. Examples: internal memos, general company announcements.
- Confidential
- Data restricted to specific teams or roles due to sensitivity — unauthorized disclosure could cause organizational or personal harm. Examples: customer records, financial data.
- Highly Confidential
- Strictest classification — need-to-know access only. Examples: executive strategy documents, M&A plans, PII combined with financial data.
- Sensitivity Labels (user responsibility)
- Labels are applied by USERS based on content sensitivity — the exam tests YOUR responsibility to classify documents correctly, not the system doing it automatically.
- Rights Management
- Technical controls that enforce restrictions on what users can DO with protected content — prevents copying, printing, forwarding, or editing sensitive documents.
- Sensitivity Labels vs. Rights Management
- Labels CLASSIFY data and communicate handling requirements; Rights Management ENFORCES restrictions on actions. Labels tell you what it is; Rights Management controls what you can do.
Data Handling and Protection Practices (Domain 3 — 28%)
- Data lifecycle phases
- Collect → Use → Transfer → Store → Retain → Destroy — each phase has specific handling obligations under organizational policy.
- Proper data destruction
- Simply deleting a file is NOT sufficient destruction — deletion only removes the directory entry, and the data stays recoverable until overwritten. Proper destruction ensures data cannot be recovered, per organizational procedures (e.g., secure wipe, shredding, degaussing). Degaussing only works on magnetic media; SSDs and flash drives need the vendor's secure-erase/cryptographic-erase command or physical destruction.
- Data backup best practice
- Backups must be stored in a SEPARATE location from the primary data — backing up to the same device offers no protection against device failure or ransomware. Ransomware also encrypts any backup it can reach over the network (mapped drives, always-connected external disks), so at least one copy should be offline or immutable and restores should be tested.
- AI tool data risks
- Never share confidential business data, customer PII, financial records, trade secrets, or internal strategy with public AI tools — they may store, train on, or expose submitted data.
- Remote work security
- Use VPN on public networks, enable screen lock, position screen to prevent shoulder surfing, avoid leaving devices unattended, and keep software updated.
- Clean desk policy
- Lock your computer when stepping away, secure physical documents, avoid leaving sensitive materials visible — prevents unauthorized physical access to information.
- Data retention policy
- Organizational rules specifying how long data must be kept and when it must be destroyed — employees must report data that exceeds retention periods rather than self-deleting.
Incident Reporting and Response (Domain 4 — 12%)
- Always report phishing attempts
- Report phishing EVEN IF you did not click the link — the security team needs to protect other employees and assess organizational exposure.
- Always report lost or stolen devices
- A lost encrypted, password-protected device MUST still be reported immediately — IT needs to remotely wipe it, revoke access, and assess potential data exposure.
- Incident report contents
- Date and time of the incident, type of incident (phishing, lost device, unauthorized access), affected data or systems, actions already taken, and any evidence preserved.
- Correct reporting channels
- IT help desk, dedicated incident reporting form, or the security team — use your organization's designated channel, never personal email or social media.
- Ransomware response sequence
- 1. Disconnect the device from the NETWORK (unplug Ethernet, turn off Wi-Fi). 2. Notify IT immediately. Do NOT pay the ransom, do NOT power off the computer (running processes, memory contents, and active network connections are volatile evidence that a shutdown erases), and do NOT attempt self-remediation.
- Disconnect vs. power off during incident
- Remove the device from the NETWORK to stop spread — do NOT power it off, since memory contents and running processes are volatile evidence the investigation needs and a shutdown erases them.
- Business user incident role
- Report, disconnect affected device from network, preserve evidence, and follow organizational procedures — do NOT investigate, fix, track the attacker, or pay ransom without authorization.
- Escalation path
- Escalation means following the organization's defined path (help desk → security team → management) — not going over a manager's head.
Exam Mindset: Business User vs. IT Admin
- The golden rule
- The SC-730 asks what a NON-TECHNICAL BUSINESS USER should do — the correct answer is almost always 'report to IT' or 'follow organizational procedures,' NOT 'troubleshoot it yourself.'
- SC-730 vs. SC-900
- SC-730 is vendor-agnostic, targets non-technical professionals, and asks what a business user should do. SC-900 is Microsoft-specific, targets IT professionals, and tests what the technology does.
- Access requests (business user answer)
- When you need access to a system or data you do not have: request access through proper channels — do NOT configure or grant access yourself.
- When systems fail (business user answer)
- Contact IT or follow organizational recovery procedures — do NOT troubleshoot, reinstall software, or attempt to fix the issue independently.
- Passing score
- 700 out of 1000 (scaled score). 58 questions in 60 minutes of actual exam time. No penalty for wrong answers — always answer every question.