Cybersecurity Architecture &
Engineering Exam | 100% Correctly
Answered and Graded A+ | 2025/2026
Guide
A U.S. government agency has contracted a risk auditor to conduct a risk
assessment. Which of the following frameworks should the auditor use?
A - ISO 31000
B - COBIT
C - NIST RMF
D - COSO
-Correct Answer- C - NIST RMF (Risk Management Framework)
The National Institute of Standards and Technology Risk Management
Framework (NIST RMF, published as NIST SP 800-37) defines the process that
U.S. federal agencies are required, under FISMA, to follow when they
categorize systems and select, implement, assess, authorize and monitor
controls to manage cybersecurity risk.
ISO 31000 is the International Organization for Standardization's general
risk management standard. ISO is one of the world's largest developers of
standards, and many international organizations have adopted ISO standards
to establish a common taxonomy across diverse industries, but ISO 31000 is
not mandated for U.S. federal agencies.
The Control Objectives for Information and Related Technologies (COBIT)
is a framework created and maintained by the Information Systems Audit and
Control Association (ISACA). COBIT frames IT risk from a business
leadership and governance viewpoint.
The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) is an initiative of five private-sector organizations collaborating on
the development of enterprise risk management and internal control
frameworks.
What are the two major components of risk? Select 2 answers.
A - Impact
B - Exploitability
C - Integrity
D - Likelihood
-Correct Answer- A & D - Impact & Likelihood
Impact is the severity of the consequences if the risk is realized. Determining
factors include the scope of the event, the value of the affected asset, and
the financial loss the event would cause.
Likelihood is the probability that a given threat will occur or will
successfully exploit a vulnerability. Risk is commonly expressed as the
combination of these two factors (likelihood multiplied by impact).
Exploitability is a factor, though not one of the two main components. It is
one of the sub-scores, alongside impact, that are combined to produce a
Common Vulnerability Scoring System (CVSS) base score.
Integrity is likewise not one of the main components of risk, although it does
appear in CVSS: the integrity metric describes the degree to which
information could be altered if an attacker successfully exploited the
vulnerability.
A consultant for various IT services wants to draft a document that explains
basic responsibilities but has concerns that companies will try to fight about
additional changes in the project. Therefore, the consultant wants to draft a
document to set expectations and keep companies from trying to get more
services than they paid for in the agreement. Which would best fit this
situation?
A - MOU
B - NDA
C - MSA
D - ISA
-Correct Answer- A - MOU (Memorandum of Understanding)
Widely considered non-binding, or at least difficult to enforce in court, a
Memorandum of Understanding (MOU) serves as a formal means to define
each party's roles, responsibilities and expectations.
Non-disclosure agreements (NDAs) are agreements between entities that
define how confidential information shared between them may be used and
disclosed.
Master service agreements (MSAs) are typically "umbrella" contracts that
establish the general terms under which two entities will conduct business
during a defined term, with individual pieces of work defined separately.
An interconnection security agreement (ISA) is made between two entities
whose systems need to exchange data over an interconnection; it documents
the security requirements and responsibilities for that connection.
A systems administrator receives a litigation hold for HIPAA data that is
older than four years. How should the administrator respond?
A - Inform the litigators that data is only kept for 4 years due to HIPAA
compliance
B - Release the information requested
C - Deny the request since HIPAA data cannot be shared
D - Consult with the company attorney
-Correct Answer- D - Consult with the company attorney
Systems administrators should consult with company attorneys and
management on how to proceed before providing any data to anyone. A
litigation hold also suspends the normal retention schedule, so data subject
to the hold must be preserved even if it would otherwise be due for deletion.
HIPAA requires covered entities to retain required documentation (policies,
procedures and related records) for six years (45 CFR 164.316); retention
periods for the records themselves are set by state law and organizational
policy. Replying that data is kept for only four years would misstate the
retention requirement and would likely put the company in a poor position
during the court proceeding, regardless of how the hold itself was handled.
The systems administrator should not immediately release the information,
since HIPAA permits disclosure of protected health information in judicial
proceedings only under specific conditions. Attorneys are able to provide
specific guidance in this regard.
Denying the request without first consulting attorneys is also not advisable,
as the litigation hold may already have taken into account that the data is
covered by HIPAA and established a lawful basis for its release.
An IT consultant is starting to travel abroad but has concerns about being
able to VPN back home to access a private home network. The consultant
would like to be able to watch the latest TV shows previously recorded
digitally while traveling. What should the consultant research?
A - National export controls
B - Encryption laws
C - Wassenaar arrangement
D - e-Discovery