COMPLETE QUESTIONS AND CORRECT ANSWERS WITH RATIONALES
Question 1
Based on the "Independent Security Report" for SAGE Books, the company collects data
from customers in the European Union but lacks specific protection measures. Which
regulation is SAGE Books primarily at risk of violating regarding these customers?
A) HIPAA (Health Insurance Portability and Accountability Act)
B) FISMA (Federal Information Security Management Act)
C) GDPR (General Data Protection Regulation)
D) SOX (Sarbanes-Oxley Act)
E) FERPA (Family Educational Rights and Privacy Act)
Correct Answer: C) GDPR (General Data Protection Regulation)
Rationale: The General Data Protection Regulation (GDPR) is the primary law regulating how
companies protect the personal data of citizens located within the EU. The scenario explicitly
mentions customers in the European Union and a lack of specific measures to protect the
collection, storage, and use of their data. HIPAA applies to healthcare, FISMA to US federal
agencies, SOX to financial reporting, and FERPA to education records.
Question 2
SAGE Books processes credit card payments but currently lacks documentation
confirming adherence to industry security standards. Which specific framework must
SAGE Books align with to secure these transaction environments?
A) NIST SP 800-53
B) ISO 27001
C) PCI DSS (Payment Card Industry Data Security Standard)
D) COBIT 5
E) ITIL v4
Correct Answer: C) PCI DSS (Payment Card Industry Data Security Standard)
Rationale: The Payment Card Industry Data Security Standard (PCI DSS) is the global standard
mandated by card brands (Visa, MasterCard, etc.) for any organization that stores, processes, or
transmits cardholder data. The case study notes the absence of documentation stating they are
following these standards. While NIST and ISO are robust security frameworks, PCI DSS is the
specific requirement for payment card data.
Question 3
The assessment identifies that SAGE Books has a security team that meets operational
goals but lacks a sufficient Governance, Risk, and Compliance (GRC) team. What is the
most immediate strategic risk caused by this specific staffing gap?
A) Inability to configure firewalls correctly
B) Slower network speeds due to unmanaged traffic
C) Immediate failure of all server backups
D) Lapses in regulatory compliance leading to lawsuits and sanctions
E) Lack of technical support for desktop users
Correct Answer: D) Lapses in regulatory compliance leading to lawsuits and sanctions
Rationale: Operational teams handle day-to-day technical tasks (firewalls, patching), but a GRC
team is responsible for ensuring the organization aligns with laws, regulations, and internal
policies. The case study explicitly links the lack of a GRC team to potential non-compliance with
GDPR, FISMA, or PCI DSS, which directly leads to legal and financial liabilities (lawsuits and
sanctions).
Question 4
According to the SAGE Books report, the current cybersecurity awareness program is
described as "Ad Hoc." What does this maturity level imply about the training?
A) It is continuous and fully automated.
B) It is strictly defined and metrics are gathered monthly.
C) It occurs only on an "as needed" basis without a formal schedule.
D) It is optimized and integrated into daily workflows.
E) It is managed centrally by a third-party vendor.
Correct Answer: C) It occurs only on an "as needed" basis without a formal schedule.
Rationale: In capability maturity models, "Ad Hoc" refers to a process that is chaotic,
disorganized, or reactive. The report defines the training as being on an "as needed basis." This is
the opposite of a managed, defined, or optimized process, meaning training only happens when a
problem arises or someone remembers to do it, rather than being a systematic requirement.
Question 5
To mitigate gaps in the Incident Response Plan (IRP), the report suggests aligning the plan
with which specific publication?
A) NIST SP 800-61 Revision 2
B) NIST SP 800-37
C) FIPS 140-2
D) ISO 31000
E) OWASP Top 10
Correct Answer: A) NIST SP 800-61 Revision 2
Rationale: NIST Special Publication (SP) 800-61 Revision 2 is the "Computer Security Incident
Handling Guide." It provides instructions for organizing a computer security incident response
capability (CSIRC) and handling incidents. The case study explicitly recommends aligning the
IRP with this document to enhance response capabilities. NIST SP 800-37 describes the Risk
Management Framework (RMF), and FIPS 140-2 sets security requirements for cryptographic modules.
Question 6
SAGE Books lacks a Business Continuity Plan (BCP). Why is this considered a high risk
specifically regarding the location of their distribution centers?
A) The centers are located in areas with high crime rates.
B) The centers are at a higher risk of natural disaster interruptions.
C) The centers rely on outdated legacy hardware.
D) The centers are located in countries with strict censorship laws.
E) The centers are not connected to the internet.
Correct Answer: B) The centers are at a higher risk of natural disaster interruptions.
Rationale: A Business Continuity Plan (BCP) focuses on keeping business operations running
during a disruption. The report highlights that SAGE's distribution centers are geographically
located in areas prone to natural disasters. Without a BCP, a natural disaster could indefinitely
halt operations, whereas a BCP would outline recovery procedures to restore operational
capability.
Question 7
The report indicates that SAGE Books lacks a specific policy outlining "Acceptable Use."
What is the primary function of an Acceptable Use Policy (AUP)?
A) To define how to encrypt database passwords.
B) To outline the technical specifications of the firewall.
C) To establish rules for how employees may use company assets and networks.
D) To list the penalties for failing a phishing simulation.
E) To provide a disaster recovery contact list.
Correct Answer: C) To establish rules for how employees may use company assets and networks.
Rationale: An Acceptable Use Policy (AUP) is a management document that stipulates what is
and is not allowed behavior for users accessing corporate systems (e.g., forbidding illegal
downloads, restricting personal email use on company time). The report lists the absence of this
policy as a major gap in securing organizational assets.
Question 8
Only 10% of current SAGE employees and 25% of new hires have taken cybersecurity
training. When updating the training program to meet PCI DSS Requirement 12.6, what is
the required frequency for general security awareness training?
A) Once every 5 years.
B) Only upon hiring.
C) Upon hire and at least annually.
D) Monthly.
E) Only after a security incident occurs.
Correct Answer: C) Upon hire and at least annually.
Rationale: PCI DSS Requirement 12.6 mandates that organizations implement a formal security
awareness program to make all personnel aware of the cardholder data security policy and
procedures. This standard specifically requires that personnel be trained upon hire and at least
annually thereafter to ensure knowledge remains current.
Question 9
Which lifecycle phase of the NIST SP 800-61 Incident Response framework focuses on
establishing the incident response team and acquiring necessary tools prior to an attack?
A) Detection and Analysis
B) Preparation
C) Containment, Eradication, and Recovery
D) Post-Incident Activity
E) Risk Assessment
Correct Answer: B) Preparation
Rationale: The "Preparation" phase is the first phase of the NIST IR lifecycle. It involves
establishing the incident response capability, creating policies, training the team, and acquiring
the necessary hardware/software tools to handle incidents before they occur. The SAGE report
highlights a lack of clear roles, which falls under the Preparation phase gap.
Question 10
SAGE Books is advised to create a policy specifically for "Mobile Device Security." Which
of the following risks does this policy primarily address?
A) SQL Injection attacks on the web server.
B) Unsecured storage of data on employee smartphones and tablets (BYOD).
C) Improper disposal of paper documents.
D) Lack of firewall rules in the data center.
E) Inefficient coding practices by developers.
Correct Answer: B) Unsecured storage of data on employee smartphones and tablets (BYOD).
Rationale: Mobile device policies (often associated with BYOD - Bring Your Own Device)
address risks specific to portable devices, such as lost or stolen devices, connections to unsecured
public Wi-Fi, and the commingling of personal and corporate data. The report notes that SAGE lacks
this policy (written as "poly" in the report), leaving mobile endpoints vulnerable.
Question 11
The report states SAGE Books puts "information assets at risk" due to an inadequate IRP.
In the context of the CIA Triad, which element is most compromised if an incident causes a
prolonged outage of services?
A) Confidentiality