WGU D489 Cybersecurity Management Final Exam 2025/2026 – Latest Questions & Answers | Grade A+ | 100% Correct (Verified Solutions)
Question 1
In the context of cybersecurity governance, which of the following is the primary responsibility
of the Board of Directors?
A) Installing and configuring the organizational firewalls.
B) Monitoring daily security logs for suspicious activity.
C) Defining the organization's risk appetite and ensuring security strategy aligns with business
goals.
D) Conducting deep-dive forensic analysis after a data breach.
E) Writing the specific code for data encryption modules.
Correct Answer: C) Defining the organization's risk appetite and ensuring security strategy
aligns with business goals.
Rationale: Governance is the high-level oversight of an organization’s security posture.
While the IT and security teams handle operations, the Board is responsible for the
strategic direction, ensuring that security investments are justified and that the
organization's risk tolerance is clearly defined to guide management decisions.
Question 2
Which function of the NIST Cybersecurity Framework (CSF) is focused on "developing and
implementing the appropriate activities to identify the occurrence of a cybersecurity event"?
A) Identify
B) Protect
C) Detect
D) Respond
E) Recover
Correct Answer: C) Detect
Rationale: The Detect function is specifically designed to ensure that an organization has
the visibility and monitoring capabilities necessary to recognize a security event in a timely
manner. This includes categories such as Anomalies and Events, Security Continuous
Monitoring, and Detection Processes.
Question 3
Under PCI DSS Requirement 1, what is the primary purpose of maintaining a firewall and router
configuration?
A) To speed up the internet connection for employees.
B) To protect cardholder data by controlling traffic entering and leaving the network.
C) To allow all incoming traffic to ensure maximum business uptime.
D) To track the physical location of the company's servers.
E) To monitor the electricity usage of the data center.
Correct Answer: B) To protect cardholder data by controlling traffic entering and leaving
the network.
Rationale: Requirement 1 of PCI DSS focuses on establishing a "demilitarized zone" (DMZ)
and internal firewalls to ensure that the Cardholder Data Environment (CDE) is isolated
from untrusted networks and that only necessary traffic is allowed through.
Question 4
When performing a Business Impact Analysis (BIA), what does the "Recovery Time Objective"
(RTO) represent?
A) The maximum age of data that must be recovered from backups.
B) The total cost of the hardware needed for recovery.
C) The maximum tolerable duration of time a business process can be down after a disruption.
D) The number of employees required to restart a server.
E) The distance between the primary data center and the backup site.
Correct Answer: C) The maximum tolerable duration of time a business process can be
down after a disruption.
Rationale: RTO is a time-based metric that helps management understand how quickly a
system must be restored to avoid unacceptable consequences to the business. It differs from
RPO, which focuses on data loss and backup frequency.
Question 5
According to the GDPR, what is the maximum timeframe for an organization to report a personal
data breach to a supervisory authority after becoming aware of it?
A) 24 hours
B) 48 hours
C) 72 hours
D) 7 days
E) 30 days
Correct Answer: C) 72 hours
Rationale: Article 33 of the GDPR requires that data controllers notify the relevant
supervisory authority within 72 hours of becoming aware of a breach, unless the breach is
unlikely to result in a risk to the rights and freedoms of natural persons.
Question 6
Which NIST special publication provides the standard guide for "Conducting Risk
Assessments"?
A) NIST SP 800-53
B) NIST SP 800-37
C) NIST SP 800-30
D) NIST SP 800-18
E) NIST SP 800-61
Correct Answer: C) NIST SP 800-30
Rationale: NIST SP 800-30 Rev. 1 is the definitive guide for conducting risk assessments for
federal information systems and organizations. It outlines a four-step process: prepare for
assessment, conduct assessment, communicate results, and maintain the assessment.
Question 7
A "Security Steering Committee" typically includes representatives from which departments?
A) Only the IT and Security departments.
B) IT, Legal, Human Resources, Finance, and Business Operations.
C) Only the Executive Leadership and the CEO.
D) External auditors and government regulators only.
E) The Physical Security team and Janitorial services.
Correct Answer: B) IT, Legal, Human Resources, Finance, and Business Operations.
Rationale: For cybersecurity management to be effective, it must be cross-functional. A
Steering Committee ensures that security policies and projects have the support of all
major business units and that security initiatives do not conflict with legal or operational
requirements.
Question 8
In the context of risk response, what does "Risk Transference" involve?
A) Implementing a firewall to stop attacks.
B) Deleting all sensitive data to eliminate the risk.
C) Purchasing a cyber insurance policy to shift the financial impact of a breach to a third party.
D) Accepting that the risk is part of doing business and doing nothing.
E) Moving the servers to a different physical building.
Correct Answer: C) Purchasing a cyber insurance policy to shift the financial impact of a
breach to a third party.
Rationale: Transference involves sharing or moving the risk to another entity. While it does
not eliminate the technical risk, it mitigates the financial and sometimes the operational
burden in the event of an incident.
Question 9
Which of the following is considered an "Administrative Control"?
A) An Intrusion Detection System (IDS).
B) Data encryption at rest using AES-256.
C) An Employee Termination Procedure that includes immediate revocation of access.
D) A biometric thumbprint scanner on a door.
E) A web application firewall (WAF).
Correct Answer: C) An Employee Termination Procedure that includes immediate
revocation of access.
Rationale: Administrative (or managerial) controls are policies, procedures, and guidelines.
They govern human behavior and organizational processes, whereas technical controls use
software/hardware and physical controls use tangible barriers.
Question 10
In NIST SP 800-53, what is the purpose of the "Least Privilege" control?
A) To make sure the CEO has access to everything.
B) To ensure users are only granted the access rights necessary to perform their specific job
functions.
C) To limit the number of hours an employee can work per day.
D) To ensure that all employees use the same password for simplicity.
E) To prevent employees from talking to each other about security.
Correct Answer: B) To ensure users are only granted the access rights necessary to perform
their specific job functions.
Rationale: The principle of least privilege (PoLP) minimizes the "attack surface." If a user's
account is compromised, the attacker only gains access to the limited resources that the
user was authorized to use, preventing lateral movement through the network.
Question 11
What is the primary difference between a "Policy" and a "Procedure" in a Cybersecurity
Management Plan?
A) A policy is optional, while a procedure is mandatory.
B) A policy is a high-level statement of management's intent, while a procedure provides step-by-step instructions.
C) A policy is written by the IT staff, and a procedure is written by the CEO.
D) A policy describes software settings, and a procedure describes hardware parts.
E) There is no difference; the terms are interchangeable.
Correct Answer: B) A policy is a high-level statement of management's intent, while a
procedure provides step-by-step instructions.
Rationale: Policies set the "rules of the house" and provide the authority for security
actions. Procedures are the operational "how-to" documents that ensure those rules are
followed consistently across the organization.