WGU D488 Cybersecurity Architecture & Engineering
Actual Final Exam Test Bank 2026/2027 | Verified Questions and Solutions | Aligned to WGU Competencies | Grade A Target | Pass Guaranteed
SECTION 1 – Foundational Security Principles & Governance (15 Q)
Q1. A global e-commerce firm must comply with both GDPR and PCI-DSS. The board asks the
security-architecture team to classify all cardholder data (CHD) and EU personal data within a
single data map. Which principle from the CIA triad is MOST strengthened by this unified
classification exercise?
A. Availability through redundant storage of data
B. Integrity via SHA-256 hashing of CHD
C. Confidentiality by enabling tiered access controls proportional to data sensitivity [CORRECT]
D. Non-repudiation through public-key certificates
Correct Answer: C
Rationale: A unified data map lets architects label data sets (e.g., "Restricted" for CHD,
"High" for GDPR special-category data) and apply confidentiality controls commensurate with
each label (encryption, ACLs, tokenisation). Option A addresses availability, which is not the
primary outcome of classification. Option B protects integrity but does not follow from
classification itself. Option D is irrelevant: non-repudiation is not an element of the CIA triad.
Q2. While drafting an ISO 27001 Statement of Applicability (SoA), the CISO discovers that
control A.8.1.3 (Acceptable Use Policies) is deemed not applicable because all users are
contractors covered under separate MSA clauses. What MUST be true for this exclusion to pass
the Stage 1 audit?
A. Risk assessment shows no unacceptable risk and justification is documented [CORRECT]
B. The MSA is signed by the CTO
C. A compensating technical control is implemented
D. The exclusion is less than 5 % of the total controls
Correct Answer: A
Rationale: ISO 27001:2022 clause 6.1.3(d) requires that every excluded control be justified
through risk assessment and that the residual risk be acceptable. Option B is insufficient; the
signatory's level does not satisfy ISO. Option C is optional: compensating controls are required
only if the risk is unacceptable. Option D is fictional; no percentage threshold exists.
Q3. A hospital expanding into tele-health must choose a control-framework alignment that
satisfies HIPAA Security Rule, allows mapping to NIST CSF, and is recognised by HHS. Which
approach BEST meets those criteria?
A. Adopt COBIT 2019 exclusively
B. Implement NIST SP 800-53 Rev 5 moderate baseline and cross-walk to CSF [CORRECT]
C. Use PCI-DSS v4.0 and augment with ISO 27017
D. Deploy CIS Critical Security Controls v8 and self-certify
Correct Answer: B
Rationale: NIST SP 800-53 is explicitly referenced in HIPAA Security Rule guidance, and HHS
provides a mapping to the NIST CSF. COBIT (A) is governance-heavy and not HIPAA-specific.
PCI-DSS (C) is for payment data. CIS (D) is operational but is not a compliance vehicle
acceptable to HIPAA auditors.
Q4. A start-up processing EU employee biometric data for physical access establishes a DPIA.
Which GDPR article mandates this control?
A. Art. 5 (Principles)
B. Art. 25 (Data-protection by design)
C. Art. 35 (DPIA requirement) [CORRECT]
D. Art. 46 (Transfers)
Correct Answer: C
Rationale: Article 35 compels DPIA where processing is “likely to result in high risk,” including
systematic biometric monitoring. Other articles set broader principles but not the DPIA trigger.
Q5. (Diagram question – textual description) A table lists five data types: “Public Web Content,”
“Internal Memos,” “Customer PII,” “CHD,” and “Source Code.” The architecture team assigns
labels 0–4 under a NIST SP 800-60 impact schema. Which assignment is INCORRECT?
A. Public Web Content = 0 (Low)
B. Customer PII = 3 (High confidentiality)
C. Source Code = 2 (Moderate confidentiality / Low integrity) [CORRECT – integrity should be High]
D. CHD = 4 (Very High confidentiality)
Correct Answer: C
Rationale: Loss of source code threatens intellectual property (confidentiality), but it also carries
an integrity risk (e.g., a malicious commit). Assigning "Low integrity" understates the impact
and violates 800-60 mapping guidance for critical system components.
Q6. Under the NIST Risk Management Framework, at which step is the System Security Plan
(SSP) baseline formally approved by the Authorizing Official?
A. Step 2 – Select Controls
B. Step 3 – Implement Controls
C. Step 4 – Assess Controls
D. Step 5 – Authorize [CORRECT]
Correct Answer: D
Rationale: The authorization decision (Step 5) includes acceptance of the SSP and the POA&M.
Earlier steps develop the plan but do not approve it.
Q7. A publicly traded US retailer must file annual certification that its cyber-risk controls are
effective. Which regulation imposes this requirement?
A. SOX §404 (management assessment) [CORRECT]
B. GLBA Safeguards Rule
C. CCPA
D. FISMA
Correct Answer: A
Rationale: SOX §404 requires management to attest to the effectiveness of internal controls over
financial reporting, and SEC guidance includes within that scope the cyber controls that are
material to the financial statements. GLBA (B) applies to financial institutions. CCPA (C) is
privacy only. FISMA (D) covers federal agencies.
Q8. A company adopts COBIT 2019 for governance. Which design-factor most influences
whether “APO01 – Manage IT Management Framework” is cascaded to subordinates?
A. Enterprise strategy alignment [CORRECT]
B. Threat landscape volatility
C. Cloud service model (IaaS vs SaaS)
D. Regulatory compliance cost
Correct Answer: A
Rationale: The COBIT 2019 design-factor matrix shows that enterprise strategy drives the need
for consistent management frameworks across business units. The other factors are secondary.
Q9. (Multi-part scenario) A FinTech startup plans to offer a crypto-currency wallet in the EU and
US.
Part 1: Which regulatory requirement obliges the firm to implement KYC/AML controls
BEFORE onboarding users?
A. GDPR
B. EU 5th AML Directive [CORRECT]
C. eIDAS
D. CCPA
Correct Answer: B
Rationale: 5AMLD brings crypto-wallet providers into scope as regulated entities, which
mandates KYC. GDPR (A) is privacy law; eIDAS (C) governs electronic identity; CCPA (D) is
California privacy law.
Part 2: To reconcile AML data-retention (5 years) with GDPR data-minimisation, the
architecture team should embed which control into the system design?
A. Tokenisation of wallet keys
B. Purpose limitation & time-based deletion policy [CORRECT]
C. Pseudonymisation by hashing passport numbers irreversibly