WGU D426 V2 Exam | Complete Exam
Questions and CORRECT Answers
PLUS RATIONALES (2026 update)
Assured success
1. What is the primary objective of risk management in cybersecurity?
A. Eliminate all risks
B. Accept all risks
C. Reduce risk to an acceptable level
D. Transfer all risks to vendors
Answer: C
Rationale: Risk management seeks to identify, analyze, and mitigate risks to an acceptable level
aligned with organizational goals.
2. Which framework provides a risk-based approach to cybersecurity?
A. ISO 9001
B. COBIT
C. NIST CSF
D. ITIL
Answer: C
Rationale: The NIST Cybersecurity Framework uses risk-based prioritization to guide security
decisions.
3. A residual risk is best described as:
A. The total risk before mitigation
B. The risk an organization decides to accept
C. Risk transferred to insurance
D. Risk that no longer exists
Answer: B
Rationale: Residual risk remains after security controls are applied and is what the organization
accepts.
4. Which policy defines acceptable use of corporate systems?
A. DRP
B. AUP
C. SLA
D. NDA
Answer: B
Rationale: Acceptable Use Policy (AUP) outlines what users are permitted and prohibited from
doing.
5. Which analysis technique quantifies risk in monetary terms?
A. Qualitative
B. Quantitative
C. Heuristic
D. Benchmarking
Answer: B
Rationale: Quantitative risk analysis expresses risk numerically, usually in monetary terms, using values such as single loss expectancy (SLE), annualized rate of occurrence (ARO), and annualized loss expectancy (ALE = SLE x ARO). Qualitative analysis instead uses ordinal ratings such as high, medium, and low.
6. Separation of duties helps prevent:
A. Malware infections
B. Insider fraud
C. DDoS attacks
D. Phishing
Answer: B
Rationale: Separation of duties reduces the ability of one person to commit fraud undetected.
7. A risk register typically includes:
A. Policies and procedures
B. Identified risks and mitigation plans
C. Job descriptions
D. Legal contracts
Answer: B
Rationale: Risk registers document risks, likelihood, impact, and mitigation.
8. Which governance framework is focused on IT controls?
A. COSO
B. COBIT
C. ADA
D. PCI DSS
Answer: B
Rationale: COBIT aligns IT processes with business goals and controls.
9. GDPR is primarily concerned with:
A. Network uptime
B. Data privacy
C. Software licensing
D. Encryption algorithms
Answer: B
Rationale: GDPR focuses on personal data privacy and protection.
10. Annual security awareness training is an example of:
A. Technical control
B. Physical control
C. Administrative control
D. Detective control
Answer: C
Rationale: Training is an administrative (management) control.
11. Which document outlines how an organization will recover IT systems after a disruption?
A. Incident Response Plan
B. Disaster Recovery Plan
C. Acceptable Use Policy
D. Service Level Agreement
Answer: B
Rationale: A Disaster Recovery Plan (DRP) focuses specifically on restoring IT systems and
infrastructure after a disruption.
12. Which risk response strategy involves shifting risk to another party?
A. Mitigation
B. Acceptance