Comprehensive Study Notes & Final Assessment Review | 2026 Updated
Operational Security (OPSEC) - correct answer A process you use to protect your
information.
Involves not only putting security measures in place but also identifying what exactly
you need to protect and what to protect it against.
OPSEC Process - correct answer
1. Identification of Critical Information
2. Analysis of Threats
3. Analysis of Vulnerabilities
4. Assessment of Risks
5. Application of Countermeasures
OPSEC Process - Identification of Critical Information - correct answer First and most
important step in the OPSEC process is to identify your most critical information assets.
Any given business, individual, military operation, process, or project is bound to have
at least a few critical items of information on which everything else depends.
OPSEC Process - Analysis of Threats - correct answer The second step in the OPSEC
process is to analyze any threats related to the critical information identified in step one.
OPSEC Process - Analysis of Vulnerabilities - correct answer The third step in the
OPSEC process is analyzing the vulnerabilities in the protections you've put in place to
secure your information assets. This is done by looking at how these assets are
interacted with and determining what areas an attacker might target to compromise
them.
OPSEC Process - Assessment of Risks - correct answer The fourth step in the
OPSEC process is to decide what issues need to be addressed in the rest of the
OPSEC process.
OPSEC Process - Application of Countermeasures - correct answer The fifth step in
the OPSEC process, after risks to critical information have been identified, is to put
measures in place to mitigate them. In OPSEC, these are called countermeasures.
Countermeasures must mitigate either the threat or vulnerability at the bare minimum.
This is an iterative process, and an organization will likely need to repeat the cycle more
than once to fully mitigate any issues.
CIA Triad - correct answer Confidentiality, Integrity, Availability:
Essentially the balance between IT Security (Confidentiality and Integrity) and Business
Need (Availability).
CIA Triad - Confidentiality - correct answer Addresses the importance of data security.
Data should not be exposed or accessible to parties other than those who are
authorized to interact with it.
An example of upholding the standards of this principle: Creating authentication,
authorization, and access controls to control who has access to what information, and
how each individual with access can interact with that information.
CIA Triad - Integrity - correct answer This principle mandates that data should not be
tampered with or modified in such a way as to compromise the reliability of the
information.
An example of upholding the standards of this principle: Hashing or encrypting data as
it's in transit or at rest to monitor the information for unauthorized changes or prevent
attackers from accessing the data.
CIA Triad - Availability - correct answer This principle focuses on the need for
businesses to balance the principles of _____________ and _____________, whilst
also allowing authorized parties to access and interact with data.
Information Security (InfoSec) - correct answer
Parkerian Hexad - correct answer A less well-known model named after Donn Parker.
Provides a somewhat more complex variation of the classic CIA triad.
Consists of six principles:
Confidentiality
Integrity
Authenticity
Utility
Possession
Availability
Compensating Controls - correct answer Controls that replace impractical or
unfeasible key controls.
For example: Although regulations may require you to run antivirus tools on all systems,
certain systems might not have sufficient resources to run these utilities without adverse
impacts. In this case, as a compensating control, you might use Linux operating
systems, which are less susceptible to malware.
Steps of Maintaining Compliance - correct answer
1. Monitoring
2. Reviewing
3. Documenting
4. Reporting
Maintaining Compliance - Monitoring - correct answer You must monitor your controls
(and the data produced by or related to them) on an ongoing basis to determine
whether they effectively mitigate or reduce risk.
In the information security world, no news often just means no good news. Since your
environment and technology might change, it's important to check that your controls,
especially your key controls, continue to play their intended role. Without such
monitoring, your controls quickly stop being useful, possibly without your knowledge.
Maintaining Compliance - Reviewing - correct answer Controls need to undergo a
periodic review to determine whether they're still effective and meet the objectives for
managing risk in your particular environment.
As old risks evolve and new risks arise, you'll need to make sure your controls still cover
these risks appropriately, determine whether you need any new controls, or decide
whether you should retire old controls.
Maintaining Compliance - Documenting - correct answer You should document the
results of your reviews and carefully track any changes to a control's environment.
Documentation helps you evaluate trends and maybe even predict future control
changes, which can allow you to forecast the resources you'll need later.
Maintaining Compliance - Reporting - correct answer After monitoring, reviewing, and
documenting the state of your controls, you must report the results to your leadership.
This not only keeps them aware of the state of your controls and enables them to make
informed decisions for the organization but also provides you with a means of
requesting the staff and resources you need for these efforts.
Federal Information Security Management Act (FISMA) - correct answer Established in
2002, this act applies to all US federal government agencies, all state agencies that
administer federal programs (such as Medicare), and all private companies that support,
sell to, or receive grant money from the federal government.