Cybersecurity Architecture and Engineering
(KFO1/D488)
Complete Exam Study Guide
2026 Edition
About This Resource
This comprehensive study guide contains 200 verified questions and detailed
rationales covering all major content areas for the WGU KFO1/D488 Cybersecurity
Architecture and Engineering exam. This course focuses on designing, implementing,
and managing security architectures, security engineering principles, and enterprise
security solutions aligned with industry frameworks and best practices.
Course Objectives Covered:
• Security Architecture Design and Implementation
• Security Engineering Principles
• Enterprise Security Solutions
• Risk Management and Compliance
• Security Operations and Monitoring
• Identity and Access Management
• Network Security Architecture
• Cloud Security Engineering
SECTION 1: SECURITY ARCHITECTURE PRINCIPLES AND FRAMEWORKS
*(Questions 1-30)*
1. Which security architecture framework provides a comprehensive approach to
aligning security with business strategy and risk management?
• A) TOGAF
• B) SABSA
• C) Zachman Framework
• D) COBIT
Answer: B) SABSA
Expert Rationale: SABSA (Sherwood Applied Business Security Architecture) is a
business-driven security architecture framework that focuses on aligning security
with business objectives. It provides a comprehensive methodology for developing
security architectures based on risk management.
2. The Open Group Architecture Framework (TOGAF) is primarily used for:
• A) Security-specific architecture only
• B) Enterprise architecture development
• C) Cloud security implementation
• D) Incident response planning
Answer: B) Enterprise architecture development
Expert Rationale: TOGAF is a framework for enterprise architecture that provides
a comprehensive approach to designing, planning, implementing, and governing
enterprise information architecture. It includes security considerations but is not
exclusively security-focused.
3. In the context of security architecture, "defense in depth" refers to:
• A) A single layer of strong security controls
• B) Multiple layers of security controls throughout the IT infrastructure
• C) Physical security only
• D) Perimeter security only
Answer: B) Multiple layers of security controls throughout the IT
infrastructure
Expert Rationale: Defense in depth is a security strategy that employs multiple
layers of security controls throughout the IT infrastructure, including physical,
network, host, application, and data layers. This ensures that if one layer is
compromised, additional layers provide protection.
4. Which security principle states that a system should maintain its security
properties even when operating in a hostile environment?
• A) Defense in depth
• B) Least privilege
• C) Fail-safe defaults
• D) Complete mediation
Answer: D) Complete mediation
Expert Rationale: Complete mediation is a security principle requiring that every
access to a resource be checked against an access control mechanism. The system
must validate all access attempts, even if previously authenticated.
5. The principle of "least privilege" requires that:
• A) Users have full administrative access
• B) Users and processes are granted only the minimum access necessary to perform
their functions
• C) All users have the same access level
• D) Access is granted based on seniority
Answer: B) Users and processes are granted only the minimum access
necessary to perform their functions
Expert Rationale: Least privilege is a fundamental security principle that limits
access rights to the minimum necessary for users, applications, and processes to
perform their authorized functions. This reduces the attack surface and limits
potential damage from compromised accounts.
6. Which NIST SP 800-53 control family addresses security architecture and
engineering?
• A) AC (Access Control)
• B) AU (Audit and Accountability)
• C) SC (System and Communications Protection)
• D) SI (System and Information Integrity)
Answer: C) SC (System and Communications Protection)
Expert Rationale: NIST SP 800-53 SC control family focuses on system and
communications protection, including architectural considerations for boundary
protection, cryptographic mechanisms, and secure communications.
7. The ISO/IEC 27001 standard is primarily concerned with:
• A) Technical security controls
• B) Information Security Management Systems (ISMS)
• C) Network security protocols
• D) Application security testing
Answer: B) Information Security Management Systems (ISMS)
Expert Rationale: ISO/IEC 27001 specifies requirements for establishing,
implementing, maintaining, and continually improving an Information Security
Management System (ISMS). It provides a framework for managing security risks
through policies, procedures, and controls.