Information Security | Practice Exam | Questions and Answers | 2025 Update | 100% Correct
1. A startup is developing a new healthcare application that will store patient data. To ensure
compliance with regulatory requirements and manage risk, they implement a policy requiring a
formal review of all security controls every six months. Which security principle is being directly
enforced by this action?
a) Non-repudiation
b) Due diligence
c) Separation of duties
d) Single point of failure
2. A Chief Information Security Officer (CISO) is presenting the annual budget request to the
board. To justify a new security tool, the CISO explains the potential financial impact of a data
breach if the tool is not purchased. Which risk treatment strategy does purchasing the tool
represent?
a) Risk avoidance
b) Risk acceptance
c) Risk mitigation
d) Risk transference
3. An organization is implementing a new system. The security team requires that no single
individual has the authority to approve and execute a financial transaction over $10,000. Which
security control does this enforce?
a) Mandatory vacation
b) Job rotation
c) Separation of duties
d) Least privilege
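The control in question 3 is easy to state and easy to get wrong in code, so here is an added example (not part of the exam) of how a payment workflow can enforce it: above the threshold, the identity that approved a transaction must differ from the identity that executes it. The threshold value, the identity normalisation rule (case-insensitive, domain suffix stripped) and the sample transactions are all assumptions made for the illustration.

```python
"""Separation-of-duties check for a financial approval workflow (added example)."""
from dataclasses import dataclass
from decimal import Decimal

# Amount above which two distinct people are required (assumed value from the question).
SOD_THRESHOLD = Decimal("10000")


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    amount: Decimal
    approved_by: str   # identity that approved the payment
    executed_by: str   # identity that released/executed the payment


class SeparationOfDutiesViolation(Exception):
    pass


def normalize_identity(user: str) -> str:
    """Compare identities case-insensitively and without a UPN domain suffix,
    so 'Alice' and 'alice@corp.example' resolve to the same person.
    This normalisation rule is an assumption for the example."""
    return user.strip().lower().split("@", 1)[0]


def violates_sod(tx: Transaction) -> bool:
    """True when the amount exceeds the threshold and approver == executor."""
    if tx.amount <= SOD_THRESHOLD:
        return False
    return normalize_identity(tx.approved_by) == normalize_identity(tx.executed_by)


def check_separation_of_duties(tx: Transaction) -> bool:
    """Return True if the transaction may proceed; raise on a violation."""
    if violates_sod(tx):
        raise SeparationOfDutiesViolation(
            f"{tx.tx_id}: {tx.approved_by} both approved and executed "
            f"{tx.amount}, which exceeds {SOD_THRESHOLD}"
        )
    return True


def audit(transactions) -> list:
    """Return the ids of transactions that violate the rule (audit report)."""
    return [tx.tx_id for tx in transactions if violates_sod(tx)]


# Constructed sample data (not real transactions).
SAMPLE = [
    Transaction("TX-1", Decimal("4500"), "alice", "alice"),               # below threshold: allowed
    Transaction("TX-2", Decimal("25000"), "alice", "bob"),                # two people: allowed
    Transaction("TX-3", Decimal("25000"), "Alice@corp.example", "alice"), # same person: violation
]

if __name__ == "__main__":
    print(audit(SAMPLE))  # ['TX-3']
```

The identity normalisation is the part reviewers usually miss: a check that compares raw usernames lets the same person approve as `Alice@corp.example` and execute as `alice`.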
4. Which of the following is the primary purpose of a security framework, such as NIST CSF or
ISO/IEC 27001?
a) To provide a specific set of firewall rules
b) To guarantee that an organization will not suffer a data breach
c) To provide a structured approach to managing cybersecurity risk
d) To replace the need for a security team
Domain 2: Identity and Access Management (IAM)
5. A user logs into a corporate laptop using a smart card and a Personal Identification Number
(PIN). The smart card is something the user has (it holds a private cryptographic key), and the PIN
is something the user knows. Which authentication method is being used?
a) Single-factor authentication
b) Two-factor authentication (2FA)
c) Biometric authentication
d) Single sign-on (SSO)
6. An administrator needs to grant a helpdesk team the ability to reset user passwords but should
not grant them the ability to modify group memberships. Which identity management principle is
the administrator following?
a) Privilege creep
b) Principle of least privilege
c) Need-to-know
d) Mandatory access control
7. A user authenticates to their Windows laptop in the morning. Throughout the day, they access a
file server, a cloud-based CRM, and a SharePoint site without being prompted to re-enter their
credentials. What enables this seamless experience?
a) Federation
b) RADIUS
c) Single sign-on (SSO)
d) LDAP
8. An organization discovers that a terminated employee’s badge still grants them access to the
data center three weeks after their departure. Which of the following processes failed?
a) Authorization
b) Authentication
c) Provisioning
d) Deprovisioning
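The failure in question 8 is normally caught by an access review that reconciles the physical-access system against the HR roster. The following is an added example of that reconciliation, not part of the exam: it flags badges that are still enabled for a terminated owner (past a grace period) or for an owner with no HR record at all. The record formats, the grace period and all sample data are constructed for the illustration.

```python
"""Detect deprovisioning failures by reconciling badges with HR status (added example)."""
from datetime import date, timedelta

# Constructed HR roster: employee id -> (status, termination date or None)
HR_ROSTER = {
    "e1001": ("active", None),
    "e1002": ("terminated", date(2025, 1, 10)),
    "e1003": ("terminated", date(2025, 1, 28)),
    "e1004": ("active", None),
}

# Constructed badge-system export: badge id, owner, enabled flag, zones granted
BADGES = [
    {"badge": "B-1", "owner": "e1001", "enabled": True,  "zones": {"lobby", "datacenter"}},
    {"badge": "B-2", "owner": "e1002", "enabled": True,  "zones": {"lobby", "datacenter"}},
    {"badge": "B-3", "owner": "e1003", "enabled": False, "zones": {"lobby"}},
    {"badge": "B-4", "owner": "e1005", "enabled": True,  "zones": {"lobby"}},  # no HR record
]

# Time allowed between termination and badge disablement (assumed policy value).
GRACE = timedelta(days=1)


def severity_for(zones) -> str:
    """Assumed ranking: anything that opens the data center is high severity."""
    return "high" if "datacenter" in zones else "medium"


def find_orphaned_access(roster, badges, today: date) -> list:
    """Return one finding per enabled badge whose owner should no longer have it.

    Two failure modes are reported: a terminated owner whose badge outlived the
    grace period, and an owner unknown to HR (an identity created outside the
    joiner/leaver process, so the leaver process could never have caught it).
    """
    findings = []
    for b in badges:
        if not b["enabled"]:
            continue  # already disabled: nothing to report
        record = roster.get(b["owner"])
        if record is None:
            findings.append({"badge": b["badge"], "owner": b["owner"],
                             "reason": "no HR record", "days_overdue": None,
                             "severity": severity_for(b["zones"])})
            continue
        status, term_date = record
        if status == "terminated" and today - term_date > GRACE:
            findings.append({"badge": b["badge"], "owner": b["owner"],
                             "reason": "terminated",
                             "days_overdue": (today - term_date).days,
                             "severity": severity_for(b["zones"])})
    return findings


if __name__ == "__main__":
    for f in find_orphaned_access(HR_ROSTER, BADGES, date(2025, 1, 31)):
        print(f)
```

Run on the constructed data for 2025-01-31, the review reports badge B-2 (owner terminated 21 days earlier, still opens the data center, high severity) and B-4 (no HR record); B-3 is ignored because it was disabled, which is what a working deprovisioning process produces.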
Domain 3: Threats, Attacks, and Vulnerabilities
9. A security analyst notices that a server is receiving an unusually high volume of traffic from
thousands of different IP addresses, all targeting a specific web service port, causing the service to
become unavailable to legitimate users. What type of attack is occurring?
a) Man-in-the-middle
b) SQL injection
c) Phishing
d) Distributed Denial-of-Service (DDoS)