WGU D489 TASK 1 : Cybersecurity Management Plan 2026-2027
BANK QUESTIONS WITH DETAILED VERIFIED ANSWERS
EXAM QUESTIONS WILL COME FROM HERE (100% CORRECT ANSWERS, A+ GRADED)
Cybersecurity Governance and Strategy
1. A cybersecurity management plan's primary purpose is to:
A) Eliminate all cyber threats
B) Serve as a static document for auditors
C) Align security initiatives with business objectives
D) Detail the technical specifications of firewall rules
Answer: C. A management plan is a strategic document that bridges
business goals and security operations, ensuring resources support the
organization's mission.
2. Which element is most critical for building a cybersecurity-aware
culture?
A) Punitive policies for repeat offenders
B) Executive leadership endorsement and modeling
C) Mandatory quarterly security newsletters
D) Outsourcing all awareness training
Answer: B. Culture starts at the top. When executives visibly champion
security and follow protocols, it signals organizational values, making
awareness efforts credible.
3. A company's Board of Directors is primarily responsible for which
aspect of cybersecurity?
A) Configuring intrusion detection systems
B) Approving the risk appetite and providing strategic oversight
C) Conducting daily threat intelligence analysis
D) Managing third-party vendor patching schedules
Answer: B. The board governs risk. Their role is fiduciary oversight,
setting the "tone at the top" and accepting the level of residual risk the
organization will bear.
4. When developing a cybersecurity strategy, a gap analysis is used to:
A) Identify differences between current security posture and a desired
future state
B) Scan for open ports on the external network perimeter
C) Calculate the annual loss expectancy of a specific asset
D) Document the chain of custody for digital evidence
Answer: A. A gap analysis benchmarks the "as-is" state against the "to-be" state, revealing missing controls or capabilities that the management plan must address.
5. Which framework is specifically designed for cybersecurity and
integrates with enterprise risk management?
A) COSO
B) ITIL
C) NIST Cybersecurity Framework (CSF)
D) ISO 9001
Answer: C. The NIST CSF, with its core functions of Identify, Protect,
Detect, Respond, and Recover, was built to integrate cybersecurity risk
into broader enterprise risk management.
6. The concept of "reasonable security" in a legal context means:
A) Deploying the most expensive and advanced technology available
B) Implementing controls proportionate to the organization's size,
complexity, and the sensitivity of data
C) Guaranteeing perfect protection against all known vulnerabilities
D) Simply complying with the PCI-DSS standard
Answer: B. Legal and regulatory standards often measure security
against what a "reasonable" entity would do, considering cost, risk, and
feasibility, not perfection.
7. A security steering committee should ideally include members from:
A) Exclusively the IT security department
B) Legal, HR, IT, and key business unit leaders
C) Only external consultants and auditors
D) The software development team leads
Answer: B. Cybersecurity is a business problem, not just a technical
one. Cross-functional representation ensures the plan aligns with legal,
human capital, and operational requirements.
8. A mission statement for a cybersecurity program should articulate:
A) Specific metrics for server uptime
B) The software versions currently in use
C) The high-level purpose and principles guiding the security function
D) A detailed project plan for the next fiscal year
Answer: C. A mission statement is a concise declaration of "why" the
program exists, its core values, and its commitment to protecting
stakeholders.
9. Which leadership role is ultimately accountable for an organization's
cybersecurity posture?
A) Chief Information Security Officer (CISO)
B) Chief Executive Officer (CEO)
C) Network Security Manager
D) Data Protection Officer (DPO)
Answer: B. While the CISO manages the program, ultimate
accountability cannot be delegated and rests with the CEO and the
Board of Directors.