Practice Exam — 250 MCQs | questions, answers & rationales
Key Study Areas for WGU C727 Cybersecurity Management:
Governance & Strategy: CIA triad, security governance, CISO role, security policies
(hierarchy), risk appetite, GRC, security metrics and KPIs, board reporting, SEC disclosure rules,
budget justification
Risk Management: Risk assessment, risk treatment options (FAIR), threat/vulnerability/risk,
business impact analysis (BIA), risk quantification, security control frameworks (NIST SP 800-53,
CIS Controls, ISO 27001)
Frameworks & Compliance: NIST CSF (5 functions), NIST RMF (7 steps), ISO 27001/ISMS,
HIPAA, PCI DSS, GDPR, FISMA, SOX, NERC CIP, NY DFS
Incident Response: IR lifecycle (NIST phases), CSIRT, digital forensics, chain of custody,
tabletop exercises, post-incident review, BCP/DR (RTO/RPO)
Technical Security: Access control (RBAC, MAC, DAC, ABAC), encryption
(symmetric/asymmetric, TLS, PKI), network security (firewall, IDS/IPS, segmentation, DMZ),
endpoint security (EDR, EPM), vulnerability management
Security Operations: SIEM, SOC, SOAR, threat intelligence, MITRE ATT&CK, kill chain,
threat hunting, MDR, security automation (MTTD/MTTR)
Emerging Topics: Zero trust, cloud security (shared responsibility, CSPM, CASB), DevSecOps,
supply chain security (SBOM, SolarWinds), OT/ICS security, ransomware defense, identity
lifecycle, MFA/passwordless
Privacy & Data: GDPR, data classification, DLP, tokenization, data sovereignty, privacy by
design, data minimization, PIA
1. What is the primary goal of cybersecurity management?
A) Installing antivirus software on all endpoints
B) Protecting the confidentiality, integrity, and availability of organizational information
and systems (correct answer)
C) Preventing all cyberattacks from occurring
D) Managing the IT department's budget
Rationale: Cybersecurity management focuses on the CIA triad — Confidentiality
(protecting information from unauthorized disclosure), Integrity (ensuring accuracy and
trustworthiness of data), and Availability (ensuring systems and data are accessible when
needed) — across people, processes, and technology.
2. What does the "CIA triad" stand for in cybersecurity?
A) Cyber Intelligence Agency
B) Confidentiality, Integrity, and Availability (correct answer)
C) Control, Identification, and Authorization
D) Compliance, Integrity, and Accountability
Rationale: The CIA triad is the foundational model of information security: Confidentiality
(data only accessible to authorized parties), Integrity (data remains accurate and
unaltered), and Availability (systems and data accessible when needed by authorized users)
— the basis for security policy and control design.
3. What is "information security governance"?
A) Government regulations for cybersecurity
B) The system by which an organization directs and controls security activities —
establishing accountability, authority, and strategic direction for cybersecurity (correct
answer)
C) The technical management of firewalls and IDS
D) A compliance program for regulatory requirements
Rationale: Information security governance is the framework of policies, roles,
responsibilities, and oversight that ensures security activities align with business objectives;
it includes board-level accountability, executive sponsorship (CISO), a policy framework, risk
appetite definition, and performance measurement — it is the foundation from which all
security management flows.
4. What is the role of a Chief Information Security Officer (CISO)?
A) Managing the organization's IT infrastructure
B) Providing strategic leadership for the information security program — aligning
security with business objectives, managing risk, and reporting to senior leadership
(correct answer)
C) Performing technical security testing
D) Approving all software purchases
Rationale: CISO responsibilities: developing and implementing the information security
strategy, managing the security program (policies, controls, teams), risk management,
compliance oversight, incident response leadership, board-level security reporting, and
ensuring security investments align with business risk tolerance.
5. What is a "security policy" in cybersecurity management?
A) A technical configuration applied to a firewall
B) A high-level document expressing management's intent, goals, and direction for
protecting information assets (correct answer)
C) A procedure for responding to security incidents
D) A list of approved software applications
Rationale: Security policies are management-level documents expressing the organization's
commitment and direction for security; they are high-level (not technical), mandatory, and
approved by senior leadership; policies drive the development of more specific standards,
procedures, and guidelines — forming the top level of the security documentation
hierarchy.
6. What is the hierarchy of security documentation from highest to lowest?
A) Procedures, Standards, Guidelines, Policies
B) Policies, Standards, Procedures, Guidelines (correct answer)
C) Guidelines, Policies, Standards, Procedures
D) Standards, Policies, Guidelines, Procedures
Rationale: Security documentation hierarchy: Policies (management intent — mandatory,
high-level), Standards (specific mandatory requirements implementing policies),
Procedures (step-by-step instructions for specific tasks), and Guidelines (recommended but
optional practices); policies drive everything else — each level becomes more specific and
operational.
7. What is "risk management" in cybersecurity?
A) Eliminating all identified risks
B) The process of identifying, assessing, and treating risks to reduce them to an
acceptable level (correct answer)
C) Purchasing cybersecurity insurance
D) Installing security controls to prevent breaches
Rationale: Risk management: (1) Identify threats and vulnerabilities, (2) Assess likelihood
and impact, (3) Determine risk level (risk = likelihood × impact), (4) Select risk treatment
(accept, avoid, mitigate, transfer), (5) Implement controls, (6) Monitor; the goal is not zero
risk but managing risk to acceptable levels given cost-benefit analysis.
8. What are the four primary risk treatment options?
A) Prevent, Detect, Respond, Recover
B) Accept, Avoid, Mitigate (Reduce), Transfer (correct answer)
C) Encrypt, Backup, Monitor, Patch
D) Identify, Assess, Control, Review
Rationale: Risk treatment options: Accept (acknowledge risk, no action — cost of control
exceeds risk impact); Avoid (eliminate the activity causing the risk); Mitigate/Reduce
(implement controls to reduce likelihood or impact); Transfer (shift financial risk to
another party — insurance, contracts); organizations choose treatment based on cost-benefit
analysis and risk appetite.
9. What is "risk appetite" in an organization?
A) The amount of risk an organization has already accepted
B) The amount and type of risk an organization is willing to accept in pursuit of its
objectives (correct answer)
C) The total risk exposure of an organization
D) Management's fear of cybersecurity incidents
Rationale: Risk appetite: the board-level decision about how much risk the organization is
willing to tolerate; informs security investment decisions and policy design; risk tolerance
(operational deviations from appetite) and risk threshold (maximum acceptable risk level)
are related concepts; security program investments should reduce risk to within the
defined risk appetite.
10. What is the difference between a "threat" and a "vulnerability"?