Official Exam Actual Exam Complete Questions and Answers Detailed Rationales Pass Guaranteed - A+ Graded
TABLE OF CONTENTS
Section 1 | Cybersecurity Governance and Strategy | Q1 – Q10
Section 2 | Risk Management and Compliance | Q11 – Q20
Section 3 | Security Architecture and Controls | Q21 – Q30
Section 4 | Incident Response and Business Continuity | Q31 – Q40
Section 5 | Security Operations and Leadership | Q41 – Q50
Instructions: Choose the single best answer. Pass: 80% in 90 minutes.
══════════════════════════════════════
SECTION 1: CYBERSECURITY GOVERNANCE AND STRATEGY Q1 – Q10
══════════════════════════════════════
Question 1 of 50
A mid-sized healthcare organization's board of directors asks the CISO to present a
three-year security roadmap. The CISO proposes a strategy that prioritizes patient data
protection, aligns with HIPAA requirements, and supports the organization's expansion
into telehealth services.
A. The CISO should focus exclusively on technical controls like firewalls and endpoint
detection.
B. The CISO should defer strategy development until after the telehealth platform is fully
deployed.
C. The CISO is demonstrating effective security governance by aligning the cybersecurity strategy with business objectives and regulatory requirements. ✓ CORRECT
D. The CISO should prioritize cost reduction over patient data protection to maximize profitability.
Correct Answer: C
Rationale: Effective cybersecurity governance requires that security strategy directly
support organizational goals and regulatory mandates rather than existing in isolation.
Focusing exclusively on technical controls ignores the business context and risk
appetite that should shape investment priorities. Boards respond best to CISOs who
translate security initiatives into business enablement and compliance assurance.
Question 2 of 50
A manufacturing firm's newly appointed security director discovers that each
department has created its own password policy, acceptable use standards vary by
location, and no central document defines roles and responsibilities for data protection.
A. The director should allow departments to maintain autonomy because local policies
reflect unique operational needs.
B. The director should develop an enterprise security policy framework with
standardized baselines and clear governance roles. ✓ CORRECT
C. The director should immediately implement multi-factor authentication across all
systems without documenting policies.
D. The director should hire an external auditor to write policies that the security team
will enforce without business input.
Correct Answer: B
Rationale: Fragmented policies create inconsistent protection and accountability gaps
that increase organizational risk, so central governance with standardized baselines is
essential. Allowing departmental autonomy perpetuates the inconsistencies that make
compliance and incident response unnecessarily complex. Organizations that build
policy frameworks collaboratively with business units typically achieve higher
adherence because stakeholders understand their specific obligations.
Question 3 of 50
A financial services CISO is preparing for the annual board meeting and must justify the
security budget. She compiles metrics on vulnerability remediation time, phishing
simulation click rates, incident response costs, and the percentage of critical assets
covered by monitoring.
A. The CISO should present only technical vulnerability scan results because boards
understand scan data.
B. The CISO should request the previous year's budget plus inflation without supporting
metrics.
C. The CISO should focus exclusively on the number of security incidents prevented.
D. The CISO is demonstrating governance accountability by using a balanced scorecard
of operational and risk-reduction metrics. ✓ CORRECT
Correct Answer: D
Rationale: Board-level governance requires communicating security value through
business-relevant metrics that demonstrate risk reduction and operational efficiency,
not just technical outputs. Vulnerability scans alone do not convey financial or strategic
impact, and budgets without justification rarely survive scrutiny. CISOs who link security
investments to measurable risk outcomes typically secure more sustainable funding
than those who rely on fear-based appeals.
Question 4 of 50
During a merger between two technology companies, the acquiring firm's security team
discovers that the target company lacks a formal information security governance
structure, has no CISO, and delegates security decisions to the IT director.
A. The acquiring team should prioritize establishing a governance framework, appointing security leadership, and defining risk ownership before integrating networks. ✓ CORRECT
B. The acquiring team should proceed with network integration immediately to realize merger synergies.
C. The acquiring team should assume the IT director can continue managing security
indefinitely.
D. The acquiring team should delay all integration for two years while building
governance from scratch.
Correct Answer: A
Rationale: Merging networks without governance and clear risk ownership creates
immediate exposure because no one is accountable for security decisions during the
transition. IT directors often lack the authority, independence, and expertise to serve as
effective security governors for merged entities. Acquirers who front-load governance
establishment typically prevent integration incidents that expose both organizations to
breach and regulatory penalties.
Question 5 of 50
A retail organization's executive team wants to adopt a "cloud-first" strategy for all new
applications. The security architect raises concerns about data residency requirements
for customer payment information and the lack of a cloud security governance model.
A. The architect should block all cloud adoption until on-premises infrastructure is fully
depreciated.
B. The architect should allow each business unit to select cloud providers
independently.
C. The architect is fulfilling a governance role by ensuring cloud strategy accounts for
regulatory constraints and control frameworks. ✓ CORRECT
D. The architect should focus only on encrypting data and ignore provider governance.
Correct Answer: C
Rationale: Security governance in cloud adoption requires evaluating regulatory
constraints, data residency, and shared responsibility models before migration
decisions are finalized. Allowing independent business unit selection creates shadow IT
and inconsistent protection of sensitive data across the enterprise. Architects who