Engineering FINAL EXAM / OBJECTIVE ASSESSMENT (OA) PRACTICE TEST BANK: 100 QUESTIONS WITH ANSWERS AND RATIONALES
Section 1: Security Architecture Frameworks & Principles (Q1–Q20)
Q1. Which enterprise security architecture framework focuses on "why"
(business context), "who," "where," "when," and "how" across six layers?
A. TOGAF
B. SABSA
C. DoDAF
D. COBIT
Answer: B. SABSA
Rationale: SABSA (Sherwood Applied Business Security Architecture) is a
business-driven, risk-based framework that organizes security architecture
into six layers (contextual, conceptual, logical, physical, component,
operational) and six attributes (why, who, where, when, what, how).
Q2. A security architect needs to align IT projects with business goals and
standardize the development lifecycle. Which framework provides the
Architecture Development Method (ADM)?
A. Zachman Framework
B. SABSA
C. TOGAF
D. NIST SP 800-53
Answer: C. TOGAF
Rationale: TOGAF (The Open Group Architecture Framework) includes the
Architecture Development Method (ADM) as a step-by-step process for
creating and managing enterprise architectures. It is vendor-neutral and
business-goal oriented.
Q3. Which Zachman Framework column addresses "How does the system
work?" from the Planner's perspective?
A. Data (What)
B. Function (How)
C. Network (Where)
D. People (Who)
Answer: B. Function (How)
Rationale: The Zachman Framework is a 6x6 matrix. The Function column
(How) represents processes and activities. From the Planner's perspective
(row 1), this asks "How does the business operate?" — a high-level
functional description.
Q4. A security engineer is designing a system that must maintain
confidentiality even if physical drives are stolen. Which control directly
addresses this?
A. Access control lists
B. Full disk encryption
C. Intrusion detection system
D. Backup power supply
Answer: B. Full disk encryption
Rationale: Full disk encryption (FDE) protects data at rest. If a drive is
physically removed, the encrypted data is unreadable without the
encryption key, directly enforcing confidentiality.
Q5. Which SABSA layer defines policies, standards, and procedures for
technology components?
A. Contextual
B. Conceptual
C. Logical
D. Physical
Answer: D. Physical
Rationale: SABSA’s Physical layer maps logical security services to actual
hardware, software, mechanisms, and procedures. It includes specific
technology components, configurations, and operational procedures.
Q6. An organization wants to measure maturity of its security processes.
Which model should it use?
A. CMMI
B. ISO 27001
C. NIST CSF
D. COBIT
Answer: A. CMMI
Rationale: Capability Maturity Model Integration (CMMI) provides maturity
levels (0 to 5) for process improvement. While COBIT includes maturity
models, CMMI is the most widely cited for engineering process maturity.
Q7. Which architectural principle means a security control should not be
easily bypassed or disabled?
A. Least privilege
B. Defense in depth
C. Non-bypassability
D. Separation of duties
Answer: C. Non-bypassability
Rationale: Non-bypassability ensures that security controls cannot be
circumvented. All access requests must pass through the control
mechanism — a core principle of secure architecture.
Q8. A company is implementing a zero trust model. Which design element
is fundamental?
A. VPN for all remote access
B. Implicit trust for internal network
C. Continuous verification of every request
D. Single perimeter firewall
Answer: C. Continuous verification of every request
Rationale: Zero trust assumes no implicit trust — regardless of network
location. Every access request is authenticated, authorized, and encrypted,
with continuous monitoring and verification.
Q9. Which type of security control is a firewall rule that blocks inbound port
445?
A. Preventive
B. Detective
C. Corrective
D. Deterrent