Evaluating & Defending Data Security and System Operations | Complete A+ Guide | 2026/2027 Edition | 150 Verified Questions
WGU C845 Information Systems Security VUN1 Task 3 Exam 2026-2027 Questions and Answers Already Graded A+. 100% Verified Solutions | Updated Per Latest Guidelines | Graded A+
This comprehensive exam prep guide for WGU C845 VUN1 Task 3 focuses on evaluating and
defending data security and system operations. It covers key domains including risk management,
security controls, incident response, and compliance frameworks. With 150 verified questions and
detailed rationales, this resource ensures mastery of information systems security principles. Ideal for
students seeking to demonstrate competency in protecting organizational assets and ensuring
operational resilience.
Key Features:
Risk assessment and management strategies
Implementation of security controls (administrative, technical, physical)
Incident response lifecycle and forensic analysis
System and data protection techniques (encryption, access control, backup)
Compliance with regulations (HIPAA, GDPR, PCI DSS) and standards (NIST, ISO 27001)
Business continuity and disaster recovery planning
Updates for 2026:
- Updated to reflect 2026/2027 WGU C845 curriculum changes
- Incorporated latest NIST SP 800-53 rev5 and ISO 27001:2022 updates
- Added new questions on cloud security and zero trust architecture
- Enhanced rationales with real-world scenarios and common pitfalls
- Revised answer explanations to align with current exam grading criteria
Abstract:
This document provides a rigorous preparation tool for the WGU C845 Information Systems Security VUN1 Task 3
assessment, which evaluates a student's ability to assess and defend data security and system operations. The
content is organized around core competencies such as risk management, security architecture, incident response,
and compliance. Each of the 150 questions is accompanied by a detailed rationale explaining the correct answer
and common misconceptions. The material emphasizes practical application of security principles in
organizational contexts, including the use of frameworks like NIST and ISO. Special attention is given to emerging
threats and defenses, such as ransomware, phishing, and cloud vulnerabilities. This guide is designed to help
students achieve a thorough understanding of information security governance and operational resilience. By
mastering these concepts, students will be well-prepared to pass the task and apply security best practices in
professional settings.
Keywords:
WGU C845, Information Systems Security, VUN1 Task 3, Data Security, System Operations, Risk Management,
Incident Response, Compliance
Answer Format:
Each question is followed by the correct answer and a detailed rationale explaining why it is correct, along with
analysis of incorrect options. Rationales include references to industry standards and best practices. Distractors are
explained to clarify common errors.
Compliance Checklist:
All questions align with WGU C845 VUN1 Task 3 competencies
Answers are verified against official WGU materials and industry standards
Rationales include citations to NIST, ISO, and other relevant frameworks
Content reflects the latest 2026/2027 academic year updates
Questions cover all key domains with appropriate weight distribution
Format follows WGU's assessment style for objective and scenario-based items
Content Area Overview:
Content Area | Questions | Key Topics | Weight
Risk Management and Security Governance | 1-30 | Risk assessment, risk treatment, security policies, governance frameworks, compliance | 20%
Security Architecture and Controls | 31-60 | Access control, cryptography, network security, physical security, security models | 20%
Incident Response and Forensics | 61-90 | Incident handling, forensic analysis, evidence collection, recovery procedures | 20%
System and Data Protection | 91-120 | Data classification, encryption, backup, disaster recovery, business continuity | 20%
Compliance and Legal Issues | 121-150 | HIPAA, GDPR, PCI DSS, SOX, privacy laws, audit and monitoring | 20%
Q1. An organization implements attribute-based access control (ABAC) for a cloud-based document
management system. Which scenario best demonstrates a security weakness inherent to ABAC that could be
exploited by an insider threat?
A. A user with a temporary project role gains access to documents outside their clearance after the project ends
because the policy engine caches attributes.
B. A user exploits a buffer overflow in the policy enforcement point to elevate privileges.
C. A user with read-only access modifies a document due to a misconfigured rule that grants write access to all
users with 'employee' attribute.
D. A user intercepts network traffic to steal session tokens and impersonate a user with higher clearance.
Correct Answer: C. A user with read-only access modifies a document due to a misconfigured rule that
grants write access to all users with 'employee' attribute.
Rationale: ABAC grants access by evaluating attribute-based rules, so a misconfigured rule (e.g., granting write access to every subject carrying the 'employee' attribute) directly produces unintended privilege escalation. Option A describes a temporal attribute issue, but attribute caching is an implementation choice rather than an inherent property of ABAC;
B and D are general vulnerabilities that apply to any access control model, not ABAC specifically.
Why Wrong:
A - Caching attributes is a configuration issue, not an inherent ABAC weakness.
B - Buffer overflow is a software vulnerability unrelated to ABAC design.
D - Session hijacking is a network-level threat, not specific to ABAC.
Reference: NIST SP 800-162 (Guide to Attribute Based Access Control) Section 2.3
Q2. During a forensic investigation of a data breach, the incident response team discovers that the attacker
exfiltrated data using DNS tunneling. Which of the following controls would be most effective at detecting
this technique in real time?
A. Deploying a web application firewall (WAF) to inspect HTTP traffic.
B. Implementing network flow analysis to identify large volumes of DNS queries to a single domain.
C. Enabling DNS security extensions (DNSSEC) to authenticate DNS responses.
D. Using host-based intrusion detection to monitor file integrity.
Correct Answer: B. Implementing network flow analysis to identify large volumes of DNS queries to a single
domain.
Rationale: DNS tunneling often generates a high volume of DNS queries to a specific domain, which network flow
analysis can detect. A WAF inspects HTTP, not DNS; DNSSEC prevents spoofing but not exfiltration; host-based
IDS monitors local files, not network DNS traffic.
Why Wrong:
A - WAF inspects HTTP traffic, not DNS queries.
C - DNSSEC ensures authenticity of DNS responses but does not detect tunneling.
D - Host-based IDS monitors local system changes, not network-level DNS patterns.
Reference: NIST SP 800-83 Rev. 1 (Guide to Malware Incident Prevention and Handling) Section 3.2
Q3. A healthcare organization must ensure that electronic protected health information (ePHI) is encrypted
at rest and in transit. Which combination of cryptographic standards meets HIPAA Security Rule
requirements and provides forward secrecy for data in transit?
A. AES-256 for data at rest and TLS 1.2 with RSA key exchange for data in transit.
B. AES-128 for data at rest and TLS 1.3 with Diffie-Hellman ephemeral (DHE) key exchange for data in
transit.
C. Triple DES (3DES) for data at rest and SSL 3.0 for data in transit.
D. Blowfish for data at rest and TLS 1.2 with static ECDH for data in transit.
Correct Answer: B. AES-128 for data at rest and TLS 1.3 with Diffie-Hellman ephemeral (DHE) key
exchange for data in transit.
Rationale: HIPAA requires encryption for ePHI; AES-128/256 are acceptable. TLS 1.3 with DHE provides perfect
forward secrecy, preventing decryption of past sessions if keys are compromised. RSA key exchange lacks forward
secrecy; 3DES and SSL 3.0 are deprecated; Blowfish is not a standard for compliance.
Why Wrong:
A - RSA key exchange does not provide forward secrecy.
C - 3DES and SSL 3.0 are deprecated and not considered secure.
D - Blowfish is not a NIST-approved algorithm for ePHI encryption; static ECDH lacks forward secrecy.
Reference: HIPAA Security Rule, 45 CFR § 164.312(a)(2)(iv); NIST SP 800-175B
Q4. An organization's security policy requires that all employees use multi-factor authentication (MFA) when
accessing internal systems remotely. Which of the following is a valid implementation that satisfies the
'something you have' factor while minimizing user friction?
A. Requiring a one-time password (OTP) sent via SMS to the user's registered phone number.
B. Using a hardware token that generates time-based OTPs (TOTP) and is inserted into a USB port.
C. Deploying a push notification to a smartphone that the user must approve via biometric.
D. Using a smart card with a PIN that must be entered at login.
Correct Answer: C. Deploying a push notification to a smartphone that the user must approve via biometric.
Rationale: A push notification uses the enrolled smartphone as 'something you have' and the biometric approval (fingerprint/face)
as 'something you are', combining two factors with low user friction. SMS OTP is vulnerable to SIM swapping; a
hardware token satisfies the possession factor but must be carried and inserted; a smart card with PIN is valid two-factor authentication but is less convenient than a
biometric-approved push.
Why Wrong:
A - SMS OTP is susceptible to SIM swapping and phishing.
B - Hardware token is physical but adds friction of carrying and inserting.
D - Smart card with PIN is valid but does not minimize friction compared to biometric push.
Reference: NIST SP 800-63B (Digital Identity Guidelines) Section 5.1.3
Q5. During a risk assessment, a security analyst identifies that the organization's backup tapes are stored in
an unlocked cabinet in the same building as the primary servers. Which of the following risk treatment
strategies is most appropriate for this finding?
A. Risk acceptance, because the likelihood of a physical breach is low.
B. Risk mitigation by moving tapes to a secure, off-site storage facility.
C. Risk avoidance by discontinuing the use of tape backups entirely.
D. Risk transfer by purchasing cyber insurance that covers data loss.
Correct Answer: B. Risk mitigation by moving tapes to a secure, off-site storage facility.
Rationale: The finding presents a physical security risk that can be easily mitigated by moving tapes to a secure
off-site location, which is a standard best practice. Acceptance is inappropriate without compensating controls;
avoidance is drastic and unnecessary; transfer via insurance does not prevent data loss.
Why Wrong:
A - Acceptance is not justified because the risk can be mitigated with a simple control.
C - Avoidance by discontinuing tape backups is an overreaction and may not be feasible.
D - Cyber insurance covers financial loss but does not prevent data compromise.
Reference: NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments) Section 2.3
Q6. A company is designing a disaster recovery plan for a critical database. The recovery time objective
(RTO) is 2 hours, and the recovery point objective (RPO) is 15 minutes. Which backup strategy best meets
these requirements?
A. Daily full backups with hourly transaction log backups stored on a remote server.
B. Continuous data replication to a standby server in a different geographic region.
C. Weekly full backups with daily differential backups stored on tape.