Answers | Grade A+ | 100% Correct (Verified Solutions)
Question 1
Which of the following best describes the primary goal of Information Security Governance?
A) To ensure that all firewalls are configured with the latest rule sets.
B) To align the security strategy with business objectives and manage risks.
C) To provide technical support for end-user password resets.
D) To eliminate all possible risks within the organizational infrastructure.
E) To oversee the procurement of new antivirus software licenses.
Correct Answer: B) To align the security strategy with business objectives and manage risks.
Rationale: Governance is a high-level management function. It is not about the technical
execution of security tasks but about ensuring that security efforts support the
organization's goals, provide value, and manage risks to an acceptable level through
oversight and accountability.
Question 2
In the context of security documentation, which of the following is considered a mandatory
requirement that specifies uniform use of specific technologies or configurations?
A) Policy
B) Guideline
C) Standard
D) Procedure
E) Baseline
Correct Answer: C) Standard
Rationale: Standards are mandatory rules or requirements that provide consistency. While
a Policy provides the high-level "what," a Standard provides the specific "must." For
example, a policy might state that "all data must be encrypted," while a standard specifies
that "AES-256 must be used."
Question 3
SAGE Corporation handles the personal data of citizens in France and Germany. Which
regulation mandates that they provide "The Right to be Forgotten" to these individuals?
A) HIPAA
B) GLBA
C) GDPR
D) PCI-DSS
E) FISMA
Correct Answer: C) GDPR
Rationale: The General Data Protection Regulation (GDPR) applies to any organization
that processes the personal data of EU residents. The "Right to Erasure" (or Right to be
Forgotten) allows individuals to request the deletion of their data under specific
circumstances.
Question 4
A Chief Information Security Officer (CISO) is implementing the NIST Cybersecurity
Framework (CSF). Which of the following are the five core functions of this framework?
A) Plan, Do, Check, Act, Monitor
B) Identify, Protect, Detect, Respond, Recover
C) Governance, Risk, Compliance, Audit, Review
D) Policy, Standard, Procedure, Guideline, Baseline
E) Confidentiality, Integrity, Availability, Non-repudiation, Authenticity
Correct Answer: B) Identify, Protect, Detect, Respond, Recover
Rationale: The NIST CSF Core consists of these five functions, which provide a strategic
view of the lifecycle of an organization's management of cybersecurity risk. They allow
organizations to understand how they are managing their security posture and where
improvements are needed.
Question 5
Which risk management strategy is being used when an organization decides to purchase a
cyber-insurance policy to cover potential financial losses from a data breach?
A) Risk Mitigation
B) Risk Acceptance
C) Risk Avoidance
D) Risk Transfer
E) Risk Rejection
Correct Answer: D) Risk Transfer
Rationale: Risk transfer involves shifting the potential financial burden of a risk to a third
party (the insurance provider). The risk itself still exists, but the financial impact is shared
or moved.
Question 6
A company has discovered that an employee shared their password with a coworker. This is a
violation of which type of security control?
A) Technical control
B) Physical control
C) Administrative control
D) Logical control
E) Corrective control
Correct Answer: C) Administrative control
Rationale: Administrative controls (also called Management controls) are policies,
procedures, and training that define human behavior and expectations. A password-
sharing policy is a rule set by management, making it an administrative control.
Question 7
During a Business Impact Analysis (BIA), what does the term MTD (Maximum Tolerable
Downtime) represent?
A) The time it takes to restore a single server from backup.
B) The total amount of time a business process can be disrupted before causing irreparable harm.
C) The point in time to which data must be recovered.
D) The frequency with which the disaster recovery plan is tested.
E) The amount of time the IT team is allowed to work on a weekend.
Correct Answer: B) The total amount of time a business process can be disrupted before
causing irreparable harm.
Rationale: MTD (or MTPD) is the absolute ceiling for downtime. If the business is down
longer than the MTD, it may never recover financially or operationally. This metric helps
prioritize which systems need the fastest recovery times.
Question 8
Which of the following is a requirement for a company to be compliant with PCI-DSS?
A) Providing health insurance to all employees.
B) Encrypting transmission of cardholder data across open, public networks.
C) Storing all credit card CVV codes for at least 7 years for auditing.
D) Using only Apple-branded computers for transaction processing.
E) Allowing customers to pay only with cash.
Correct Answer: B) Encrypting transmission of cardholder data across open, public
networks.
Rationale: PCI-DSS Requirement 4 specifically mandates the use of strong cryptography
and security protocols to protect sensitive cardholder data during transmission over public
networks like the internet.
Question 9
An organization identifies a risk but determines that the cost of the safeguard exceeds the
potential loss. They decide to take no further action. This is known as:
A) Risk Mitigation
B) Risk Avoidance
C) Risk Acceptance
D) Risk Transference
E) Risk Analysis
Correct Answer: C) Risk Acceptance
Rationale: Risk acceptance is a conscious decision by management to live with a risk
because the cost of fixing it is higher than the value of the asset or the likelihood of the
event. This must be documented and approved by a stakeholder.
Question 10
Which framework is specifically designed for establishing, implementing, maintaining, and
continually improving an Information Security Management System (ISMS)?
A) NIST SP 800-37
B) ISO/IEC 27001
C) COBIT 5
D) ITIL
E) CSA STAR
Correct Answer: B) ISO/IEC 27001
Rationale: ISO 27001 is the international standard for an ISMS. It provides a holistic
approach to security management, covering people, processes, and technology, and is often
used by companies to demonstrate security maturity to global partners.
Question 11
What is the primary difference between a Business Continuity Plan (BCP) and a Disaster
Recovery Plan (DRP)?
A) BCP is for IT; DRP is for the CEO.
B) BCP focuses on keeping business operations running; DRP focuses on restoring technical
infrastructure.
C) BCP is mandatory for all companies; DRP is optional.
D) BCP only applies to natural disasters; DRP applies to cyberattacks.
E) There is no difference; they are the same document.
Correct Answer: B) BCP focuses on keeping business operations running; DRP focuses on
restoring technical infrastructure.
Rationale: BCP is broader and ensures the business can function (e.g., manual processes,
alternative work sites). DRP is a subset of BCP that specifically addresses how IT systems,
data, and networks will be recovered after a failure.
Question 12
Which of the following is an example of a "Technical" (Logical) control?
A) A background check for new hires.
B) A security guard at the front gate.
C) An Intrusion Detection System (IDS).
D) A written "Acceptable Use Policy."
E) A locked filing cabinet.