14 FINAL EXAM 245 QUESTIONS WITH VERIFIED
ANSWERS 2025/2026
GRC for IT operations, governance, risk management, and compliance - CORRECT
ANSWER There are many IT security policy frameworks that can often be
combined to draw upon each of their strengths. Which of the following is not one
of the frameworks?
the importance of value delivery - CORRECT ANSWER Which of the following is not
one of the similarities shared by an enterprise risk management (ERM) framework
and a governance, risk management, and compliance (GRC) framework?
COBIT - CORRECT ANSWER _______________ is an international governance and
controls framework and a widely accepted standard for governing, assessing, and
managing IT security and risks.
reputational - CORRECT ANSWER Of the six specific business risks, the
___________________ risk results from negative publicity regarding an
organization's practices. Litigation and a decline in revenue are possible outcomes
of this type of risk.
COBIT, ISO - CORRECT ANSWER While these two approaches have similarities in
terms of the topics they address, ________ will cover broad IT management
topics and specify which security controls and management need to be installed;
however, ________ does not address how to implement specific controls.
executive, security - CORRECT ANSWER The members of the _________________
committee help create priorities, remove obstacles, secure funding, and serve as a
source of authority. Members of the _______________ committee, however, are
leaders across the organization.
risk governance, risk evaluation - CORRECT ANSWER The
_______________________ domain establishes the context and business view for
a risk evaluation and ensures that risk activity aligns with the business goals,
objectives, and tolerances. The ________________ domain ensures that
technology risks are identified and reported to leadership in business terms.
True - CORRECT ANSWER With a framework in place, controls and risk become
more measurable. The ability to measure the enterprise against a set of standards
and controls assures regulators of compliance and helps reduce uncertainty.
True - CORRECT ANSWER Because regulatory compliance is a significant effort,
some organizations engage full-time teams to collect, review, and report in an
attempt to demonstrate that regulations are being followed. However, creating
these full-time teams redirects business protection resources needlessly. A better
strategy is to create an IT policy framework that defines security controls that
align with policies and regulations.
The CISO should talk about how malware could prevent the service desk from
helping a customer. - CORRECT ANSWER If a CISO seeks to raise employees'
awareness of the dangers of malware in the organization, which of the following
approaches is recommended?
True - CORRECT ANSWER In the third line of defense, the auditor serves as an
advisor to the first and second lines of defense in matters concerning risk. The
third line must preserve its independence but also offer input on risk
direction and strategies.
True - CORRECT ANSWER The operational risk committee has the ability to
determine which business activities are riskier than others. For example, if a
business wants to sell products on the Internet for the first time, then the risk
committee would need to understand the wide-ranging risks involved as well as
the organization's security capability.
This organization uses a layered approach that creates a separation of duties. -
CORRECT ANSWER In the financial services sector, some organizations have
implemented a three-lines-of-defense model. What does the use of this model
suggest about an organization's structure?
True - CORRECT ANSWER Security frameworks establish behavior expectations
and define policy. Policies cannot address every scenario employees will face, but
strong training on the core principles that create those policies will equip
employees to do their jobs successfully.
True - CORRECT ANSWER If the governance and compliance framework is well-
defined, this means that the approach is structured around a common language
and is a foundation from which information security policies can be governed.
False - CORRECT ANSWER In the three-lines-of-defense model of risk
management, the second line of defense is the business unit (BU), which is
responsible for controlling risk on a daily basis. The BU locates risk, assesses the
impact, and mitigates the risk whenever possible.
False - CORRECT ANSWER In the organizational structure, the vendor management
team is responsible for managing security concerns involving third parties and
vendors. This team conducts an assessment on a vendor before data leaves the
organization and is processed by a third party. The concept of separation of duties
is often put in place to ensure that data is verified before it leaves the
organization.
security event - CORRECT ANSWER A(n) __________________ is a term used to
indicate any unwanted event that takes place outside the normal daily security
operations. This type of event relates to a breakdown in controls as identified by
the security policies.
False - CORRECT ANSWER The security operations team has the responsibility of
monitoring intrusions and breaches in the form of firewalls and network traffic.
When the team finds a breach, they notify independent auditors who aid in the
recovery of the business and will provide an assessment of how the breach
occurred.
False - CORRECT ANSWER Of the different risks that can occur in an IT security
framework, events that transpire outside an organization's domain of control and
impact IT operations fall under the category of operational risks.
True - CORRECT ANSWER "Privilege creep" refers to individuals who retain access
privileges within an organization based on their previous jobs within the
organization. This is an undesirable situation because multiple access privileges
create the conditions for employees to engage in fraud.
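The privilege creep described in the question above is something an access review can detect mechanically: compare what a user actually holds against the entitlement baseline of their current role, and trace any excess back to an earlier role. The same review can flag the "conditions for fraud" the question refers to, i.e. toxic combinations of entitlements that separation of duties says no single person should hold. The following is an added example written for this page, not code from the course or the textbook; the role baselines, entitlement names, conflict pairs, and the two users are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the entitlements each job role is supposed to hold.
# In a real review this comes from the IAM/role-mining system, not a literal.
ROLE_BASELINE: Dict[str, set] = {
    "accounts_payable_clerk": {"ap.invoice.create", "ap.vendor.view"},
    "ap_supervisor": {"ap.invoice.approve", "ap.vendor.view", "ap.report.view"},
    "treasury_analyst": {"tr.payment.release", "tr.report.view"},
}

# Constructed separation-of-duties rules: pairs one person must never hold together.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("ap.invoice.create", "ap.invoice.approve"),   # create and approve own invoice
    ("ap.invoice.approve", "tr.payment.release"),  # approve and pay
    ("ap.vendor.create", "ap.invoice.create"),     # fake vendor plus invoice
]


@dataclass
class Assignment:
    role: str
    start: date


@dataclass
class Entitlement:
    name: str
    granted: date


@dataclass
class User:
    uid: str
    history: List[Assignment]      # chronological; last entry is the current role
    entitlements: List[Entitlement]


def find_privilege_creep(user: User) -> List[dict]:
    """Return entitlements outside the current role's baseline.

    Each finding records which earlier role (if any) explains the entitlement
    and whether it was granted before the current role began, which is the
    classic privilege-creep signature: access carried over from a previous job.
    """
    current = user.history[-1]
    allowed = ROLE_BASELINE.get(current.role, set())
    findings = []
    for ent in user.entitlements:
        if ent.name in allowed:
            continue
        origin: Optional[str] = next(
            (a.role for a in reversed(user.history[:-1])
             if ent.name in ROLE_BASELINE.get(a.role, set())),
            None,  # None means no prior role explains it: investigate, do not just revoke
        )
        findings.append({
            "entitlement": ent.name,
            "origin_role": origin,
            "predates_current_role": ent.granted < current.start,
        })
    return findings


def find_sod_conflicts(user: User) -> List[Tuple[str, str]]:
    """Return every toxic pair the user currently holds in full."""
    held = {e.name for e in user.entitlements}
    return [pair for pair in SOD_CONFLICTS if held.issuperset(pair)]


def access_review(users: List[User]) -> Dict[str, dict]:
    """Run both checks over a population and key the findings by user id."""
    return {u.uid: {"creep": find_privilege_creep(u),
                    "sod": find_sod_conflicts(u)} for u in users}


# Constructed users. Alice was promoted from clerk to supervisor and kept her
# old invoice-creation right; Bob holds an HR entitlement no role of his explains.
ALICE = User(
    "alice",
    [Assignment("accounts_payable_clerk", date(2021, 3, 1)),
     Assignment("ap_supervisor", date(2024, 1, 15))],
    [Entitlement("ap.invoice.create", date(2021, 3, 2)),
     Entitlement("ap.vendor.view", date(2021, 3, 2)),
     Entitlement("ap.invoice.approve", date(2024, 1, 16)),
     Entitlement("ap.report.view", date(2024, 1, 16))],
)
BOB = User(
    "bob",
    [Assignment("treasury_analyst", date(2023, 6, 1))],
    [Entitlement("tr.payment.release", date(2023, 6, 2)),
     Entitlement("tr.report.view", date(2023, 6, 2)),
     Entitlement("hr.payroll.view", date(2024, 9, 10))],
)

if __name__ == "__main__":
    for uid, result in access_review([ALICE, BOB]).items():
        print(uid, result)
```

Alice's leftover `ap.invoice.create` is reported as creep originating from her clerk role, and because she now also holds `ap.invoice.approve` the same run reports a separation-of-duties conflict, which is exactly the fraud condition the question warns about. Bob's `hr.payroll.view` is reported with no originating role, so the right follow-up is an investigation rather than a silent revoke.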
lack of separation of duties - CORRECT ANSWER The Barings Bank collapsed in
1995 after it was found that an employee had lost over $1.3 billion of the bank's