D488 | D488 Cybersecurity Architecture and
Engineering Exam 3 Version 3 Questions with
Correct Answers and Expert Explanation for Each
Question
1. Which component of a SIEM system is responsible for converting log data from
various formats into a common format for analysis?
A. Storage Layer
B. Normalization Engine
C. Correlation Engine
D. Reporting Dashboard
Correct Answer: B
Expert Explanation: The correct answer is B because normalization ensures that
log data from disparate sources can be compared and analyzed effectively. This
process converts logs into a standardized format, allowing the SIEM to recognize
specific events across the environment. Without normalization, the correlation
engine would struggle to identify patterns across different vendor formats. This step
is critical for building efficient search queries and automated alerts within the
security operations center. Standardizing data facilitates better compliance
reporting and incident investigation speed.
,2. In the NIST Incident Response lifecycle, which phase involves the actual removal of
the threat from the environment?
A. Eradication
B. Containment
C. Preparation
D. Recovery
Correct Answer: A
Expert Explanation: Eradication is the correct phase because it focuses on
eliminating the root cause of the incident and removing malicious components.
While containment stops the spread, eradication ensures the threat is no longer
present on affected systems. This stage often involves deleting malware, disabling
breached accounts, and patching vulnerabilities that were exploited. Architects must
plan for this phase to ensure that systems are clean before they return to
production. Following eradication, the recovery phase can begin to restore normal
operations and data.
3. What is the primary objective of a Continuous Monitoring strategy in cybersecurity
architecture?
A. To provide ongoing visibility into security posture and compliance
B. To eliminate all risks within the network infrastructure
,C. To replace the need for periodic vulnerability assessments
D. To automate the entire incident response process without human intervention
Correct Answer: A
Expert Explanation: The correct answer is B because continuous monitoring
provides real-time insights into an organization’s risk profile and security controls.
This approach allows security teams to detect anomalies and unauthorized changes
as they occur rather than waiting for an audit. By maintaining constant visibility,
organizations can respond more quickly to emerging threats and configuration drift.
It supports the Risk Management Framework by ensuring that security controls
remain effective over time. Continuous monitoring is a key requirement for modern
compliance frameworks and resilient architectures.
4. Which forensic principle dictates that digital evidence must be handled such that its
integrity is maintained from collection to the courtroom?
A. Order of Volatility
B. Root Cause Analysis
C. Evidence Seizure
D. Chain of Custody
Correct Answer: D
, Expert Explanation: Chain of custody is the correct answer because it documents
the chronological history of evidence handling to prevent tampering. Maintaining a
clear record of who accessed the evidence and when is vital for its admissibility in
legal proceedings. Architects must design logging and storage systems that support
the integrity and non-repudiation of forensic data. If the chain is broken, the
evidence may be deemed unreliable or invalid during a trial. This process is
fundamental to the forensic lifecycle in any cybersecurity investigation.
5. When prioritizing vulnerabilities for patching, what does a high CVSS environmental
score indicate?
A. The vulnerability is easy to exploit globally
B. The vulnerability is older and more well-known by attackers
C. The vulnerability has a significant impact based on the organization’s specific
context
D. The vulnerability only affects open-source software packages
Correct Answer: C
Expert Explanation: The correct answer is B because the environmental score
adjusts the base score based on factors unique to the specific implementation. This
score allows security engineers to prioritize patches for systems that are most
critical to their business operations. While the base score is static, the
Engineering Exam 3 Version 3 Questions with
Correct Answers and Expert Explanation for Each
Question
1. Which component of a SIEM system is responsible for converting log data from
various formats into a common format for analysis?
A. Storage Layer
B. Normalization Engine
C. Correlation Engine
D. Reporting Dashboard
Correct Answer: B
Expert Explanation: The correct answer is B because normalization ensures that
log data from disparate sources can be compared and analyzed effectively. This
process converts logs into a standardized format, allowing the SIEM to recognize
specific events across the environment. Without normalization, the correlation
engine would struggle to identify patterns across different vendor formats. This step
is critical for building efficient search queries and automated alerts within the
security operations center. Standardizing data facilitates better compliance
reporting and incident investigation speed.
,2. In the NIST Incident Response lifecycle, which phase involves the actual removal of
the threat from the environment?
A. Eradication
B. Containment
C. Preparation
D. Recovery
Correct Answer: A
Expert Explanation: Eradication is the correct phase because it focuses on
eliminating the root cause of the incident and removing malicious components.
While containment stops the spread, eradication ensures the threat is no longer
present on affected systems. This stage often involves deleting malware, disabling
breached accounts, and patching vulnerabilities that were exploited. Architects must
plan for this phase to ensure that systems are clean before they return to
production. Following eradication, the recovery phase can begin to restore normal
operations and data.
3. What is the primary objective of a Continuous Monitoring strategy in cybersecurity
architecture?
A. To provide ongoing visibility into security posture and compliance
B. To eliminate all risks within the network infrastructure
,C. To replace the need for periodic vulnerability assessments
D. To automate the entire incident response process without human intervention
Correct Answer: A
Expert Explanation: The correct answer is B because continuous monitoring
provides real-time insights into an organization’s risk profile and security controls.
This approach allows security teams to detect anomalies and unauthorized changes
as they occur rather than waiting for an audit. By maintaining constant visibility,
organizations can respond more quickly to emerging threats and configuration drift.
It supports the Risk Management Framework by ensuring that security controls
remain effective over time. Continuous monitoring is a key requirement for modern
compliance frameworks and resilient architectures.
4. Which forensic principle dictates that digital evidence must be handled such that its
integrity is maintained from collection to the courtroom?
A. Order of Volatility
B. Root Cause Analysis
C. Evidence Seizure
D. Chain of Custody
Correct Answer: D
, Expert Explanation: Chain of custody is the correct answer because it documents
the chronological history of evidence handling to prevent tampering. Maintaining a
clear record of who accessed the evidence and when is vital for its admissibility in
legal proceedings. Architects must design logging and storage systems that support
the integrity and non-repudiation of forensic data. If the chain is broken, the
evidence may be deemed unreliable or invalid during a trial. This process is
fundamental to the forensic lifecycle in any cybersecurity investigation.
5. When prioritizing vulnerabilities for patching, what does a high CVSS environmental
score indicate?
A. The vulnerability is easy to exploit globally
B. The vulnerability is older and more well-known by attackers
C. The vulnerability has a significant impact based on the organization’s specific
context
D. The vulnerability only affects open-source software packages
Correct Answer: C
Expert Explanation: The correct answer is B because the environmental score
adjusts the base score based on factors unique to the specific implementation. This
score allows security engineers to prioritize patches for systems that are most
critical to their business operations. While the base score is static, the
