WGU D430 Fundamentals of Information Security
Objective Assessment 2026 Complete exam questions
with verified detailed answers
Q1: CIA Triad, Governance, Risk, & Compliance (GRC)
A hospital’s electronic health-record system is being audited after several patient files were
altered without authorization. Which core security principle has been MOST directly violated?
A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: B
Rationale: Integrity ensures that data has not been modified or tampered with in an
unauthorized manner (ISO 27001 A.8.1, NIST SP 800-53 SI-7). Because the files were changed
without permission, the hospital cannot trust the accuracy of the data—an integrity failure.
Confidentiality (A) relates to disclosure, Availability (C) to timely access, and Non-repudiation
(D) to undeniable proof of action; none were the primary issue here.
Q2: CIA Triad, Governance, Risk, & Compliance (GRC)
A U.S. state agency that processes driver’s-license data must comply with which federal law that
REQUIRES an annual privacy assessment and mandates safeguards for personally identifiable
information (PII)?
A. FISMA
B. HIPAA
C. GLBA
D. SOX
Answer: A
Rationale: The Federal Information Security Modernization Act (FISMA) requires federal
agencies and their contractors to conduct annual privacy-impact assessments and implement
NIST SP 800-53 controls to protect PII (44 U.S.C. § 3554). HIPAA (B) covers health data, GLBA (C)
financial institutions, and SOX (D) public-company financial reporting—none apply universally to
state DMV data.
Q3: Security Frameworks & Controls
Which NIST Cybersecurity Framework (CSF) category BEST describes the activity of creating and
maintaining a hardware inventory that records every router, switch, and firewall in an
enterprise?
A. ID.AM-1
B. PR.AC-3
C. DE.AE-2
D. RS.CO-1
Answer: A
Rationale: ID.AM-1 (Identify → Asset Management → “Physical devices and systems within the
organization are inventoried”) mandates maintaining a current list of hardware assets. PR.AC-3
(B) covers remote access, DE.AE-2 (C) anomaly analysis, and RS.CO-1 (D) response planning—
none directly address asset inventory.
Q4: Asset Security & Data Protection
A company tags all laptops with encrypted asset IDs and stores them in a bar-code database.
Which ISO 27001 control objective is PRIMARILY supported?
A. A.5 – Information security policies
B. A.8.1 – Inventory of assets
C. A.12.3 – Information backup
D. A.16.1 – Incident management
Answer: B
Rationale: ISO 27001 Annex A.8.1 requires an inventory of assets to maintain accountability and
traceability. Tagging laptops supports this objective by ensuring every physical asset is recorded
and tracked.
Q5: Network & Infrastructure Security
A network engineer wants to stop an attacker who has stolen valid VPN credentials from
accessing the corporate LAN at 02:00 a.m. from an unknown IP geolocation. Which control type
should be implemented?
A. Preventive
B. Detective
C. Corrective
D. Deterrent
Answer: A
Rationale: Geo-blocking and time-based access rules on the VPN gateway are preventive
controls (NIST SP 800-53 AC-2, AC-3) that stop the session before it enters the network.
Detective (B) would log it; corrective (C) would undo damage afterward; deterrent (D)
discourages but does not block.
Q6: Identity & Access Management (IAM)
Which authentication factor category is demonstrated when a user signs in by looking into an
infrared camera that maps retinal blood-vessel patterns?
A. Something you know
B. Something you have
C. Something you are
D. Something you do
Answer: C
Rationale: Biometric retina scanning is “something you are,” an inherence factor (NIST SP 800-63B 4.2).
It relies on a unique physiological characteristic rather than knowledge, possession, or behavior.
Q7: Security Operations & Incident Response
During which NIST incident-response life-cycle phase is a lessons-learned report MOST
commonly drafted?
A. Preparation
B. Detection & Analysis
C. Containment, Eradication & Recovery
D. Post-Incident Activity
Answer: D
Rationale: NIST SP 800-61r2 labels “Post-Incident Activity” as the phase where teams
summarize what happened, document evidence, and produce a lessons-learned report to
improve future response.
Q8: CIA Triad, Governance, Risk, & Compliance (GRC)
A publicly traded retailer must file an annual report that includes an attestation on the
effectiveness of internal controls over financial reporting. Which SOX section mandates this
requirement?
A. Section 404
B. Section 302
C. Section 201
D. Section 802
Answer: A
Rationale: SOX §404 requires management and external auditors to report on the adequacy of
internal controls over financial reporting. Section 302 (B) covers quarterly certifications, while
Sections 201 (C) and 802 (D) address auditor independence and record retention, respectively.
Q9: Security Frameworks & Controls
An organization maps each CIS Critical Security Control to corresponding NIST SP 800-53
controls and documents the linkage. Which CIS control phase does this activity exemplify?
A. Inventory and Control of Hardware Assets
B. Continuous Vulnerability Management
C. Control Systems Design and Mapping
D. Governance and Risk Management
Answer: C
Rationale: CIS v8 “Implementation Group” guidance includes mapping CIS controls to other
frameworks (e.g., NIST) under the umbrella of control design and alignment, ensuring layered
coverage.
Q10: Asset Security & Data Protection
Data custodians are PRIMARILY responsible for which task within an information-governance
model?