COMPLETE QUESTIONS AND CORRECT ANSWERS WITH RATIONALES | ALREADY
GRADED A+||BRAND NEW VERSION!!
Question 1
SAGE currently lacks a comprehensive approach to securing organizational assets and protecting
EU customer data. Which framework would be most appropriate for establishing a baseline for
information security management?
A) HIPAA
B) NIST SP 800-53
C) ISO/IEC 27001
D) FERPA
E) SOX
Correct Answer: C) ISO/IEC 27001
Rationale: ISO/IEC 27001 is a globally recognized standard for establishing, implementing,
maintaining, and continually improving an Information Security Management System
(ISMS). Since SAGE lacks a comprehensive approach and handles international data (EU),
ISO 27001 provides the most versatile and globally accepted framework to address these
multi-faceted gaps. The other options do not fit: HIPAA, FERPA, and SOX are US sector-specific
laws (health, education, and financial reporting), and NIST SP 800-53 is a control catalog
written for US federal systems rather than a certifiable management-system standard.
Question 2
According to the report, SAGE processes card payments but lacks documentation regarding
compliance. Which industry standard is SAGE required to follow due to these activities?
A) GDPR
B) HIPAA
C) PCI-DSS
D) GLBA
E) FISMA
Correct Answer: C) PCI-DSS
Rationale: The Payment Card Industry Data Security Standard (PCI-DSS) is a set of
security requirements that applies to ALL companies that accept, process, store, or
transmit cardholder data. SAGE specifically processes card payments, so PCI-DSS is the
direct requirement for its transaction activities. Note that PCI-DSS is not a law; it is a
contractual obligation imposed through the card brands and SAGE's acquiring bank, and
non-compliance is enforced through fines and loss of the ability to accept cards.
Question 3
SAGE’s GRC team is currently understaffed. What does the acronym GRC stand for in a
cybersecurity management context?
A) General Risk Controls
B) Governance, Risk, and Compliance
C) Global Regulatory Coordination
D) Government Risk and Contingency
E) Grouped Risk and Compliance
Correct Answer: B) Governance, Risk, and Compliance
Rationale: GRC is a strategy for managing an organization's overall governance, enterprise
risk management, and compliance with regulations and industry standards. The scenario
notes that while operational goals are met, the GRC team is understaffed, leading to lapses
in adherence to obligations such as GDPR and PCI-DSS.
Question 4
Only 10% of current employees at SAGE have taken Cybersecurity Awareness training. To
improve security posture, how should this training be administered going forward?
A) On an "as-needed" basis
B) Only to IT department staff
C) Voluntarily during lunch breaks
D) Mandated for all employees with periodic refreshers
E) Only during the initial hiring process
Correct Answer: D) Mandated for all employees with periodic refreshers
Rationale: Cybersecurity is a shared responsibility. Section B of the document specifies that
the training must be mandatory for all new hires and current employees, including periodic
refreshers, to mitigate social engineering and phishing risks which are high-risk areas for
SAGE.
Question 5
SAGE lacks a Business Continuity Plan (BCP). What is the primary purpose of a BCP?
A) To identify and prosecute hackers after a breach
B) To provide procedures for restoring operational capabilities after a disruption
C) To encrypt all customer data at rest
D) To manage the payroll during a company merger
E) To monitor employee internet usage
Correct Answer: B) To provide procedures for restoring operational capabilities after a
disruption
Rationale: A Business Continuity Plan (BCP) focuses on keeping business functions running
or restoring them quickly in the event of a major disruption, such as the natural disasters
SAGE is at risk for due to its distribution center locations.
Question 6
The scenario mentions that SAGE has an "incomplete Incident Response Plan (IRP)." What is a
critical missing element in their current IRP according to the report?
A) A list of all software licenses
B) Marketing strategies for post-incident PR
C) Clear roles and responsibilities for the incident response team
D) A list of competitors’ security flaws
E) The CEO’s personal home address
Correct Answer: C) Clear roles and responsibilities for the incident response team
Rationale: Effective incident response requires a structured approach. The report explicitly
states that SAGE’s IRP deviates from best practices because it lacks defined roles,
responsibilities, and minimum procedures for handling and analyzing attacks.
Question 7
Under GDPR, SAGE must implement measures to protect the use, collection, and storage of data
from EU consumers. Which principle requires that SAGE only collects data necessary for a
specific purpose?
A) Integrity and Confidentiality
B) Accuracy
C) Storage Limitation
D) Data Minimization
E) Accountability
Correct Answer: D) Data Minimization
Rationale: Data Minimization is a core GDPR principle stating that personal data shall be
adequate, relevant, and limited to what is necessary in relation to the purposes for which
they are processed. This directly addresses SAGE’s lack of specific measures for EU
consumer data storage.
Question 8
PCI-DSS requires that SAGE does not store "authentication data" after authorization. What is an
example of this data?
A) The cardholder's name
B) The 16-digit Primary Account Number (PAN)
C) The CVV or CID code
D) The card's expiration date
E) The customer's billing zip code
Correct Answer: C) The CVV or CID code
Rationale: Sensitive Authentication Data (SAD), which includes the full track data from
the magnetic stripe or chip, the card verification code (CVV2/CVC2/CID), and the PIN or
PIN block, must never be stored after authorization according to PCI-DSS Requirement 3.
The other options are cardholder data that may be stored, but the PAN must then be
rendered unreadable (for example by truncation, a keyed hash, tokenization, or strong
encryption) and masked when displayed. SAGE is currently failing to document or
implement these specific storage controls.
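The practical control behind this question is a scrubbing step that runs on every payment record before it is written to a database or a log. The following Python is an added example, not code from the SAGE report or from any PCI document: it drops SAD fields outright, replaces the PAN with a display mask and a keyed hash, and redacts any PAN that has leaked into free-text fields. The field names, the sample record and the hashing key are assumptions constructed for the demo.

```python
"""Scrub a post-authorization payment record before it is persisted or logged.

Added illustration for the PCI-DSS Requirement 3 discussion above. The field
names (pan, cvv, track2, ...), the sample record and DEMO_HASH_KEY are assumptions
made for this example; a real deployment would take the key from a key manager.
"""
import hashlib
import hmac
import re
from typing import Any

# Sensitive Authentication Data: must never be stored after authorization (PCI-DSS Req. 3).
SAD_FIELDS = frozenset({
    "cvv", "cvv2", "cvc", "cvc2", "cid", "cav2",
    "track1", "track2", "track_data", "pin", "pin_block",
})

# Assumed demo key; in production the key is managed under PCI-DSS key-management rules.
DEMO_HASH_KEY = b"demo-key-do-not-use-in-production"

# A run of 13-19 digits, optionally separated by spaces or dashes, not adjacent to other digits.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check used to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display mask showing at most the first 6 and last 4 digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes = DEMO_HASH_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN for matching without storing it in the clear."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def redact_embedded_pans(text: str) -> str:
    """Mask any Luhn-valid 13-19 digit run hidden in free text (notes, error messages)."""
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return _DIGIT_RUN.sub(_sub, text)


def find_sad_fields(record: dict[str, Any]) -> list[str]:
    """Names of SAD fields present in the record, for an audit log of what was dropped."""
    return [k for k in record if k.lower() in SAD_FIELDS]


def sanitize_for_storage(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record that is safe to persist after authorization."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        lk = key.lower()
        if lk in SAD_FIELDS:
            continue  # drop SAD entirely; it is never written anywhere
        if lk == "pan":
            out["pan_masked"] = mask_pan(str(value))
            out["pan_token"] = pan_token(str(value))
            continue
        if isinstance(value, str):
            value = redact_embedded_pans(value)  # catch PANs leaked into text fields
        out[key] = value
    return out


# Constructed sample record; the card number is a well-known test PAN, not a real card.
SAMPLE_RECORD = {
    "order_id": "A-1001",
    "cardholder": "J. Doe",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "track2": "4111111111111111=27121010000000000",
    "auth_code": "A1B2C3",
    "notes": "customer called back, card 4111111111111111 declined first time",
}

if __name__ == "__main__":
    print("dropped SAD fields:", find_sad_fields(SAMPLE_RECORD))
    print(sanitize_for_storage(SAMPLE_RECORD))
```

The expiry date and cardholder name pass through because PCI-DSS permits storing them; only the PAN needs protection among the stored elements. The free-text redaction is the piece most teams forget: the notes field in the sample would otherwise put a full PAN into a CRM or log store that sits outside the cardholder data environment.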
Question 9
The report suggests SAGE needs a Qualified Security Assessor (QSA). What is the role of a
QSA?
A) To write the company’s software code
B) To perform annual evaluations of PCI-DSS compliance
C) To manage the company's social media accounts
D) To act as the company's legal counsel in the EU
E) To replace the Chief Information Officer (CIO)
Correct Answer: B) To perform annual evaluations of PCI-DSS compliance
Rationale: A QSA is an assessor qualified by the PCI Security Standards Council (the
qualification is held by the assessor company, whose individual QSA employees perform
the work) to validate merchants' and service providers' compliance with PCI-DSS and
produce a Report on Compliance. Section B, point 3 of the SAGE report recommends a QSA
for annual evaluations. Whether a QSA-led assessment is mandatory depends on SAGE's
merchant level as set by its acquirer and the card brands; lower-volume merchants may
instead complete a Self-Assessment Questionnaire.
Question 10
SAGE distribution centers are at a "significantly higher risk of natural disasters." Which type of
risk assessment should be prioritized to address this?
A) Qualitative risk assessment based on employee opinions
B) Quantitative risk assessment regarding physical asset location
C) Competitive risk assessment against other retailers
D) Marketing risk assessment
E) Software version risk assessment
Correct Answer: B) Quantitative risk assessment regarding physical asset location
Rationale: Quantitative risk assessments use numerical values to estimate the likelihood
and impact of risks, typically as an annualized loss expectancy (single loss expectancy
multiplied by the annualized rate of occurrence). Given the geographical exposure of the
distribution centers to natural disasters, calculating the potential financial loss and
downtime per site is critical input for the BCP SAGE currently lacks and for deciding
which mitigations (relocation, redundant sites, insurance) are worth their cost.
Question 11
SAGE needs to hire three employees specializing in GRC. Why is well-defined role definition
important for these new hires?
A) So they can take over the HR department
B) To ensure accountability and coverage of technological standards like GDPR and PCI-DSS
C) To allow them to work from home indefinitely
D) To reduce the salary requirements for the positions
E) To ensure they all report to the marketing manager
Correct Answer: B) To ensure accountability and coverage of technological standards like
GDPR and PCI-DSS
Rationale: Section B, point 1 emphasizes that these roles must be well-defined and well-