Questions & Answers | Grade A+ | 100% Correct (Verified Solutions)
Question 1
A Chief Information Security Officer (CISO) is presenting a new security strategy to the
Board of Directors. To ensure the board approves the budget, what is the most important
factor the CISO should demonstrate?
A) The technical specifications of the new firewalls.
B) How the security strategy aligns with and supports the organization's business goals.
C) The number of attacks blocked in the last month.
D) The specific NIST controls that will be implemented.
E) The cost of the software compared to competitors.
Correct Answer: B) How the security strategy aligns with and supports the organization's
business goals.
Rationale: In Cybersecurity Management, strategic alignment is paramount. Executives care
about business value, revenue protection, and risk reduction. Technical details (A, D) and
operational metrics (C) are less effective at the board level than demonstrating how security
enables the business to succeed.
Question 2
An organization has identified a risk where a server failure could cost $10,000 in lost
business. This failure is expected to happen once every 4 years. What is the Annualized
Loss Expectancy (ALE)?
A) $2,500
B) $10,000
C) $40,000
D) $2,000
E) $5,000
Correct Answer: A) $2,500
Rationale: ALE is calculated as Single Loss Expectancy (SLE) × Annualized Rate of
Occurrence (ARO).
• SLE = $10,000.
• ARO = 1 time / 4 years = 0.25.
• ALE = $10,000 × 0.25 = **$2,500**.
Question 3
Which document specifically identifies critical business functions and calculates the
maximum tolerable downtime (MTD) for each?
A) Threat Assessment
B) Business Impact Analysis (BIA)
C) Incident Response Plan (IRP)
D) Vulnerability Scan Report
E) Service Level Agreement (SLA)
Correct Answer: B) Business Impact Analysis (BIA)
Rationale: The Business Impact Analysis (BIA) is the process used to determine the criticality
of business activities and associated resource requirements to ensure operational resilience. It
defines RTO, RPO, and MTD. The IRP (C) handles the response, but the BIA provides the data
to prioritize that response.
Question 4
A global company is updating its privacy policy to comply with GDPR. Which of the
following is a core requirement regarding data retention under GDPR?
A) Data must be kept indefinitely for historical analysis.
B) Data must be encrypted using only symmetric keys.
C) Data should not be kept longer than is necessary for the purposes for which it is processed.
D) Data must be stored on servers located within the US.
E) Data must be backed up to tape daily.
Correct Answer: C) Data should not be kept longer than is necessary for the purposes for
which it is processed.
Rationale: This is the principle of Storage Limitation. GDPR mandates that personal data must
not be retained once the original purpose for collection has been fulfilled, unless required by
other laws (e.g., tax records).
Question 5
During a security incident, the response team discovers an active malware infection on a
critical server. According to the PICERL (Preparation, Identification, Containment,
Eradication, Recovery, Lessons Learned) model, what should be the IMMEDIATE next
step?
A) Restore the server from backups.
B) Format the hard drive.
C) Contain the incident to prevent spread (e.g., disconnect from network).
D) Write a report for management.
E) Identify the hacker's location.
Correct Answer: C) Contain the incident to prevent spread (e.g., disconnect from network).
Rationale: After Identification comes Containment. Before you fix the issue (Eradication) or
restore data (Recovery), you must stop the bleeding. If you restore while the malware is still active,
the restored server will simply be reinfected.
Question 6
Management decides to purchase a cyber-insurance policy to cover potential financial
losses from data breaches. How is this risk management strategy classified?
A) Risk Avoidance
B) Risk Mitigation
C) Risk Acceptance
D) Risk Transfer (Sharing)
E) Risk Deterrence
Correct Answer: D) Risk Transfer (Sharing)
Rationale: Risk Transfer involves shifting the financial burden of a risk to a third party (like an
insurance company). Mitigation would be installing a firewall; Avoidance would be not
collecting the data at all; Acceptance would be doing nothing and budgeting for the loss.
Question 7
Which U.S. regulation specifically mandates security and privacy protections for Protected
Health Information (PHI)?
A) SOX (Sarbanes-Oxley)
B) FERPA
C) HIPAA
D) PCI DSS
E) GLBA (Gramm-Leach-Bliley Act)
Correct Answer: C) HIPAA
Rationale: The Health Insurance Portability and Accountability Act (HIPAA) governs the
security and privacy of medical records and other personal health information. SOX is for
corporate finance; FERPA is for education; PCI DSS is for credit cards; GLBA is for financial
institutions.
Question 8
A security manager is defining a "Standard" for password creation. How does a Standard
differ from a Guideline?
A) Standards are optional; Guidelines are mandatory.
B) Standards are mandatory; Guidelines are optional recommendations.
C) Standards are high-level goals; Guidelines are step-by-step instructions.
D) There is no difference.
E) Standards are external laws; Guidelines are internal.
Correct Answer: B) Standards are mandatory; Guidelines are optional recommendations.
Rationale: In the governance hierarchy: Policies are high-level requirements
(mandatory). Standards are specific metrics or rules (mandatory, e.g., "Passwords must be 12
chars"). Guidelines are advice or best practices (optional). Procedures are step-by-step
instructions.
Question 9
Which NIST Cybersecurity Framework (CSF) function involves the implementation of
safeguards to ensure delivery of critical infrastructure services (e.g., Access Control,
Awareness Training)?
A) Identify
B) Protect
C) Detect
D) Respond
E) Recover
Correct Answer: B) Protect
Rationale: The Protect function outlines appropriate safeguards to ensure delivery of critical
infrastructure services. It limits or contains the impact of a potential cybersecurity event.
Examples include Identity Management, Access Control, Awareness and Training, and Data
Security.
Question 10
An organization adopts a "Defense in Depth" strategy. Which of the following best
describes this approach?
A) Relying solely on a very strong perimeter firewall.
B) Using a single vendor for all security products to ensure compatibility.
C) Layering multiple security controls (physical, technical, administrative) so that if one fails,
another catches the threat.
D) Hiring former hackers to test the network.
E) Placing all servers in the cloud.
Correct Answer: C) Layering multiple security controls (physical, technical,
administrative) so that if one fails, another catches the threat.
Rationale: Defense in Depth (or layered security) ensures that there is no single point of failure.
It combines controls like firewalls, IDS, encryption, policies, and guards.
Question 11
When conducting a quantitative risk assessment, what does the "Exposure Factor" (EF)
represent?
A) The probability of the risk occurring.
B) The total value of the asset.