WGU D488 Cybersecurity Architecture and Engineering Questions and Correct Answers Exam 2026
What could cause Business Continuity and Disaster Recovery (BCDR) development
work to come to a halt, even if plans are in place?
A. Lack of leadership support for dedicating resources to testing activities
B. Incomplete system inventory
C. Unavailable staff resources
D. Inadequate metrics
A. Lack of leadership support for dedicating resources to testing activities
What must key strategic objectives and metrics development include to measure
operational success effectively?
A. Testing activities
B. Staff resources
C. Leadership support
D. Business Continuity and Disaster Recovery (BCDR) activities
D. Business Continuity and Disaster Recovery (BCDR) activities
A major retail company needs to set up alternate sites so that, despite any unforeseen
circumstances, there is as little impact on its operations as possible. Which of
the following would be the best setup?
A. Cold site
B. Warm site
C. Hot site
D. Mobile site
C. Hot site
Which type of alternate site provides close to real-time activation with little to no service
disruption but is the most expensive and complicated to implement?
A. Cold site
B. Warm site
C. Hot site
D. Mobile site
C. Hot site
What type of alternate site is simply a facility under the organization's control but lacks
pre-established information system capability?
A. Warm site
B. Cold site
C. Hot site
D. Mobile site
B. Cold site
Which type of alternate site includes a scaled-down data center that can run critical
systems and software but is not as immediately operational as a hot site?
A. Cold site
B. Warm site
C. Hot site
D. Mobile site
B. Warm site
What type of alternate site can be described as a "data center in a box" and is
commonly used by the military?
A. Hot site
B. Warm site
C. Cold site
D. Mobile site
D. Mobile site
A military unit is going into a foreign country and setting up a small data center for their
operations but wants to have an alternate option that is flexible and versatile. Which of
the following options would best suit their needs?
A. Cold site
B. Warm site
C. Hot site
D. Mobile site
D. Mobile site
A disaster recovery planner needs to focus prioritization efforts around operational
impact. The disaster recovery planner should focus on which system?
A. Demilitarized Zone
B. External systems
C. Systems with critical vulnerabilities
D. Mission critical systems
D. Mission critical systems
Which systems are most important for operational continuity and should be prioritized in
disaster recovery planning?
A. External systems
B. Systems with critical vulnerabilities
C. Demilitarized Zone (DMZ) systems
D. Mission critical systems
D. Mission critical systems
Why is it important to collaborate with business units when identifying mission critical
systems?
A. To determine the most critical vulnerabilities
B. To ensure that DMZ systems are prioritized
C. To gauge the operational impacts of an outage
D. To properly categorize external systems
C. To gauge the operational impacts of an outage
Why might Demilitarized Zone (DMZ) systems, despite their extra risk factor, not be
prioritized over mission critical systems in disaster recovery planning?
A. They are always more secure than mission critical systems
B. They are not essential for keeping operations running
C. They are external systems and not part of the internal network
D. They have fewer critical vulnerabilities
B. They are not essential for keeping operations running
What should be the top priority in disaster recovery planning over systems with critical
vulnerabilities?
A. Demilitarized Zone (DMZ) systems
B. Mission critical systems
C. External systems
D. Less critical vulnerabilities
B. Mission critical systems
A security architect is looking for examples of standards and regulations with
descriptions of Business Continuity and Disaster Recovery (BCDR) capabilities. Which
of the following are examples? (Select all that apply.)
1. SOX (Sarbanes-Oxley Act)
2. GLBA (Gramm-Leach-Bliley Act)
3. DRaaS (Disaster Recovery as a Service)
4. FFIEC (Federal Financial Institutions Examination Council)
A) 1, 2, 3
B) 1, 2, 4
C) 1, 3, 4
D) 2, 3, 4
B) 1, 2, 4
Which act related to fraudulent accounting includes descriptions of Business Continuity
and Disaster Recovery (BCDR) capabilities?
A. GLBA (Gramm-Leach-Bliley Act)
B. DRaaS (Disaster Recovery as a Service)
C. SOX (Sarbanes-Oxley Act)
D. FFIEC (Federal Financial Institutions Examination Council)
C. SOX (Sarbanes-Oxley Act)
Which act related to personal financial information includes requirements for Business
Continuity and Disaster Recovery (BCDR) capabilities?
A. SOX (Sarbanes-Oxley Act)
B. GLBA (Gramm-Leach-Bliley Act)
C. DRaaS (Disaster Recovery as a Service)
D. FFIEC (Federal Financial Institutions Examination Council)
B. GLBA (Gramm-Leach-Bliley Act)
Which council provides guidelines and standards for financial institutions, including
Business Continuity and Disaster Recovery (BCDR) capabilities?
A. SOX (Sarbanes-Oxley Act)
B. GLBA (Gramm-Leach-Bliley Act)
C. DRaaS (Disaster Recovery as a Service)
D. FFIEC (Federal Financial Institutions Examination Council)
D. FFIEC (Federal Financial Institutions Examination Council)
Which of the following is not a standard or regulation but a mechanism to achieve
Business Continuity and Disaster Recovery (BCDR) capabilities using public cloud
services?
A. SOX (Sarbanes-Oxley Act)
B. GLBA (Gramm-Leach-Bliley Act)
C. FFIEC (Federal Financial Institutions Examination Council)
D. DRaaS (Disaster Recovery as a Service)
D. DRaaS (Disaster Recovery as a Service)
A security analyst is setting up documents for the outputs of the test or incident, along
with recommendations based on the outputs and findings. Which standard should the
analyst reference?
A. NIST 800-53 (Security and Privacy Controls for Information Systems)
B. NIST 800-61 (Computer Security Incident Handling Guide)
C. NIST 800-84
D. ISO standard 15408
C. NIST 800-84
Which NIST Special Publication provides a guide to test, training, and exercise
programs for IT plans and includes an after-action report template to help with
documentation and findings?
A. NIST 800-53 (Security and Privacy Controls for Information Systems)
B. NIST 800-61 (Computer Security Incident Handling Guide)
C. NIST 800-84
D. ISO standard 15408
C. NIST 800-84
Which NIST Special Publication outlines necessary controls for audits of information
systems used for certification, focusing on security and privacy?