Written by students who passed Immediately available after payment Read online or as PDF Wrong document? Swap it for free 4.6 TrustPilot
logo-home
Exam (elaborations)

WGU D488 Cybersecurity Architecture Engineering CASP+ Comprehensive Final Exam Official Practice Exam Actual Exam 2026/2027 with Detailed Rationales | Complete Exam-Style Questions | Pass Guaranteed – A+ Graded

Rating
-
Sold
-
Pages
27
Grade
A+
Uploaded on
30-06-2026
Written in
2025/2026

WGU D488 Cybersecurity Architecture Engineering CASP+ Comprehensive Final Exam Official Practice Exam Actual Exam 2026/2027 – Real-Style Exam Questions | 100% Correct Answers | Enterprise Security Architecture | Risk Management | Cryptography | Zero Trust | Cloud Security | Incident Response | Security Operations | Threat Intelligence | Governance Compliance | Detailed Rationales | Graded A+ Verified – Pass Guaranteed – Instant Download

Show more Read less
Institution
WGU D488
Course
WGU D488

Content preview

WGU D488 Cybersecurity Architecture
Engineering CASP+ Comprehensive Final
Exam Official Practice Exam Actual Exam
2026/2027 with Detailed Rationales |
Complete Exam-Style Questions | Pass
Guaranteed – A+ Graded
══════════════════════════════════════
SECTION 1: SECURITY ARCHITECTURE & ENGINEERING FOUNDATIONS Q1 – Q10
══════════════════════════════════════

Question 1 of 50

A healthcare organization is migrating its EHR system to a hybrid cloud model. The security
architect must ensure that patient data encrypted at rest in the cloud remains inaccessible to
the cloud provider's administrators while still supporting indexed database queries for clinical
workflows. Which approach satisfies both requirements?

A. Bring Your Own Key (BYOK) with the cloud provider managing key storage and rotation
B. Database-level transparent data encryption using the provider's native key management
service
C. Client-side encryption with deterministic encryption for queryable fields and randomized
encryption for sensitive attributes ✓ CORRECT
D. Tokenization of all PHI fields with an on-premises tokenization server and batch
de-tokenization

Correct Answer: C
Rationale: Client-side encryption with deterministic encryption preserves queryability for
exact-match operations while ensuring the cloud provider never possesses decryption keys,
satisfying both confidentiality and functional requirements. BYOK often still permits the
provider to access keys for operational purposes, which violates the requirement for
exclusive customer control. In regulated hybrid cloud architectures, searchable encryption
techniques are increasingly used to maintain security without sacrificing clinical workflow
functionality.

Question 2 of 50

,A manufacturing company adopts DevSecOps and wants to integrate security testing into the
CI/CD pipeline without creating excessive build delays. The architect recommends a tool that
analyzes source code for vulnerabilities during the compilation phase without executing the
application. Which tool category matches this requirement?

A. Dynamic application security testing (DAST) with automated spidering and form
submission
B. Static application security testing (SAST) with data flow analysis and taint tracking ✓
CORRECT
C. Interactive application security testing (IAST) with runtime instrumentation and
agent-based monitoring
D. Runtime application self-protection (RASP) with embedded policy enforcement and attack
blocking

Correct Answer: B
Rationale: SAST examines source code, bytecode, or binaries without executing the
application, making it ideal for early integration into build pipelines where speed and
developer feedback loops are critical. DAST requires a running application and is typically
deployed in staging or production environments, introducing delays unsuitable for build-phase
integration. CASP+ exam scenarios frequently test the distinction between SAST (white-box,
pre-deployment) and DAST (black-box, runtime) deployment contexts.

Question 3 of 50

A defense contractor is designing a secure facility network that must enforce mandatory
access control (MAC) for all systems processing classified data. The architect needs to
ensure that data classification labels flow automatically between interconnected systems
without manual relabeling at each boundary. Which security architecture best supports this
requirement?

A. Bell-LaPadula with simple security property and *-property for confidentiality enforcement
B. Biba integrity model with strict integrity and invocation properties for data quality
assurance
C. Lattice-based access control with label-based mandatory access control (LBAC) and
trusted label export/import protocols ✓ CORRECT
D. Clark-Wilson model with constrained data items, transformation procedures, and
separation of duties

Correct Answer: C
Rationale: LBAC with trusted label export/import protocols ensures that security labels
propagate consistently across interconnected systems, maintaining MAC enforcement
without manual intervention at network boundaries. The Bell-LaPadula model defines
confidentiality rules but does not inherently specify cross-system label propagation
mechanisms, making it insufficient for this distributed architecture. In classified multi-system

, environments, label interoperability is typically implemented through trusted operating
systems and cross-domain guards that understand lattice-based label semantics.

Question 4 of 50

An e-commerce platform experiences seasonal traffic spikes that require rapid infrastructure
scaling. The security team must ensure that newly provisioned virtual instances
automatically inherit the organization's hardened baseline configuration, vulnerability scan
compliance, and continuous monitoring agent deployment. Which architectural control best
achieves this?

A. Immutable infrastructure with pre-hardened golden images and automated blue-green
deployments
B. Configuration management using agent-based pull models with scheduled enforcement
intervals
C. Infrastructure as Code (IaC) templates with embedded security group rules and user data
scripts
D. Automated image pipeline with CIS benchmarks, vulnerability validation, and orchestrator
integration ✓ CORRECT

Correct Answer: D
Rationale: An automated image pipeline that bakes CIS benchmarks, vulnerability validation,
and monitoring agents into golden images ensures that every provisioned instance starts
from a known-secure state rather than relying on post-deployment configuration. Immutable
infrastructure focuses on deployment strategy rather than image security provenance, and
configuration management alone cannot guarantee initial instance compliance at
provisioning time. Enterprise security architecture for elastic workloads increasingly relies
on secure image factories that integrate with cloud orchestrators to enforce security
baselines before instances accept traffic.

Question 5 of 50

A multinational bank is implementing a zero-trust architecture across its global branches.
The security architect needs to verify device health and user identity before granting access
to the treasury management system, regardless of whether the connection originates from
inside the corporate network or a remote location. Which foundational zero-trust principle
does this scenario best exemplify?

A. Never trust, always verify with dynamic risk-based access decisions ✓ CORRECT
B. Microsegmentation with software-defined perimeters for east-west traffic isolation
C. Least privilege with just-in-time administrative access controls and privilege elevation
workflows
D. Assume breach with continuous monitoring, deception technology, and threat detection
integration

Written for

Institution
WGU D488
Course
WGU D488

Document information

Uploaded on
June 30, 2026
Number of pages
27
Written in
2025/2026
Type
Exam (elaborations)
Contains
Questions & answers
$15.49
Get access to the full document:

Wrong document? Swap it for free Within 14 days of purchase and before downloading, you can choose a different document. You can simply spend the amount again.
Written by students who passed
Immediately available after payment
Read online or as PDF

Get to know the seller

Seller avatar
Reputation scores are based on the amount of documents a seller has sold for a fee and the reviews they have received for those documents. There are three levels: Bronze, Silver and Gold. The better the reputation, the more your can rely on the quality of the sellers work.
STUDYACEFILES (self)
View profile
Follow You need to be logged in order to follow users or courses
Sold
83
Member since
2 year
Number of followers
5
Documents
2001
Last sold
6 days ago
STUDYACEFILES

Welcome toSTUDYACEFILES store! We specialize in reliable test banks, exam questions with verified answers, practice exams, study guides, and complete exam review materials to help students pass on the first try. Our uploads support Nursing programs, professional certifications, business courses, accounting classes, and college-level exams. All documents are well-organized, accurate, exam-focused, and easy to follow, making them ideal for quizzes, midterms, finals, ATI & HESI prep, NCLEX-style practice, certification exams, and last-minute reviews. If you’re looking for trusted test banks, comprehensive exam prep, and time-saving study resources.

Read more Read less
3.9

14 reviews

5
5
4
4
3
4
2
1
1
0

Why students choose Stuvia

Created by fellow students, verified by reviews

Quality you can trust: written by students who passed their tests and reviewed by others who've used these notes.

Didn't get what you expected? Choose another document

No worries! You can instantly pick a different document that better fits what you're looking for.

Pay as you like, start learning right away

No subscription, no commitments. Pay the way you're used to via credit card and download your PDF document instantly.

Student with book image

“Bought, downloaded, and aced it. It really can be that simple.”

Alisha Student

Working on your references?

Create accurate citations in APA, MLA and Harvard with our free citation generator.

Working on your references?

Frequently asked questions