Questions And Correct Answers With Rationales / D488 Cybersecurity Architecture And Engineering OA Test Bank 4 (Brand New!)
A security engineer at a software company is currently analyzing its supply chain.
What would the company's supply chain most likely involve? Select 3 answers.
A - Chips
B - Source code repositories
C - Development language
D - Third-party libraries
B, C, & D; Source code repositories, development language, and third-party libraries
Platforms where developers store and manage their code play a significant role.
Examples like GitHub, GitLab, and Bitbucket are vital components of many
modern software supply chains. Events such as Microsoft's acquisition of GitHub
highlight the importance of these repositories in the software supply chain.
The programming language can have various implications, such as the libraries and
frameworks a company might use and their target platforms.
Third-party libraries are often integrated into software projects to expedite
development. They can also represent security risks if they aren't updated regularly
or originate from untrusted sources.
Chips are not as likely to be involved in software company supply chains but are
much more likely to be part of companies that sell hardware.
A U.S. government agency has contracted a risk auditor to conduct a risk
assessment. Which of the following frameworks should the auditor use?
A - ISO 31000
B - COBIT
C - NIST RMF
D - COSO
C - NIST RMF (Risk Management Framework)
The National Institute of Standards and Technology Risk Management Framework
(NIST RMF) defines standards that US Federal Agencies must use to assess and
manage cybersecurity risks.
The International Organization for Standardization (ISO) is one of the world's
largest developers of standards. Many international organizations have adopted
ISO standards to establish a common taxonomy among diverse industries.
The Control Objectives for Information and Related Technologies (COBIT) is a
framework created and maintained by the Information Systems Audit and Control
Association (ISACA). COBIT frames IT risk from a business leadership
viewpoint.
The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) is an initiative of five private sector organizations collaborating on the
development of risk management frameworks.
A security project manager is considering transitioning to a cloud-based strategy
for a company. The company currently operates with a minimal team in their data
center services and aims to reduce their responsibilities while maintaining service
quality. Which cloud solution would require the least amount of management and
maintenance from this team?
A - IaaS
B - PaaS
C - SaaS
D - On-site
C - SaaS
Software as a Service (SaaS) represents the lowest amount of responsibility for the
customer as the facilities, utilities, physical security, platform, and applications are
the provider's responsibility.
Infrastructure as a Service (IaaS) provides hardware hosted at a provider facility,
using the provider's physical security controls and utilities, such as power.
Platform as a Service (PaaS) provides a selection of operating systems loaded and
configured by the customer. The underlying infrastructure, facilities, utilities, and
physical security are the provider's responsibility.
On-premise would not alleviate the company's workload since it would still remain
on-site, and they would be responsible for everything.
A security architect for an organization is conducting an internal assessment on
current policies, processes, and procedures to ensure protection for the business's
technology and financial operations. Which of the following would be best suited
to support this assessment?
A - STAR
B - SOC
C - ISO
D - CMMC
B - SOC
System and Organization Controls (SOC) uses standards established by the
American Institute of Certified Public Accountants (AICPA) to evaluate policies,
processes, and procedures to protect technology and financial operations.
The Cloud Security Alliance (CSA) Security Trust and Risk (STAR) program
demonstrates a cloud service provider's adherence to key principles of transparency,
auditing, and best practice security operations.
International Organization for Standardization (ISO) audits can evaluate many
aspects of an organization. However, in terms of cybersecurity, an audit for
compliance with the ISO 27k standard is most relevant.
Cybersecurity Maturity Model Certification (CMMC) is a set of cybersecurity
standards developed and designed by the United States Department of Defense
(DoD) to help fortify the DoD supply chain.
A vulnerability management lead for a major company is working with various
teams to keep their company secure, but there are a significant number of legacy
systems the company worries about, so the management lead recommends
purchasing an insurance policy. What type of risk strategy is this?
A - Risk avoidance
B - Risk acceptance
C - Risk mitigation
D - Risk transference
D - Risk transference
Risk transference (or sharing) refers to assigning risk to a third party. Purchasing
an insurance policy most typically exemplifies risk transference.
Risk avoidance means to stop doing the activity considered to be risk-bearing.
Risk acceptance means that an identified risk area has been evaluated and results in
an agreement to continue operating the software, hardware, processes, actions, or
other types of similar tasks, despite the identified risks.
Risk mitigation is the overall process of reducing exposure to, or the effects of, risk
factors. This is where the work of risk management really comes into focus.
A security architect is planning a Statement of Work to perform services at various
levels of the Risk Management Lifecycle. The security architect should allocate the
most hours to which phase?
A - Identify
B - Assess
C - Control
D - Review
C - Control
The control phase identifies effective ways to reduce identified risks. The effective
identification and implementation of these controls represent a significant amount
of the work effort undertaken by security practitioners.
The identify phase includes the identification of risk items. In accordance with the