WGU C725 QUESTIONS AND ANSWERS
2025
Code of Ethics canons described under 'Protect society, the
commonwealth, and the infrastructure' - correct answer- 1.
Promote and preserve public trust and confidence in
information and systems. 2. Promote the understanding and
acceptance of prudent information security measures. 3.
Preserve and strengthen the integrity of the public
infrastructure. 4. Discourage unsafe practice.
Role Based Access Control (RBAC) - correct answer- A Role
Based Access Control (RBAC) model can group users into
roles based on the organization's hierarchy, and it is a
nondiscretionary access control model. A nondiscretionary
access control model uses a central authority to determine
which objects subjects can access.
The preventive measures to reduce the potential for a data breach are: -
correct answer- 1. Support for controls from management 2.
Policies based on business objectives 3. A complete
understanding of the types of control required 4. A cost analysis
of controls and cost assessment of a potential breach 5.
Employee security education, training, and awareness
Capability tables - correct answer- Capability tables are created
for each subject, and they identify the objects that the subject
can access. It includes the authorization rights of the access
control subject such as read, write, execute, and so on.
ACLs (access control lists) - correct answer- ACLs (access
control lists) are lists of subjects that are authorized to access a
specific object.
access control matrix - correct answer- An access control
matrix is a table that includes subjects, objects, and assigned
privileges.
Aggregation - correct answer- Aggregation is a process in
which a user collects and combines information from various
sources to obtain complete information. The individual parts of
information are at the correct sensitivity, but the combined
information is not. A user can combine information available at
a lower privilege, thereby reducing the information at a higher
privilege level.
inference attacks - correct answer- Inference attacks are attacks in
which the subject deduces the complete information about an object
from the bits of information collected through aggregation. Therefore,
inference is the ability of a subject to derive implicit information.
A protection mechanism to limit inferencing of information in
statistical database queries is specifying a minimum query set
size, but prohibiting the querying of all but one of the records in
the database.
Polyinstantiation - correct answer- Polyinstantiation, also known
as data contamination, is used to conceal classified information
that exists in a database and to fool intruders. Polyinstantiation
ensures that users with lower access level are not able to
access and modify data categorized for a higher level of access
in a multi-level database. Polyinstantiation can be used to
reduce data inference violations. When polyinstantiation is
implemented, two objects are created by using the same
primary keys. One object is filled with incorrect information and
is deemed unclassified, and the other object contains the
original classified information. When a user with lower level
privileges attempts to access the object, the user is directed to
the object containing incorrect information. Polyinstantiation is
concerned with the same primary key existing at different
classification levels in the same database.
Scavenging - correct answer- Scavenging, also referred to as
browsing, involves looking for information without knowing its
format. Scavenging is searching the data residue in a system to
gain unauthorized knowledge of sensitive data.
Identification - correct answer- Identification is the method used
by a user or process to claim who they are or to assert who
they claim to be. Identification involves supplying your user
name, account number, or some other form of personal
identification. It is the means by which a user provides a claim
of his or her identity to a system.
Authentication - correct answer- Authentication is the process
of being recognized by a system. Authentication involves
supplying a second piece of information, such as a password,
that is checked against a database for accuracy. If this piece of
information matches the stored information, the subject is
authenticated. It is the testing or reconciliation of evidence of a
user's identity.
Components of the Common Criteria protection profile - correct
answer- The protection profile contains a set of security
requirements including functionality and assurance criteria for a
product and the rationale behind such requirements. The
corresponding evaluation assurance level (EAL) rating intended
for the product is also specified. The environmental conditions,
the expected functionality, the assurance levels, and the product
objectives are also included in the protection profile when the
product is evaluated by the Common Criteria for a target
evaluation rating. Evaluation tests are performed for the
targeted rating awarded to the target of evaluation, and the
results are verified before granting an EAL rating to the
intended product. Components of the Common Criteria
protection profile include Target of Evaluation (TOE)
description, threats against the product that must be
addressed, and security objectives.