Study Guide
How to Use This Guide: Use these questions to test your knowledge. The "ANSWER ✓"
format is designed for quick review. Cover the answers, attempt the question, and then
check your understanding.
Module 1: The Information Security Environment
1. What is the core objective of information security?
ANSWER ✓ To protect the confidentiality, integrity, and availability of information and
information systems. This is known as the CIA Triad.
2. Define Confidentiality in the CIA Triad.
ANSWER ✓ Ensuring that information is not disclosed to unauthorized individuals,
entities, or processes.
3. Define Integrity in the CIA Triad.
ANSWER ✓ Guarding against improper information modification or destruction,
ensuring information non-repudiation and authenticity.
4. Define Availability in the CIA Triad.
ANSWER ✓ Ensuring timely and reliable access to and use of information by authorized
users.
5. What is the difference between a threat, a vulnerability, and a risk?
ANSWER ✓ A threat is any event that can cause harm. A vulnerability is a weakness
that can be exploited. Risk is the potential for loss or damage when a threat exploits a
vulnerability.
6. What is the primary purpose of a risk management program?
ANSWER ✓ To identify, assess, and mitigate risks to an acceptable level, thereby
protecting the organization's assets and operations.
7. What are the common categories of threats?
ANSWER ✓ Natural, human (intentional/unintentional), and environmental.
8. What is the difference between quantitative and qualitative risk assessment?
ANSWER ✓ Quantitative uses numerical values (e.g., monetary costs,
probabilities). Qualitative uses subjective measures like "High," "Medium," or "Low"
based on expert opinion.
9. What are the four standard risk response strategies?
ANSWER ✓ Accept, Avoid, Mitigate, and Transfer.
10. What is the purpose of an organization's security policy?
ANSWER ✓ To define the strategic security goals, assign responsibilities, and establish
the organization's stance on security.
Module 2: Security Operations
11. What is the principle of Least Privilege?
ANSWER ✓ Users and processes should be granted only the minimum levels of access
necessary to perform their authorized functions.
12. What is the purpose of an Incident Response Plan (IRP)?
ANSWER ✓ To provide a structured methodology for handling a security incident in
order to limit damage and reduce recovery time and costs.
13. What are the six phases of the NIST Incident Response Lifecycle?
ANSWER ✓ Preparation, Detection & Analysis, Containment, Eradication & Recovery,
and Post-Incident Activity.
14. What is the difference between a disaster recovery plan (DRP) and a business
continuity plan (BCP)?
ANSWER ✓ A DRP focuses on restoring IT systems and operations after a disaster.
A BCP is broader and focuses on maintaining all essential business functions during and
after a disaster.
15. What is the purpose of a Business Impact Analysis (BIA)?
ANSWER ✓ To identify and prioritize critical business functions and the potential impact
of a disruption, which informs the BCP and DRP.
16. What are the three main types of security controls?
ANSWER ✓ Administrative, Technical, and Physical.