WGU D430 Fundamentals of Information Security OA
Actual Exam 2026 | Questions with Verified Answers |
100% Correct | Pass Guaranteed
SECTION 1: Security Concepts & Governance
Q1: Which component of the CIA triad ensures that information cannot be modified by
unauthorized parties?
A. Availability
B. Integrity
C. Confidentiality
D. Non-repudiation
Correct Answer: B
Rationale: Integrity guarantees that data remains accurate and unaltered unless
changed by authorized users. Confidentiality (C) focuses on preventing disclosure, while
Availability (A) ensures timely access; Non-repudiation (D) prevents denial of actions
but does not address modification.
Q2: A company is classifying data to comply with GDPR. Which GDPR principle requires
that only the minimum necessary personal data be collected?
A. Accuracy
B. Storage limitation
C. Data minimization
D. Purpose limitation
Correct Answer: C
Rationale: Data minimization mandates collecting only what is adequate, relevant, and
limited to the purposes of processing. Purpose limitation (D) restricts secondary use,
Storage limitation (B) governs retention, and Accuracy (A) concerns correctness.
Q3: During a risk assessment, a threat exploits a vulnerability that has no existing
control. Which Risk Management Framework step should be performed NEXT?
A. Identify
B. Assess
C. Respond
D. Monitor
Correct Answer: C
Rationale: After identifying and assessing risk, the Respond step selects mitigations
(accept, avoid, mitigate, transfer). Monitor (D) occurs after controls are implemented.
Q4: Which document provides senior-management approval and outlines the scope and
objectives of an information security program?
A. Information-security policy
B. Security-awareness training plan
C. Business-impact analysis
D. Risk register
Correct Answer: A
Rationale: A high-level policy establishes management intent, scope, and
responsibilities. A training plan (B) is tactical; a BIA (C) supports BC/DR; the risk register
(D) tracks specific risks, not the program charter.
Q5: A U.S. federal agency must implement controls categorized under FIPS 200. Which
document defines the control catalog referenced by FIPS 200?
A. NIST SP 800-37
B. NIST SP 800-53
C. NIST SP 800-30
D. NIST SP 800-171
Correct Answer: B
Rationale: SP 800-53 Rev 5 contains the control catalog mapped by FIPS 200. SP
800-37 (A) is the RMF process; 800-30 (C) covers risk assessment; 800-171 (D) applies
to CUI in non-federal systems.
Q6: An organization adopts ISO 27001. Which phase concludes with management
reviewing the ISMS for adequacy and effectiveness?
A. Plan
B. Do
C. Check
D. Act
Correct Answer: D