Exam (elaborations)

Cybersecurity Management (D489) – WGU – 2026 | Complete Exam Practice Questions with Answers

Pages
34
Grade
A+
Uploaded on
16-01-2026
Written in
2025/2026

This document contains a comprehensive set of 100 practice questions with correct answers and detailed rationales for the WGU Cybersecurity Management (D489) course. It covers core topics such as governance, risk management, NIST frameworks, PCI DSS, GDPR, incident response, business continuity, and security controls. The material is fully updated for 2026 and is well suited for exam preparation, revision, and concept reinforcement.

Institution
WGU D489 TASK 1 | CYBERSECURITY MANAGEMENT
Course
WGU D489 TASK 1 | CYBERSECURITY MANAGEMENT


Content preview

WGU D489 TASK 1 | CYBERSECURITY MANAGEMENT | 2026 UPDATE

Question 1
Which of the following best describes the primary goal of cybersecurity governance within an
organization?
A) To implement the most expensive technical controls available.
B) To ensure that security activities align with business objectives and risk appetite.
C) To eliminate all possible risks to the information systems.
D) To focus solely on complying with international laws.
E) To manage the daily operations of the firewall and IDS.

Correct Answer: B) To ensure that security activities align with business objectives and risk
appetite.
Rationale: Governance is the high-level oversight that ensures security supports the
business goals rather than hindering them. It involves setting the strategic direction,
ensuring objectives are achieved, and verifying that risks are managed appropriately
according to the organization's tolerance.

Question 2
When creating a Cybersecurity Management Plan for Sage Books, why is it critical to identify
"Gaps" in the current security posture?
A) To justify the firing of the current IT staff.
B) To fulfill a requirement for the marketing department.
C) To determine where the organization fails to meet standards like NIST or PCI DSS.
D) To increase the budget for the following fiscal year without evidence.
E) To ensure that the company can sue its vendors for negligence.

Correct Answer: C) To determine where the organization fails to meet standards like NIST
or PCI DSS.
Rationale: Gap analysis is a fundamental step in cybersecurity management. By comparing
the current state to a desired future state (often defined by frameworks like NIST CSF or
regulatory standards like PCI DSS), management can prioritize investments and
remediation efforts.

Question 3
Which NIST Cybersecurity Framework (CSF) function is primarily concerned with developing
the organizational understanding to manage cybersecurity risk to systems, assets, data, and
capabilities?
A) Protect
B) Detect
C) Respond
D) Identify
E) Recover

Correct Answer: D) Identify
Rationale: The "Identify" function focuses on the foundational understanding of the
business context, the resources that support critical functions, and the related cybersecurity
risks. This allows an organization to focus and prioritize its efforts.

Question 4
Under PCI DSS requirements, what is the minimum frequency for performing external
vulnerability scans?
A) Monthly
B) Bi-annually
C) At least quarterly
D) Every two years
E) Once a week

Correct Answer: C) At least quarterly
Rationale: PCI DSS Requirement 11.2 specifically mandates that organizations perform
internal and external network vulnerability scans at least quarterly and after any
significant change in the network (such as new system component installations, changes in
network topology, etc.).

Question 5
In the context of the GDPR, what is the primary role of a Data Protection Officer (DPO)?
A) To write the code for data encryption.
B) To serve as the primary salesperson for data privacy software.
C) To monitor compliance with GDPR and act as a point of contact for data subjects and
authorities.
D) To manage the physical security of the data center.
E) To authorize the sale of personal data to third-party marketing firms.

Correct Answer: C) To monitor compliance with GDPR and act as a point of contact for data
subjects and authorities.
Rationale: The DPO is a mandatory role for certain organizations under GDPR. Their task
is to inform and advise the organization about their obligations, monitor compliance, and
serve as a liaison between the company and regulatory bodies.

Question 6
Which of the following is an example of an "Administrative Control"?
A) A firewall rule blocking port 80.
B) An Acceptable Use Policy (AUP) signed by all employees.
C) A biometric scanner at the entrance of the server room.
D) Data encryption at rest using AES-256.
E) An Intrusion Prevention System (IPS).

Correct Answer: B) An Acceptable Use Policy (AUP) signed by all employees.
Rationale: Administrative controls (also known as managerial controls) are the policies,
procedures, and guidelines defined by management to direct employee behavior and ensure
the organization's security goals are met.

Question 7
What is the primary purpose of a "Security Steering Committee"?
A) To perform daily log analysis.
B) To provide high-level oversight and ensure cross-functional collaboration on security
initiatives.
C) To repair broken hardware in the data center.
D) To conduct penetration testing on web applications.
E) To handle customer support tickets related to forgotten passwords.

Correct Answer: B) To provide high-level oversight and ensure cross-functional
collaboration on security initiatives.
Rationale: A Security Steering Committee typically includes leaders from various
departments (IT, Legal, HR, Finance). This ensures that security is integrated into all
business units and that the security strategy has executive buy-in.

Question 8
In risk management, "Residual Risk" is defined as:
A) The total risk present before any controls are implemented.
B) The risk that is transferred to an insurance company.
C) The risk that remains after management has implemented security controls.
D) The risk associated with natural disasters only.
E) The financial cost of a potential data breach.

Correct Answer: C) The risk that remains after management has implemented security
controls.
Rationale: Residual risk is what is left over once you have applied mitigation strategies. It is
important for management to determine if this remaining risk is within the organization's
acceptable risk appetite.

Question 9
Which of the following best describes the principle of "Least Privilege"?
A) Giving all users administrative access to ensure they can do their jobs without interruption.
B) Restricting user access to only the data and systems necessary for their specific job functions.
C) Granting access based on the seniority of the employee.
D) Sharing a single password among a department to simplify access.
E) Disabling all access to systems during non-business hours.

Correct Answer: B) Restricting user access to only the data and systems necessary for their
specific job functions.
Rationale: Least privilege is a core security principle that minimizes the potential damage
from a compromised account or an insider threat by ensuring users have the bare
minimum access required for their tasks.

Question 10
In the "Preparation" phase of Incident Response, which activity is most appropriate?
A) Shutting down a compromised server to prevent further data loss.
B) Wiping a hard drive and restoring from a clean backup.
C) Training the Incident Response Team (IRT) and defining communication channels.
D) Identifying the entry point of a malware infection.
E) Notifying the media about a data breach.

Correct Answer: C) Training the Incident Response Team (IRT) and defining
communication channels.
Rationale: Preparation is the first phase of incident response. It involves building the
capability to respond to incidents, which includes policy development, team training, and
acquiring the necessary tools.

Question 11
Which standard provides a comprehensive framework for an Information Security Management
System (ISMS)?
A) ISO/IEC 27001
B) PCI DSS
C) HIPAA
D) NIST SP 800-53
E) IEEE 802.11

Correct Answer: A) ISO/IEC 27001
Rationale: ISO/IEC 27001 is the international standard that describes the requirements for
establishing, implementing, maintaining, and continually improving an ISMS.

Question 12
Which type of control is a "Security Camera" in a server room?
A) Detective Physical Control
B) Preventive Technical Control
C) Administrative Policy Control
D) Corrective Logical Control
E) Deterrent Administrative Control
