WGU E010 Objective Assessment Final Exam Questions And Answers Practice Questions with Solutions Newest | Already Graded A+
1. In a zero trust architecture, which of the following best describes the role of a policy decision
point (PDP) relative to a policy enforcement point (PEP)?
A. The PDP makes access decisions based on identity and context, while the PEP executes those decisions.
B. The PDP enforces network segmentation, while the PEP logs all traffic.
C. The PDP and PEP are combined into a single gateway that performs both functions.
D. The PDP monitors user behavior, while the PEP issues authentication tokens.
Answer: A
Rationale: In zero trust, the PDP is the logical component that evaluates policies and renders access
decisions, while the PEP is the enforcement point that allows or blocks traffic. Separating these
functions enables centralized policy management and distributed enforcement.
2. A multinational corporation must comply with both GDPR and CCPA for its data processing
activities. Under GDPR, a data subject requests erasure of personal data. The company also has a
legal obligation under U.S. securities law to retain certain financial records. How should the
company respond?
A. Immediately delete all personal data of the requestor, as the GDPR right to erasure is absolute.
B. Retain only the data required by securities law and delete the rest, citing legitimate interest.
C. Deny the erasure request entirely because CCPA does not require erasure for business records.
D. Seek a binding corporate decision from the lead supervisory authority before taking any action.
Answer: B
Rationale: GDPR Article 17(3)(e) allows retention when necessary for compliance with a legal
obligation. The company should delete data not subject to retention, balancing both regulations. Option
A is incorrect because the right is not absolute; C is incorrect as CCPA also has exceptions; D is
unnecessary and impractical.
3. During a tabletop exercise, the incident response team discovers that their disaster recovery plan
assumes a maximum tolerable downtime (MTD) of 4 hours for the customer portal, but the
recovery time objective (RTO) currently achievable is 6 hours. Which of the following is the most
appropriate remediation?
A. Increase the MTD to 6 hours to match current capabilities.
B. Decrease the RTO to 4 hours by allocating additional standby resources.
C. Accept the risk and document the gap in the risk register.
D. Implement a warm site with daily data replication to meet the RTO.
Answer: B
Rationale: MTD is a business requirement; RTO is a technical capability. The goal is to align RTO with MTD. Option B
reduces RTO to meet business needs. Option A changes the requirement arbitrarily; C is passive; D might be overkill if other
solutions can achieve the RTO.
4. A security engineer is designing a cryptographic solution for a system that requires data to be
encrypted at rest and in transit, with the ability to share encrypted files with external parties
without sharing the private key. Which combination of cryptographic primitives best achieves
this?
A. Symmetric encryption for data at rest and asymmetric encryption for key exchange in transit.
B. Asymmetric encryption for both at rest and in transit, using the recipient's public key.
C. Hybrid encryption: symmetric encryption for bulk data, asymmetric encryption to wrap the symmetric key.
D. Use only TLS for transit and full disk encryption for at rest, sharing the disk encryption key.
Answer: C
Rationale: Hybrid encryption combines the efficiency of symmetric encryption with the key management benefits
of asymmetric encryption. The sender encrypts the data with a random symmetric key, then encrypts that
key with the recipient's public key. This allows secure sharing without exposing the private key. Option A
doesn't address sharing; B is inefficient for bulk data; D exposes the key.
5. In the context of COBIT 2019, which governance objective is primarily concerned with ensuring
that the enterprise's risk appetite is aligned with its business strategy?
A. EDM01 – Ensure Governance Framework Setting and Maintenance.
B. EDM03 – Ensure Risk Optimization.
C. APO12 – Manage Risk.
D. MEA01 – Monitor, Evaluate and Assess Performance and Conformance.
Answer: B
Rationale: EDM03 (Ensure Risk Optimization) directly addresses aligning risk appetite with strategy and
ensuring that risk management is integrated into the enterprise's strategic decisions. APO12 is a
management objective for risk management processes. EDM01 is about the governance framework itself.
6. A security analyst is reviewing logs and notices that a user's account has been locked due to
multiple failed login attempts from a foreign IP address. However, the user is currently logged in
from a different IP and has not reported any issues. Which type of attack is most likely occurring?
A. Password spraying
B. Brute force attack
C. Credential stuffing
D. Pass-the-hash
Answer: C
Rationale: Credential stuffing uses previously breached username/password pairs to attempt login. The
lockout indicates many attempts, but the user's own login is unaffected because the attacker is trying
different credentials. Password spraying uses a few common passwords across many accounts; brute
force targets one account with many passwords; pass-the-hash reuses hashed credentials.
7. A company wants to implement a secure software development lifecycle (SSDLC). Which of the
following activities should occur during the requirements phase to best mitigate security risks
early?
A. Conduct a static application security testing (SAST) scan.
B. Perform a threat model using STRIDE.
C. Execute a penetration test on a prototype.
D. Review code for common vulnerabilities like SQL injection.
Answer: B
Rationale: Threat modeling (e.g., STRIDE) is performed early, during design or requirements, to identify
potential threats and guide security requirements. SAST and code review happen during development;
penetration testing occurs later. Early threat modeling reduces the cost of fixes.
8. An organization is migrating its on-premises data center to a public cloud IaaS provider. Which
of the following is a shared responsibility between the cloud provider and the customer?
A. Physical security of the data center.
B. Encryption of data at rest in the customer's virtual machines.
C. Patching the hypervisor that hosts the customer's VMs.
D. Network segmentation and firewall rules for the customer's VPC.
Answer: D
Rationale: In IaaS, the provider is responsible for physical security and hypervisor patching, while the
customer manages data encryption and guest OS. However, network segmentation (e.g., VPC
configuration) is often a shared responsibility: the provider offers the capability, but the customer must
configure it correctly.
9. A company's internal audit reveals that employees frequently share passwords for accessing a
critical application. Which control would be most effective in mitigating this risk while
maintaining operational efficiency?
A. Implement a password manager with role-based access and audit logging.
B. Enforce a policy requiring passwords to be changed every 30 days.
C. Disable shared accounts and require individual accounts with MFA.
D. Use biometric authentication exclusively for the application.
Answer: A
Rationale: A password manager allows centralized, secure storage and sharing of credentials without
exposing the actual password. It also provides audit trails. Option B may increase password fatigue; C
is ideal but may not be practical if the application does not support individual accounts; D is expensive
and may have usability issues.
10. During a security assessment, a penetration tester discovers that a web application is
vulnerable to XML External Entity (XXE) injection. Which of the following is the most effective
long-term remediation?
A. Disable external entity processing in the XML parser.
B. Implement a web application firewall (WAF) to block XXE payloads.
C. Use JSON instead of XML for all data interchange.
D. Sanitize all user input before passing it to the XML parser.
Answer: A
Rationale: Disabling external entity processing at the parser level eliminates the vulnerability entirely. A
WAF can be bypassed; switching to JSON may not be feasible for legacy systems; input sanitization is
difficult to implement correctly for XML. The most robust fix is to configure the parser securely.
11. A multinational corporation is evaluating a capital budgeting project in a foreign country with
high political risk. The project has a high net present value (NPV) under stable conditions, but the
host government may impose capital controls or expropriate assets. Which of the following
approaches best captures the appropriate method to adjust for this risk?
A. Increase the project's cost of capital by adding a country risk premium to the discount rate, and use the
adjusted NPV.
B. Use the risk-free rate for discounting and adjust expected cash flows for the probability of adverse political
events.
C. Apply a higher discount rate to all cash flows and also reduce expected cash flows by a uniform percentage
for political risk.
D. Ignore political risk in the NPV calculation because it is diversifiable for the multinational firm.
Answer: B
Rationale: Theoretically, adjusting cash flows for the probability of adverse events is more precise than
adjusting the discount rate, which penalizes all cash flows equally regardless of timing. The risk-free
rate is appropriate if cash flows are certainty-equivalent. Option A double-counts risk if the cost of
capital already includes systematic risk. Option C also double-counts. Option D is incorrect because
political risk is often non-diversifiable for the firm.
12. In a decentralized organization, a division manager is evaluated based on residual income (RI).
The division's current return on investment (ROI) is 18%, and the required rate of return is 12%.
The manager has the opportunity to invest in a project with an ROI of 14%. Which of the
following statements is correct regarding the manager's likely decision and the goal congruence
issue?
A. The manager will accept the project because it increases RI, and this aligns with the firm's goal of
maximizing overall value.
B. The manager will reject the project because it decreases divisional ROI, creating a conflict with the firm's
goal.
C. The manager will accept the project only if the project's RI is positive, but this may not align with the firm's
goal if the firm uses ROI for evaluation.
D. The manager will reject the project because RI will decrease, and this aligns with the firm's goal of
maximizing residual income.
Answer: B
Rationale: Since the project's ROI (14%) is below the division's current ROI (18%) but above the
required rate (12%), accepting it would reduce the division's average ROI, potentially harming the
manager's performance measure if evaluated on ROI. However, the project has a positive residual
income (14% > 12%), so it would increase the division's RI and firm value. Thus, there is a goal
conflict: the manager may reject a value-adding project to protect ROI. Option A is false because the
manager may reject it. Option C is incorrect because RI would increase. Option D is false because RI