WGU C845 VUN1 Task 1, Task 2 & Task 3 –
Complete Study Guide & Verified Answers
(2026/2027)
This comprehensive guide covers all three Performance Tasks for WGU C845 Information
Systems Security (VUN1) based on the 2026/2027 curriculum. Each section includes
detailed solutions, rationales, and formatting aligned with WGU rubric requirements.
Part 1: TASK 1 – MANAGING SECURITY OPERATIONS AND ACCESS CONTROLS
A. Apply an Access Control Model
A.1. Chosen Access Control Model
I have chosen the Role-Based Access Control (RBAC) model. The principles of RBAC
are:

Principle              Description
Role Assignment        A user is assigned to a role based on their job function (e.g., "Finance Analyst").
Permission Assignment  Permissions to perform operations on systems are assigned to roles, not to individual users.
Session Management     A user activates a role to gain the associated permissions for a session.
Least Privilege        Users should only have the minimum level of access necessary to perform their job duties.
The organization's access control structure, as seen in the user matrix, is implicitly role-based (e.g., "Finance manager," "HR coordinator"), but permissions are still recorded per user. Applying a formal RBAC model would streamline this by ensuring permissions are strictly tied to business functions, so that the role name alone predicts what a user can do, reducing complexity and the potential for error when assigning permissions.
A.2. Four Misalignments with RBAC Principles
Misalignment 1: Privileges Beyond Role Scope
Description: The "Junior system admin" (J. Lopez) has "Domain admin" privileges. Domain Admins is one of the most privileged groups in an Active Directory domain; a junior role should not hold it.
Conflict with RBAC: This violates the principle of least privilege. The role "Junior system admin" implies a subset of administrative duties, not unrestricted domain-wide control. It also means the role name no longer predicts the permissions behind it, which defeats the purpose of assigning permissions to roles rather than to people.
Misalignment 2: Unnecessary Access Across Departments
Description: The "Finance analyst" (L. Cheng) has "Full access" to the CRM, a system primarily for Sales and Support. A finance role may need to read customer and billing records, but it does not require rights to create, modify or delete them.
Conflict with RBAC: This violates least privilege and separation of duties. It allows for potential data manipulation outside the user's core business function.
Misalignment 3: Violation of User-Role Assignment Post-Termination
Description: The "HR assistant" (P. Ellis), who was terminated on 2025-05-20, still has an "Active" account status and successfully logged in on 2025-06-29, 40 days after termination.
Conflict with RBAC: RBAC requires timely revocation of role assignments upon a change in employment status. An active account for a terminated user bypasses the protection the role structure provides, because the enforcement point sees only an enabled account with a valid role. The post-termination login should also be treated as a potential security incident and investigated, since it is unauthorized use of credentials regardless of who performed it.
Misalignment 4: Overly Broad Privileged Access
Description: The "IT administrator" (T. Miller) has "Full admin" access to "All internal systems," and the log shows a firewall rule change by this account without a ticket_id.
Conflict with RBAC: While an IT administrator needs substantial access, blanket "Full admin" across every system violates least privilege and does not segment duties within the IT department itself; one role (and one account) can change directory, network and application layers alike. The missing ticket_id is a change-management and accountability gap: the log cannot tie the change to an authorized request, so the broad grant is not compensated for by after-the-fact review.
A.3. Recommended Changes to Resolve Misalignments
Recommendation 1: Implement Privilege Tiering for Administrative Roles
Justification: Following CIS Control 5 (Account Management) and the principle of least privilege, administrative accounts should be segregated by tier. The "Junior system admin" role should be assigned a more restricted set of privileges, such as "Server Operator" or "Help Desk Administrator," which allows for daily tasks without granting domain-wide control (NIST SP 800-53, AC-6). Note that the built-in Server Operators group can log on to and administer domain controllers, so in practice the tier is better implemented as a custom group with rights delegated to specific organizational units or member servers rather than a built-in group.
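The RBAC principles in A.1, the four misalignments in A.2 and the tiering in Recommendation 1 can be expressed as a small audit: encode the intended role-to-permission baseline, then compare each row of the user matrix and each log entry against it. The following Python is an added example written for this guide, not part of the WGU task materials or the organization's tooling. The role names, permission strings, user rows, log events and the placeholder ticket number are constructed to mirror the scenario and are assumptions, as is the "Control row" user and the permission set chosen for the tiered junior admin role.

```python
"""RBAC baseline plus an audit of an access matrix against it (added example).
Constructed data only: roles, permission strings, user rows and log events
mirror the study-guide scenario but are assumptions, not real catalogue or logs."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Permissions attach to roles, never to individual users. The "Junior system
# admin" entry reflects Recommendation 1: a tiered, server-operator style
# grant instead of domain-wide control. Permission strings are hypothetical.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "Finance analyst":     frozenset({"ERP:read", "ERP:write", "CRM:read"}),
    "Finance manager":     frozenset({"ERP:read", "ERP:write", "ERP:approve", "CRM:read"}),
    "HR assistant":        frozenset({"HRIS:read", "HRIS:write"}),
    "HR coordinator":      frozenset({"HRIS:read", "HRIS:write", "HRIS:approve"}),
    "Junior system admin": frozenset({"AD:server_operator", "Helpdesk:password_reset"}),
    "IT administrator":    frozenset({"AD:domain_admin", "Firewall:write"}),
}

# Privileged actions that must carry a change ticket to be accountable.
PRIVILEGED_ACTIONS = frozenset({"firewall_rule_change", "group_membership_change"})


@dataclass(frozen=True)
class User:
    name: str
    role: str
    status: str                      # "Active" or "Disabled", as in the matrix
    granted: frozenset               # what the matrix actually grants today
    terminated: Optional[date] = None
    last_login: Optional[date] = None


@dataclass(frozen=True)
class LogEvent:
    user: str
    action: str
    ticket_id: Optional[str]


def permitted(user: User, permission: str) -> bool:
    """Enforcement decision under RBAC: derived from the role and the account
    status only, ignoring any ad hoc grant recorded in the matrix."""
    return user.status == "Active" and permission in ROLE_PERMISSIONS.get(user.role, frozenset())


def excess_permissions(user: User) -> set[str]:
    """Grants in the matrix that the user's role does not define (least privilege)."""
    return set(user.granted) - ROLE_PERMISSIONS.get(user.role, frozenset())


def usable_after_termination(user: User) -> bool:
    """Role assignment not revoked: still Active, or used after the termination date."""
    if user.terminated is None:
        return False
    if user.status == "Active":
        return True
    return user.last_login is not None and user.last_login > user.terminated


def changes_without_ticket(events: list[LogEvent]) -> list[LogEvent]:
    """Privileged changes with no ticket_id: an accountability gap in the log."""
    return [e for e in events if e.action in PRIVILEGED_ACTIONS and not e.ticket_id]


def audit(users: list[User], events: list[LogEvent]) -> list[str]:
    """One finding per misalignment, in matrix order, then log order."""
    findings = []
    for u in users:
        extra = excess_permissions(u)
        if extra:
            findings.append(f"{u.name} ({u.role}): grants beyond role: {sorted(extra)}")
        if usable_after_termination(u):
            findings.append(f"{u.name} ({u.role}): account usable after termination on {u.terminated}")
    for e in changes_without_ticket(events):
        findings.append(f"{e.user}: {e.action} without ticket_id")
    return findings


# Constructed matrix rows mirroring the four misalignments, plus one
# hypothetical clean row so the audit is shown to stay quiet on correct grants.
USERS = [
    User("J. Lopez", "Junior system admin", "Active",
         frozenset({"AD:server_operator", "AD:domain_admin"})),
    User("L. Cheng", "Finance analyst", "Active",
         frozenset({"ERP:read", "ERP:write", "CRM:read", "CRM:write", "CRM:delete"})),
    User("P. Ellis", "HR assistant", "Active",
         frozenset({"HRIS:read", "HRIS:write"}),
         terminated=date(2025, 5, 20), last_login=date(2025, 6, 29)),
    User("T. Miller", "IT administrator", "Active",
         frozenset({"AD:domain_admin", "Firewall:write", "ERP:admin", "HRIS:admin"})),
    User("Control row", "HR coordinator", "Active",
         frozenset({"HRIS:read", "HRIS:write", "HRIS:approve"})),
]

# Constructed log events; the ticket number is a placeholder.
EVENTS = [
    LogEvent("T. Miller", "firewall_rule_change", None),
    LogEvent("T. Miller", "firewall_rule_change", "CHG-0001"),
]

if __name__ == "__main__":
    for line in audit(USERS, EVENTS):
        print(line)
```

Running the block reports five findings, one per misalignment plus the extra admin grants on the IT administrator row, and nothing for the control row. Note that permitted() still returns True for P. Ellis on HRIS:read: an enforcement point only sees an enabled account holding a valid role, which is exactly why Misalignment 3 is a provisioning-process failure that the role model alone cannot catch, and why the audit has to check the termination date and last login explicitly.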