WGU 430 Assessment Guide Exam with
Questions and Verified Rationalized Answers 2025/2026
1. information security: "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction." - US law
protection of digital assets.

2. secure: it's difficult to define when you're truly secure. when you can spot insecurities, you can take steps to mitigate these issues. although you'll never get to a truly secure state, you can take steps in the right direction.
- as you increase the level of security, you decrease the level of productivity. the cost of security should never outstrip the value of what it's protecting.

3. data at rest and in motion (and in use): data at rest is stored data not in the process of being moved; usually protected with encryption at the level of the file or the entire storage device.
data in motion is data that is in the process of being moved; usually protected with encryption, but in this case the encryption protects the network protocol or the path of the data.
data in use is the data that is actively being accessed at the moment. protection includes permissions and authentication of users. could be conflated with data in motion.

4. defense by layer: the layers of your defense-in-depth strategy will vary depending on situation and environment.
logical (nonphysical) layers: external network, network perimeter, internal network, host, application, and data layers as areas to place your defenses.
- defenses for layers can appear in more than one area. penetration testing, for example, can and should be used in all layers.

5. payment card industry data security standard (PCI DSS): a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

6. health insurance portability and accountability act of 1996 (HIPAA): a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

7. federal information security management act (FISMA): requires each federal agency to develop, document, and implement an information security program to protect its information and information systems.
- applies to US federal government agencies, all state agencies that administer federal programs, and private companies that support, sell to, or receive grant money from the federal government.

8. federal risk and authorization management program (FedRAMP): defines rules for government agencies contracting with cloud providers; applies to both cloud platform providers and companies providing software as a service (SaaS) tools that are based in the cloud.

9. sarbanes-oxley act (SOX): regulates the financial practice and governance for publicly held companies.
- designed to protect investors and the general public by establishing requirements regarding reporting and disclosure practices.
places specific requirements on an organization's electronic recordkeeping, including the integrity of records, retention periods for certain kinds of information, and methods of storing electronic communications.

10. gramm-leach-bliley act (GLBA): requires financial institutions to safeguard their customers' financial data and identifiable information.
- mandates the disclosure of an institution's information collection and information sharing practices and establishes requirements for providing privacy notices and opt-outs to consumers.

11. children's internet protection act (CIPA): requires schools and libraries to prevent children from accessing obscene or harmful content over the internet.

12. children's online privacy protection act (COPPA): protects the privacy of minors younger than 13 by restricting organizations from collecting their PII (personally identifiable information), requiring the organizations to post a privacy policy online, make reasonable efforts to obtain parental consent, and notify parents that information is being collected.

13. family educational rights and privacy act (FERPA): defines how institutions must handle student records to protect their privacy and how people can view or share them.

14. international organization for standardization (ISO): a body first created in 1926 to set standards between nations.
the 27000/27k series of THIS covers information security; 27000, 27001, 27002.