WGU D487 OA 2025 TEST BANK 2 WITH 420
QUESTIONS AND CORRECT ANSWERS
(100% CORRECT VERIFIED ANSWERS) D487
SECURE SOFTWARE DESIGN OBJECTIVE
ASSESSMENT 2025 TEST BANK V2
A project team is documenting software requirements, including security controls.
Which of the following should be prioritized in this documentation process?
A) Listing only functional requirements to speed up the SDL
B) Documenting all security controls necessary to address identified risks and
compliance needs
C) Avoiding detailed documentation to maintain flexibility
D) Limiting documentation to the testing phase
B) Documenting all security controls necessary to address identified risks and
compliance needs
During the SDL, a project manager stresses the importance of documenting
security requirements. What is one primary reason for documenting security
requirements?
A) To limit security requirements to only the development team
B) To provide a clear, trackable record of security controls that helps ensure all
requirements are met
C) To reduce the need for security assessments
D) To allow security requirements to be adjusted informally without oversight
B) To provide a clear, trackable record of security controls that helps ensure all
requirements are met
The security team uses a Requirements Traceability Matrix (RTM) to track
requirements. What is the main benefit of using an RTM for security
documentation?
pg. 1
,A) It allows stakeholders to change requirements at any point without impact
B) It enables the team to trace each security requirement throughout the SDL to
verify compliance and coverage
C) It limits the number of security requirements for a project
D) It eliminates the need to communicate with stakeholders
B) It enables the team to trace each security requirement throughout the SDL to
verify compliance and coverage
Why is it essential to obtain formal acceptance from management for documented
security requirements?
A) To bypass the need for further security assessments
B) To ensure management acknowledges and commits to the security
requirements, securing necessary resources and support
C) To allow for the reduction of security requirements
D) To ensure that only the development team is accountable for security
B) To ensure management acknowledges and commits to the security
requirements, securing necessary resources and support
What is the primary purpose of thoroughly documenting software requirements,
including security controls, in secure software development?
A) To meet auditing requirements and provide a reference for compliance
B) To restrict changes to the software design
C) To delay security planning until the final stages
D) To reduce the involvement of stakeholders
A) To meet auditing requirements and provide a reference for compliance
A company is outsourcing software development to a third-party vendor. Which of
the following should be included in the contract to ensure data security?
A) A provision allowing the third party to bypass security requirements
B) Specific security controls, compliance obligations, and access restrictions that
the third party must follow
C) A clause stating the third party is responsible for all regulatory compliance
D) A provision allowing unrestricted data access by the third party
pg. 2
,B) Specific security controls, compliance obligations, and access restrictions that
the third party must follow
A project team is developing software that processes sensitive customer
information. To secure this data, the team decides to categorize it based on
sensitivity levels. Why is this categorization essential in data protection?
A) It allows the team to ignore security requirements for low-sensitivity data
B) It enables the team to apply appropriate security controls based on data
sensitivity, ensuring high-risk data is more protected
C) It removes the need for data access controls
D) It minimizes the importance of encrypting sensitive data
B) It enables the team to apply appropriate security controls based on data
sensitivity, ensuring high-risk data is more protected
As part of a data protection strategy, a security analyst suggests classifying data to
determine ownership and access levels. Why is identifying data ownership
important?
A) It allows only the development team to access data
B) It clarifies accountability for data security and helps set permissions based on
data ownership
C) It eliminates the need to monitor data access logs
D) It restricts data handling to a single user
B) It clarifies accountability for data security and helps set permissions based on
data ownership
The development team is required to implement data protection for both structured
and unstructured data. What is one critical reason for protecting unstructured data,
such as documents or emails?
A) Unstructured data is less valuable, so protection is optional
B) Unstructured data often contains sensitive information that, if exposed, could
lead to security breaches
C) Structured data alone requires protection for regulatory compliance
D) Data protection applies only to structured formats
pg. 3
, B) Unstructured data often contains sensitive information that, if exposed, could
lead to security breaches
A software application requires access controls to limit data access to authorized
users. What is the primary purpose of implementing access controls as part of data
protection?
A) To simplify the data access process for all users
B) To restrict data access to individuals based on their role and need, ensuring
sensitive data remains protected
C) To allow unrestricted data access for internal users
D) To ensure that all users have equal access to data
B) To restrict data access to individuals based on their role and need, ensuring
sensitive data remains protected
As part of data protection efforts, the team is tasked with establishing guidelines
for sensitive data. Which guideline is most critical for protecting sensitive data?
A) Limiting all users from accessing data
B) Encrypting sensitive data to prevent unauthorized access
C) Allowing sensitive data to be shared freely within the organization
D) Storing all sensitive data in plaintext for easy access
B) Encrypting sensitive data to prevent unauthorized access
As part of a secure data lifecycle strategy, the team is instructed to apply
protections to data from its creation to its disposal. Why is it essential to manage
data protection throughout its entire lifecycle?
A) To ensure data protection only during high-use phases
B) To provide continuous security and compliance at each stage, from creation to
disposal
C) To limit data protection efforts to storage phases only
D) To allow data to be securely deleted at any time without additional processes
B) To provide continuous security and compliance at each stage, from creation to
disposal
A development team is tasked with implementing "right to be forgotten" features in
compliance with data privacy laws. At which stage of the data lifecycle is this
pg. 4
QUESTIONS AND CORRECT ANSWERS
(100% CORRECT VERIFIED ANSWERS) D487
SECURE SOFTWARE DESIGN OBJECTIVE
ASSESSMENT 2025 TEST BANK V2
A project team is documenting software requirements, including security controls.
Which of the following should be prioritized in this documentation process?
A) Listing only functional requirements to speed up the SDL
B) Documenting all security controls necessary to address identified risks and
compliance needs
C) Avoiding detailed documentation to maintain flexibility
D) Limiting documentation to the testing phase
B) Documenting all security controls necessary to address identified risks and
compliance needs
During the SDL, a project manager stresses the importance of documenting
security requirements. What is one primary reason for documenting security
requirements?
A) To limit security requirements to only the development team
B) To provide a clear, trackable record of security controls that helps ensure all
requirements are met
C) To reduce the need for security assessments
D) To allow security requirements to be adjusted informally without oversight
B) To provide a clear, trackable record of security controls that helps ensure all
requirements are met
The security team uses a Requirements Traceability Matrix (RTM) to track
requirements. What is the main benefit of using an RTM for security
documentation?
pg. 1
,A) It allows stakeholders to change requirements at any point without impact
B) It enables the team to trace each security requirement throughout the SDL to
verify compliance and coverage
C) It limits the number of security requirements for a project
D) It eliminates the need to communicate with stakeholders
B) It enables the team to trace each security requirement throughout the SDL to
verify compliance and coverage
Why is it essential to obtain formal acceptance from management for documented
security requirements?
A) To bypass the need for further security assessments
B) To ensure management acknowledges and commits to the security
requirements, securing necessary resources and support
C) To allow for the reduction of security requirements
D) To ensure that only the development team is accountable for security
B) To ensure management acknowledges and commits to the security
requirements, securing necessary resources and support
What is the primary purpose of thoroughly documenting software requirements,
including security controls, in secure software development?
A) To meet auditing requirements and provide a reference for compliance
B) To restrict changes to the software design
C) To delay security planning until the final stages
D) To reduce the involvement of stakeholders
A) To meet auditing requirements and provide a reference for compliance
A company is outsourcing software development to a third-party vendor. Which of
the following should be included in the contract to ensure data security?
A) A provision allowing the third party to bypass security requirements
B) Specific security controls, compliance obligations, and access restrictions that
the third party must follow
C) A clause stating the third party is responsible for all regulatory compliance
D) A provision allowing unrestricted data access by the third party
pg. 2
,B) Specific security controls, compliance obligations, and access restrictions that
the third party must follow
A project team is developing software that processes sensitive customer
information. To secure this data, the team decides to categorize it based on
sensitivity levels. Why is this categorization essential in data protection?
A) It allows the team to ignore security requirements for low-sensitivity data
B) It enables the team to apply appropriate security controls based on data
sensitivity, ensuring high-risk data is more protected
C) It removes the need for data access controls
D) It minimizes the importance of encrypting sensitive data
B) It enables the team to apply appropriate security controls based on data
sensitivity, ensuring high-risk data is more protected
As part of a data protection strategy, a security analyst suggests classifying data to
determine ownership and access levels. Why is identifying data ownership
important?
A) It allows only the development team to access data
B) It clarifies accountability for data security and helps set permissions based on
data ownership
C) It eliminates the need to monitor data access logs
D) It restricts data handling to a single user
B) It clarifies accountability for data security and helps set permissions based on
data ownership
The development team is required to implement data protection for both structured
and unstructured data. What is one critical reason for protecting unstructured data,
such as documents or emails?
A) Unstructured data is less valuable, so protection is optional
B) Unstructured data often contains sensitive information that, if exposed, could
lead to security breaches
C) Structured data alone requires protection for regulatory compliance
D) Data protection applies only to structured formats
pg. 3
, B) Unstructured data often contains sensitive information that, if exposed, could
lead to security breaches
A software application requires access controls to limit data access to authorized
users. What is the primary purpose of implementing access controls as part of data
protection?
A) To simplify the data access process for all users
B) To restrict data access to individuals based on their role and need, ensuring
sensitive data remains protected
C) To allow unrestricted data access for internal users
D) To ensure that all users have equal access to data
B) To restrict data access to individuals based on their role and need, ensuring
sensitive data remains protected
As part of data protection efforts, the team is tasked with establishing guidelines
for sensitive data. Which guideline is most critical for protecting sensitive data?
A) Limiting all users from accessing data
B) Encrypting sensitive data to prevent unauthorized access
C) Allowing sensitive data to be shared freely within the organization
D) Storing all sensitive data in plaintext for easy access
B) Encrypting sensitive data to prevent unauthorized access
As part of a secure data lifecycle strategy, the team is instructed to apply
protections to data from its creation to its disposal. Why is it essential to manage
data protection throughout its entire lifecycle?
A) To ensure data protection only during high-use phases
B) To provide continuous security and compliance at each stage, from creation to
disposal
C) To limit data protection efforts to storage phases only
D) To allow data to be securely deleted at any time without additional processes
B) To provide continuous security and compliance at each stage, from creation to
disposal
A development team is tasked with implementing "right to be forgotten" features in
compliance with data privacy laws. At which stage of the data lifecycle is this
pg. 4
