Cybersecurity Architecture and Engineering (D488) – WGU – Final Exam Test Bank (2025/2026)
Exam Overview
• Course: WGU D488 Cybersecurity Architecture and Engineering
• Exam Type: Objective Assessment (Final Exam)
• Topics Covered:
o Architecture Frameworks: Secure network design, cloud infrastructure, and
enterprise architecture (e.g., TOGAF, SABSA).
o Secure Protocols: TLS, IPsec, DNSSEC, and key exchange mechanisms.
o Encryption: Symmetric/asymmetric algorithms, block ciphers, and authenticated
encryption.
o Risk Management: Strategies to mitigate vulnerabilities, threat surfaces, and
compliance (e.g., PCI DSS, GDPR).
o Cyber Defense: Firewalls, IDS/IPS, WAF, endpoint protection, and incident
response.
• Format: 150 questions, multiple-choice, scenario-based, testing practical application of
cybersecurity concepts.
Question Bank
Architecture Frameworks (30 Questions)
1. A company is designing a secure network to protect sensitive data. Which
architecture framework emphasizes aligning security with business goals?
A. NIST Cybersecurity Framework
B. SABSA
C. Zachman Framework
D. COBIT
Correct Answer: B. SABSA
Rationale: SABSA (Sherwood Applied Business Security Architecture) focuses on
aligning security with business objectives, ensuring security measures support
organizational goals, unlike NIST (risk management), Zachman (enterprise architecture),
or COBIT (IT governance).
2. What is the primary purpose of a demilitarized zone (DMZ) in network
architecture?
A. Encrypting internal network traffic
B. Providing a buffer zone for public-facing services
C. Blocking all external traffic
D. Managing user authentication
Correct Answer: B. Providing a buffer zone for public-facing services
Rationale: A DMZ isolates public-facing services (e.g., web servers) from the internal
network, reducing the risk of unauthorized access to sensitive systems.
3. A company implements a zero-trust architecture. What is a core principle of this
model?
A. Trust all internal network devices
B. Verify every access request regardless of location
C. Allow unrestricted access within the network
D. Use a single firewall for protection
Correct Answer: B. Verify every access request regardless of location
Rationale: Zero-trust architecture requires continuous verification of all access requests,
assuming no device or user is inherently trusted, per NIST SP 800-207.
4. Which component in a cloud VPC enables communication with the internet?
A. Network Address Translation (NAT)
B. Internet Gateway (IGW)
C. Virtual Private Network (VPN)
D. Web Application Firewall (WAF)
Correct Answer: B. Internet Gateway (IGW)
Rationale: An IGW is a VPC component that allows communication between the cloud
VPC and the internet, enabling public access to resources.
5. What is the role of a load balancer in network architecture?
A. Encrypts data in transit
B. Distributes traffic across multiple servers
C. Blocks malicious traffic
D. Authenticates user credentials
Correct Answer: B. Distributes traffic across multiple servers
Rationale: A load balancer distributes incoming network traffic across multiple servers
to ensure scalability, reliability, and performance.
6. A company uses the TOGAF framework for enterprise architecture. What is its
primary focus?
A. Cybersecurity risk assessment
B. Aligning IT with business strategy
C. Hardware security implementation
D. Real-time threat detection
Correct Answer: B. Aligning IT with business strategy
Rationale: TOGAF (The Open Group Architecture Framework) focuses on aligning IT
systems with business goals, providing a structured approach to enterprise architecture.
7. Which architecture design principle minimizes the attack surface?
A. Network segmentation
B. Full network access
C. Single-layer security
D. Unrestricted API access
Correct Answer: A. Network segmentation
Rationale: Network segmentation divides the network into smaller zones, limiting lateral
movement by attackers and reducing the attack surface.
8. What is a key benefit of micro-segmentation in a software-defined network?
A. Increases network latency
B. Enhances granular access control
C. Simplifies firewall rules
D. Reduces encryption needs
Correct Answer: B. Enhances granular access control
Rationale: Micro-segmentation applies fine-grained security policies to individual
workloads, improving access control and limiting attack spread.
9. A company implements a defense-in-depth strategy. What does this involve?
A. Relying on a single firewall
B. Using multiple layers of security controls
C. Disabling all external access
D. Encrypting only sensitive data
Correct Answer: B. Using multiple layers of security controls
Rationale: Defense-in-depth uses multiple security controls (e.g., firewalls, IDS,
encryption) to provide redundancy and mitigate risks if one layer fails.
10. Which cloud architecture model ensures complete isolation of resources?
A. Public cloud
B. Private cloud
C. Hybrid cloud
D. Community cloud
Correct Answer: B. Private cloud
Rationale: A private cloud provides dedicated resources for a single organization,
ensuring isolation and enhanced security compared to public or hybrid clouds.
11. What is the purpose of a security group in a cloud VPC?
A. Encrypts data at rest
B. Acts as a virtual firewall for instances
C. Manages user authentication
D. Balances network traffic
Correct Answer: B. Acts as a virtual firewall for instances
Rationale: Security groups in a VPC control inbound and outbound traffic to instances,
functioning as a virtual firewall for access control.
12. A company uses a hub-and-spoke network model. What is its primary advantage?
A. Simplifies encryption
B. Centralizes traffic management
C. Increases network latency
D. Eliminates firewalls
Correct Answer: B. Centralizes traffic management
Rationale: The hub-and-spoke model centralizes traffic through a hub, enabling
consistent security policies and monitoring across spokes.
13. Which framework helps assess an organization’s cybersecurity maturity?
A. CMMI
B. NIST Cybersecurity Framework
C. ITIL