
NEW WGU D488-CYBERSECURITY ARCHITECTURE AND ENGINEERING EXAM 2025

Pages
38
Grade
A+
Uploaded on
14-12-2025
Written in
2025/2026

NEW WGU D488-CYBERSECURITY ARCHITECTURE AND ENGINEERING EXAM 2025 WITH ACTUAL CORRECT QUESTIONS AND ANSWERS|CURRENTLY TESTING VERSION|ALREADY GRADED A+|GUARANTEED PASS

Document information

Type
Exam (elaborations)
Contains
Questions & answers

Content preview

NEW WGU D488-CYBERSECURITY ARCHITECTURE AND
ENGINEERING EXAM 2025|CURRENTLY TESTING
VERSION|ALREADY GRADED A+|GUARANTEED PASS


An organization has leased office space that is suitable for its computer equipment so personnel
and systems can be relocated if the main office location is unavailable. It currently has some
equipment. Which type of site is the organization using?
A - Cold site
B - Warm site
C - Hot site
D - Mobile site
A warm site is a disaster recovery site that provides a partially equipped facility that can be
used to restore critical operations faster than having no equipment at all.

A risk assessment consultant is discussing segmentation options with a client. What are a few
standard options the consultant could offer? Select the best 2 answers.
A - VLANs
B - Transmission Control
C - Physical
D - Access control lists
A network device can perform segmentation logically, for example, by implementing virtual
local area networks (VLANs). An attacker can bypass VLANs by gaining access to a
trunk port, which carries traffic for all VLANs.

Physical segmentation is another type of segmentation more commonly found in industrial
control systems (ICS) and supervisory control and data acquisition (SCADA) networks.
This is where, traditionally, there is an IT and OT (operational technology) network.

A disaster recovery manager wants to perform a qualitative analysis on intangible assets but is
unsure how to perform the calculations. Which departments should the manager bring on to help
determine metrics? Select 3 answers.
A - Marketing
B - Sales
C - Human Resources
D - Communications
Marketing is one of the departments that should help the manager with the metrics.
Qualitative risk assessment is well-suited to the analysis of intangible assets, for example,
an organization's reputation or brand image.


Sales is another department brought on to assist the manager with metrics. These groups
are best-suited to provide input based on their unique insights.

Communications is another department that can help the manager assess the value of many
intangible business assets and the impacts that various risk events can have on them.

A security analyst is performing a security assessment and is recommending ways to manage risk
relating to personnel. Which of the following should the analyst recommend? Select 3 answers.
A - Mandatory vacation
B - Least privilege
C - Email protection
D - Auditing requirements

Mandatory vacation is one way of helping to manage personnel risk. An administrator
forces employees to take their vacation time, during which someone else fulfills their duties.

The principle of least privilege is a practice in which an administrator only gives users
account privileges they need to perform their duties. This practice serves in various
capacities, such as helping against both insider threats and compromised accounts.

Auditing requirements describe the capability for auditing account creation, modification,
deletion, and account activity for all accounts. Auditing is a way to help manage personnel
risk.

A security engineer is considering moving his organization's IT services to the cloud but is
concerned whether the vendor they are considering will be in business on an ongoing basis. What
type of vendor assessment is this?
A - Vendor viability
B - Source code escrow
C - Vendor lock-in
D - Vendor lockout

Vendor viability considers whether a vendor will remain in business on an ongoing basis,
whether it has a viable and in-demand product, and whether it has the financial means to stay afloat.


A security manager is standing up a risk management program at a company. What should the
security manager set up that might be considered the most recognized output?
A - Processes
B - Key Performance Indicators
C - Key Risk Indicators
D - Risk Register

The risk register can be the most recognized output of the risk management program. It
includes metadata such as threat, impact, likelihood, plan, and risk level.

A security architect for an organization is conducting an internal assessment on current policies,
processes, and procedures to ensure protection for the business's technology and financial
operations. Which of the following would be best suited to support this assessment?
A - STAR
B - SOC
C - ISO
D - CMMC

System and Organization Controls (SOC) uses standards established by the American
Institute of Certified Public Accountants (AICPA) to evaluate policies, processes, and
procedures to protect technology and financial operations.

A vulnerability management lead for a major company is working with various teams to keep
their company secure, but there is a significant number of legacy systems the company worries
about, so the management lead recommends purchasing an insurance policy. What type of risk
strategy is this?
A - Risk avoidance
B - Risk acceptance
C - Risk mitigation
D - Risk transference

Risk transference (or sharing) refers to assigning risk to a third party. Purchasing an
insurance policy most typically exemplifies risk transference.

A security architect is planning a Statement of Work to perform services at various levels of the
Risk Management Lifecycle. The security architect should allocate the most hours to which
phase?
A - Identify
B - Assess
C - Control
D - Review
The control phase identifies effective ways to reduce identified risks. The effective
identification and implementation of these controls represent a significant amount of the
work effort undertaken by security practitioners.

A security engineer works for a mid-sized retail company on the systems administration team.
The company wants to estimate the potential financial impact of a single occurrence of a web
server going down, which could lead to lost sales. What is this estimated financial impact per
incident called?
A - SLE
B - ALE
C - ARO
D - EF
Single Loss Expectancy (SLE) is the amount lost in a single occurrence of the risk factor,
such as the cost during downtime.

A security project manager is considering transitioning to a cloud-based strategy for a company.
The company currently operates with a minimal team in their data center services and aims to
reduce their responsibilities while maintaining service quality. Which cloud solution would
require the least amount of management and maintenance from this team?
A - IaaS
B - PaaS
C - SaaS
D - On-site
Software as a Service (SaaS) represents the lowest amount of responsibility for the
customer as the facilities, utilities, physical security, platform, and applications are the
provider's responsibility.

A security consultant is conducting a security assessment and is trying to communicate reasons
that flaws may exist. What are the primary categories in which these flaws exist? Select 3
answers.
A - Communication
B - People
C - Process
D - Technology
People ultimately are most directly impacted by technology. This is one of the major
categories for finding flaws and the reason phishing is the most common form of breach.

Process is another major area where flaws occur. An ambiguous process might exist that
allows attackers to use fraudulent emails to request wire transfers.

Technological controls also provide effective defenses against many security threats, but
they also rely on people and processes.

A disaster recovery manager is trying to assess the residual risk when comparing it to the
company's inherent risk. What measures should the manager look at to determine this? Select 3
answers.
A - Risk transference
B - Risk acceptance
C - Risk appetite
D - Risk mitigation
Risk transference is one component of finding residual risk compared to inherent risk. It
means assigning risk to a third party, typically exemplified through the purchase of an
insurance policy.