This guide breaks down the core domains of the C725 course into digestible sections
with over 100 key concepts presented as questions and answers.
Domain 1: Foundational Security Concepts
1. What is the core objective of Information Security (InfoSec)?
ANSWER ✓ To protect the confidentiality, integrity, and availability of information and
information systems, known as the CIA Triad.
2. Define Confidentiality.
ANSWER ✓ The principle of ensuring that information is not disclosed to unauthorized
individuals, processes, or devices. (e.g., Encryption, access controls).
3. Define Integrity.
ANSWER ✓ The principle of guarding against improper information modification or
destruction; it includes ensuring information authenticity and non-repudiation. (e.g.,
Hashing, digital signatures).
4. Define Availability.
ANSWER ✓ The principle of ensuring timely and reliable access to and use of
information for authorized users. (e.g., Redundancy, fault tolerance, backups).
5. What is Non-repudiation?
ANSWER ✓ A security service that provides proof of the origin and integrity of data,
preventing a party from denying having sent a message or performed an action. (e.g.,
Digital signatures).
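Questions 3 and 5 both list hashing and digital signatures as controls, but they provide different guarantees. The added example below (not course material, standard library only) shows the distinction: a plain hash detects modification but can be recomputed by anyone who edits the data; an HMAC adds authenticity but, because both parties hold the same key, cannot prove to a third party which of them produced the tag; only a signature made with a private key gives non-repudiation. The RSA key is a deliberately tiny toy built from publicly known Mersenne primes so the script runs offline; it is an assumption for illustration and must never be used for real signing (use a vetted library such as `cryptography`). The message text is constructed sample data.

```python
"""Integrity vs. authenticity vs. non-repudiation, shown with stdlib only.

Added example for Q3 and Q5 of this guide; not code from the course.
The RSA key is a tiny, publicly known toy (Mersenne primes), assumed here
only so the demo needs no third-party library. Never use it for real.
"""
import hashlib
import hmac
import secrets

# --- Integrity: a hash detects modification, but anyone can recompute it ---

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def integrity_check(data: bytes, expected_digest: str) -> bool:
    """True if data still hashes to the digest recorded earlier."""
    return hmac.compare_digest(sha256_hex(data), expected_digest)

# --- Authenticity: an HMAC needs the shared key, so a stranger cannot forge it.
#     Both parties hold that key, so a valid tag does NOT prove which of them
#     produced it: no non-repudiation.

def hmac_tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def hmac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)  # constant-time compare

# --- Non-repudiation: only the private-key holder can sign; anyone with the
#     public key can verify, so a third party can be shown who signed.

TOY_P = 2**521 - 1   # Mersenne prime, publicly known: TOY ONLY
TOY_Q = 2**127 - 1   # Mersenne prime, publicly known: TOY ONLY
TOY_N = TOY_P * TOY_Q          # ~648 bits, so a 256-bit digest fits below n
TOY_E = 65537                  # public exponent
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))  # private exponent

def rsa_sign(private_d: int, n: int, data: bytes) -> int:
    """Textbook RSA over the SHA-256 digest (no padding; toy only)."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, private_d, n)

def rsa_verify(public_e: int, n: int, data: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, public_e, n) == h

def demo() -> dict:
    """Run every check; each value is True when the property holds as described."""
    msg = b"Transfer 100 USD to account 42"       # constructed sample message
    tampered = b"Transfer 900 USD to account 42"  # attacker's edit

    digest = sha256_hex(msg)
    results = {
        "hash_detects_tamper": not integrity_check(tampered, digest),
        # The attacker simply recomputes the hash over the tampered text:
        "hash_forgeable": integrity_check(tampered, sha256_hex(tampered)),
    }

    key = secrets.token_bytes(32)  # shared by Alice and Bob
    tag = hmac_tag(key, msg)
    results["hmac_detects_tamper"] = not hmac_verify(key, tampered, tag)
    results["hmac_rejects_unkeyed_forgery"] = not hmac_verify(
        key, tampered, hmac_tag(b"wrong key", tampered))
    # Bob holds the same key, so he can mint a tag indistinguishable from Alice's:
    results["hmac_no_nonrepudiation"] = hmac_verify(
        key, tampered, hmac_tag(key, tampered))

    sig = rsa_sign(TOY_D, TOY_N, msg)
    results["sig_verifies"] = rsa_verify(TOY_E, TOY_N, msg, sig)
    results["sig_detects_tamper"] = not rsa_verify(TOY_E, TOY_N, tampered, sig)
    # Bob lacks d; signing with the only exponent he has (e) does not verify:
    results["sig_not_forgeable_by_verifier"] = not rsa_verify(
        TOY_E, TOY_N, tampered, rsa_sign(TOY_E, TOY_N, tampered))
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry printed by `demo()` should be True. The `hmac_no_nonrepudiation` line is the point of Q5: a valid MAC on a message proves only that someone holding the key produced it, so a recipient who also holds the key cannot use it to prove origin to an outside party; the signature case has no such ambiguity.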
6. What is the difference between a Threat, a Vulnerability, and a Risk?
ANSWER ✓ A Threat is any potential danger to an asset. A Vulnerability is a weakness
in a system that can be exploited by a threat. Risk is the likelihood that a threat will
exploit a vulnerability and the resulting impact.
7. What is the purpose of a Risk Assessment?
ANSWER ✓ To identify, estimate, and prioritize risks to organizational operations, assets,
and individuals.
8. What are the four common Risk Response strategies?
ANSWER ✓ Acceptance (acknowledge the risk), Avoidance (stop the activity causing
the risk), Mitigation (implement controls to reduce the risk), Transference (shift the risk
to a third party, e.g., insurance).
9. What is the principle of Least Privilege?
ANSWER ✓ Granting users only the minimum levels of access—or permissions—
necessary to perform their job functions.
10. What is Defense in Depth (Layered Defense)?
ANSWER ✓ A security strategy that employs multiple, layered defensive mechanisms to
protect assets, so that if one control fails or is bypassed, the remaining layers still
protect the asset. (e.g., Firewall, IPS, antivirus, user training).
Domain 2: Security Governance and Compliance
11. What is a Security Policy?
ANSWER ✓ A formal, high-level document, approved by management, that defines an
organization's security goals, scope, and expectations for secure behavior. Compliance
with it is mandatory.
12. What is the difference between a Standard, a Guideline, and a Procedure?
ANSWER ✓ A Standard is a mandatory rule supporting a policy. A Guideline is a
recommended, non-mandatory action. A Procedure is a detailed, step-by-step
instruction for accomplishing a specific task.
13. What are the three main types of security controls?
ANSWER ✓ Administrative, also called managerial (policies, procedures); Technical, also
called logical (firewalls, encryption); and Physical (locks, guards).
14. What is the purpose of a Business Impact Analysis (BIA)?