WGU D430 Fundamentals of Information Security OA
Actual Exam 2026 | Questions with Verified Answers |
100% Correct | Pass Guaranteed
SECTION 1: Security Concepts & Governance
Q1: Which objective of the CIA Triad ensures that data has not been altered or destroyed in an
unauthorized manner?
A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Correct Answer: B
Rationale: Integrity guarantees that information remains accurate and unaltered unless modified
by authorized users; this is typically enforced through hashing, digital signatures, and version
controls. Confidentiality (A) focuses on preventing unauthorized disclosure, while Availability
(C) ensures timely access to data. Non-repudiation (D) provides undeniable proof of an action
but is not part of the classic CIA triad.
Q2: A hospital must comply with a U.S. regulation that mandates administrative, physical, and
technical safeguards for Protected Health Information (PHI). Which standard/law is applicable?
A. HIPAA
B. SOX
C. GLBA
D. FERPA
Correct Answer: A
Rationale: The Health Insurance Portability & Accountability Act (HIPAA) Security Rule
requires covered entities to implement specific safeguards for PHI. SOX (B) governs corporate
financial reporting, GLBA (C) addresses consumer financial data held by banks, and FERPA (D)
protects student education records—none of which focus on health data.
Q3: During a risk assessment, a manager rates a threat as "high" because it could exploit a
vulnerability once per month and potentially cost $100k in lost sales. Which risk methodology
step does this represent?
A. Risk identification
B. Risk likelihood & impact analysis
C. Risk mitigation
D. Risk acceptance
Correct Answer: B
Rationale: Estimating how often a threat may occur (likelihood) and the monetary or operational
damage it could cause (impact) defines qualitative/quantitative risk analysis. Identification (A)
catalogs assets, threats, and vulnerabilities; mitigation (C) selects controls; acceptance (D) is a
management decision to live with the risk.
Q4: Which document provides senior leadership's written commitment to information security,
assigns responsibilities, and aligns security with business objectives?
A. Procedure
B. Guideline
C. Information Security Policy
D. Standard
Correct Answer: C
Rationale: A policy is a high-level, mandatory statement that reflects management's intent and
sets the security tone across the organization. Procedures (A) are step-by-step instructions,
guidelines (B) are recommendations, and standards (D) specify minimum requirements for
hardware, software, or configurations.
Q5: A control that restores critical systems within 4 hours after a disruption and fully recovers
operations within 24 hours is best described as which type of control?
A. Preventive
B. Deterrent
C. Corrective
D. Detective
Correct Answer: C
Rationale: Corrective controls reduce the impact of an incident and restore operations (e.g.,
business continuity plans, backups). Preventive (A) blocks incidents, deterrent (B) discourages
violations, and detective (D) identifies occurrences after the fact.
Q6: A company adopts the NIST Cybersecurity Framework. After identifying and protecting
assets, which function comes next in the continuous cycle?
A. Recover
B. Detect
C. Respond
D. Govern
Correct Answer: B
Rationale: The NIST CSF sequence is Identify → Protect → Detect → Respond → Recover.
"Detect" encompasses monitoring and anomaly detection. Recover (A) is the final phase;
Respond (C) follows Detect; Govern (D) is a cross-cutting activity, not a sequential function.