WGU D430 Fundamentals of Information Security OA Actual Exam 2026 | Questions with Verified Answers | 100% Correct | Pass Guaranteed

Institution: WGU D430
Course: WGU D430
Type: Exam (elaborations)
Contains: Questions & answers
Pages: 12
Grade: A+
Uploaded on: January 6, 2026
Written in: 2025/2026
Content preview

SECTION 1: Security Concepts & Governance
Q1: Which primary goal of the CIA triad is violated when a database record is modified by an
unauthorized user?
A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Correct Answer: B
Rationale: Integrity ensures that data remains accurate and unaltered without authorization;
unauthorized modification directly violates this principle. Confidentiality (A) is concerned with
disclosure, not alteration. Availability (C) relates to timely access. Non-repudiation (D) prevents
denial of an action but does not address data alteration.
Q2: A company must decide whether to accept, transfer, mitigate, or avoid a risk with an
annualized loss expectancy (ALE) of $45,000 and mitigation cost of $60,000. Which risk
response is MOST aligned with NIST SP 800-30 guidance?
A. Accept the risk
B. Transfer the risk
C. Avoid the risk
D. Mitigate the risk
Correct Answer: A
Rationale: When the annual cost of the safeguard ($60,000) exceeds the annualized loss it would
prevent ($45,000), the control has negative net value, so accepting the risk is the economically
justified response unless regulatory, contractual, or reputational factors dictate otherwise.
Transfer (B) via insurance still costs premiums and leaves residual risk, and the question gives no
transfer cost that would make it the cheaper option. Avoid (C) would eliminate the asset or process,
which is extreme for a $45,000 exposure. Mitigate (D) is uneconomical here.
Q3: Which governance document is MOST appropriate for high-level statements such as “All
customer PII must be encrypted at rest”?
A. Policy
B. Standard
C. Procedure
D. Guideline
Correct Answer: A
Rationale: Policies are executive-level documents that set mandatory requirements. Standards
(B) define specific technologies or parameters, procedures (C) give step-by-step instructions,
and guidelines (D) are non-mandatory recommendations.

Q4: The ISO 27001 certification process requires which phase to be completed BEFORE
conducting the Stage 2 audit?
A. Risk assessment
B. Statement of Applicability
C. Management review
D. Stage 1 audit (readiness review)
Correct Answer: D
Rationale: ISO 27001 mandates a Stage 1 readiness review to verify that the ISMS is
sufficiently implemented before the Stage 2 certification audit. Risk assessment (A), SoA (B),
and management review (C) are all required but occur earlier within the ISMS build, not the
certification sequence.
Q5: Which document provides a mapping between NIST SP 800-53 controls and PCI DSS
requirements?
A. NIST SP 800-37 Rev. 2
B. NIST Cybersecurity Framework
C. NIST SP 800-53A
D. NIST Interagency Report (NISTIR) 8097
Correct Answer: B
Rationale: The CSF includes Informative References that map 800-53 controls to sector-specific
standards such as PCI DSS. 800-37 (A) is Risk Management Framework; 800-53A (C) is
assessment guidance; NISTIR 8097 (D) addresses mobile threat catalog, not mappings.
Q6: A startup stores health records in AWS. Which regulation MOST directly requires a
documented Business Associate Agreement (BAA) with AWS?
A. HIPAA
B. HITECH
C. GDPR
D. SOX
Correct Answer: A
Rationale: HIPAA mandates BAAs when a covered entity shares PHI with a cloud provider.
HITECH (B) strengthens HIPAA but does not create new agreement types. GDPR (C) requires
data-processing agreements, not BAAs. SOX (D) focuses on financial reporting.
Q7: In quantitative risk analysis, which variable is multiplied by Exposure Factor to derive Single
Loss Expectancy (SLE)?
A. Annualized Rate of Occurrence (ARO)
B. Asset Value (AV)
C. Safeguard cost
D. Residual risk
Correct Answer: B
Rationale: SLE = AV × EF. ARO (A) enters only at the next step, ALE = SLE × ARO. Safeguard cost
(C) and residual risk (D) are not components of SLE.
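The formulas behind Q2 and Q7 (SLE = AV × EF, ALE = SLE × ARO, and the cost/benefit test that decides whether a safeguard is worth buying) carried through in code. This is an added example, not part of the exam document; the asset value, exposure factor and ARO below are constructed figures chosen so that the ALE comes out at the $45,000 used in Q2, and `recommend()` applies only the economic test, leaving the regulatory or reputational overrides the rationale mentions to the reader.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """Inputs to a quantitative risk calculation for one asset/threat pair."""

    asset_value: float       # AV: replacement or business value of the asset
    exposure_factor: float   # EF: fraction of AV lost in one incident (0.0..1.0)
    aro: float               # ARO: expected number of incidents per year

    def __post_init__(self) -> None:
        # Guard against the usual data-entry mistakes (EF given as a percent, negative AV).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF (Q7)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a safeguard: the loss it avoids minus what it costs.

    A negative result means the control costs more per year than the exposure it removes.
    """
    return (ale_before - ale_after) - annual_cost


def recommend(risk: Risk, annual_safeguard_cost: float,
              residual_ale: float = 0.0) -> tuple[str, float]:
    """Economic choice between 'mitigate' and 'accept' (the Q2 decision).

    residual_ale is the ALE that remains after the safeguard is in place. The default of 0.0
    assumes the control eliminates the loss entirely, the most generous case for mitigation;
    if mitigation still loses under that assumption, no residual figure can rescue it.
    """
    value = safeguard_value(risk.ale(), residual_ale, annual_safeguard_cost)
    return ("mitigate" if value > 0 else "accept"), value


# Constructed figures (assumption, not from the exam): a $500,000 asset, 30% destroyed per
# incident, 0.3 incidents per year. SLE = $150,000 and ALE = $45,000, matching Q2.
EXAM_RISK = Risk(asset_value=500_000, exposure_factor=0.30, aro=0.30)

if __name__ == "__main__":
    print(f"SLE = ${EXAM_RISK.sle():,.0f}")   # $150,000
    print(f"ALE = ${EXAM_RISK.ale():,.0f}")   # $45,000
    for cost in (60_000, 20_000):
        decision, value = recommend(EXAM_RISK, cost)
        print(f"safeguard at ${cost:,}/yr -> {decision} (net value ${value:,.0f})")
```

With the $60,000 safeguard from Q2 the net value is -$15,000 and the function returns "accept"; the same risk against a $20,000 control returns "mitigate" with $25,000 of net value, which is the comparison the exam is testing.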
Q8: Which of the following BEST exemplifies the concept of “due care” from a legal
perspective?
A. Installing the latest firewall after a breach
B. Performing annual penetration tests aligned with industry norms