Domain 4 Capstone: Information Technology & Security
Architecture defines exposure.
Operations influence reliability.
Governance aligns protection.
These 20 questions integrate all Domain 4 concepts.
Slow down.
Think structurally.
Think governance.
Questions
1
An organization centralizes all authentication into one cloud provider without failover.
Primary risk?
A. Standardization risk
B. Concentration and single point of failure
C. Reduced inherent risk
D. Strong KPI
Answer
B — Centralization increases blast radius without redundancy.
2
Emergency changes are frequently implemented without testing due to business pressure.
Most compromised principle?
A. Incident management
B. Change control integrity
C. Disaster recovery
D. Segregation of duties
Answer
B — Change discipline protects operational stability.
3
A project launches before security requirements are fully defined.
Primary weakness?
A. Agile methodology
B. Failure to embed security in SDLC
C. Reduced inherent risk
D. Strong awareness
Answer
B — Security must be defined during requirements/design.
4
RTO exceeds MTD for a critical system.
This indicates:
A. Strong resilience
B. Misalignment between recovery capability and business tolerance
C. Over-mitigation
D. Reduced exposure
Answer
B — Recovery objectives must align with BIA.
5
Customer data is encrypted but retained indefinitely.
Primary risk?
A. Confidentiality
B. Regulatory and breach impact exposure
C. Availability
D. Integrity
Answer
B — Over-retention increases liability.
6
Incidents are resolved quickly, but root causes are never addressed.
Operational weakness?
A. Strong incident response
B. Weak problem management discipline
C. Reduced inherent risk
D. Strong KCI
Answer
B — Recurring incidents indicate structural weakness.
7
Executives are exempt from awareness training.
Governance risk?
A. Strong leadership
B. Tone at the top failure
C. Reduced exposure
D. Defense in depth
Answer
B — Leadership sets cultural expectations.
8
A security framework is adopted but not integrated into operational processes.
Primary issue?
A. Strong maturity
B. Framework without execution
C. Reduced inherent risk
D. Improved KRI
Answer
B — Governance requires integration.
9
A cloud contract lacks data destruction clauses.
Lifecycle gap?
A. Creation
B. Use
C. Disposal
D. Classification
Answer
C — Disposal must be governed contractually.
10
An unsupported legacy system remains in production.
Primary concern?
A. Reduced exposure
B. Increasing vulnerability and operational risk
C. Strong mitigation
D. Strong awareness
Answer
B — Unsupported systems increase exposure.
11
AI tools are deployed without defined governance or data controls.
Most compromised principle?
A. Innovation
B. Risk assessment prior to adoption
C. KPI alignment
D. Availability
Answer
B — Emerging tech requires structured risk evaluation.
12
Phishing click rates decline but reporting rates remain low.
Primary concern?
A. Strong awareness
B. Incomplete behavioral change
C. Reduced inherent risk
D. Strong KPI
Answer
B — Reporting is part of behavior change.
13
Multiple business units use inconsistent risk scoring methods.
Impact?
A. Strong aggregation
B. Weak enterprise visibility
C. Reduced inherent risk
D. Improved monitoring
Answer
B — Standardization supports aggregation.
14
A system bypasses formal change management because it is “low impact.”
Primary risk?
A. Strong agility
B. Uncontrolled operational exposure
C. Reduced inherent risk
D. Defense in depth
Answer
B — All production changes require governance.
15
Personal data is processed for analytics beyond stated consent.
Violated principle?
A. Confidentiality
B. Purpose limitation
C. Availability
D. Segregation of duties
Answer
B — Privacy governs lawful use.
16
DR plans are documented but never tested.
Primary exposure?
A. Strong resilience
B. False assurance and availability risk
C. Reduced inherent risk
D. Strong KPI
Answer
B — Untested recovery cannot be trusted.
17
Control implementation is completed, but residual risk is not reassessed.
Governance gap?
A. Inherent risk scoring
B. Validation of effectiveness
C. Strong mitigation
D. Risk avoidance
Answer
B — Residual risk must be recalculated.
18
IoT devices are deployed without centralized inventory tracking.
Primary risk?
A. Reduced exposure
B. Increased attack surface and unmanaged assets
C. Strong awareness
D. Improved KPI
Answer
B — Unknown assets create unmanaged risk.
19
A company encrypts all systems equally regardless of data sensitivity.
Which principle may be violated?
A. Defense in depth
B. Risk-based proportionality
C. Integrity
D. Segregation of duties
Answer
B — Controls must align with risk exposure.
20
BCM plans are not updated after major organizational restructuring.
What risk emerges?
A. Strong governance
B. Outdated dependency and recovery assumptions
C. Reduced inherent risk
D. Improved monitoring
Answer
B — Continuity must reflect current operations.
Domain 4 master pattern
Remember:
- Architecture creates structure.
- Operations create stability.
- Lifecycle creates exposure.
- Governance enforces discipline.
- Privacy governs lawful use.
- BCM reduces impact.
- DR restores systems.
- Awareness reduces human likelihood.
- Frameworks provide structure.
- Controls must align with risk appetite.
- Monitoring validates effectiveness.
- Emerging tech increases uncertainty.
Domain 4 rewards structural, enterprise-level thinking — not tool configuration knowledge.