Domain 4 Capstone: Information Technology & Security
Architecture defines exposure.
Operations influence reliability.
Governance aligns protection.
These 20 questions integrate all Domain 4 concepts.
Slow down.
Think structurally.
Think governance.
Questions
1. An organization centralizes all authentication into one cloud provider without failover.
Primary risk?
A. Concentration and single point of failure
B. Standardization risk
C. Reduced inherent risk
D. Strong KPI
Answer: A — Centralization increases blast radius without redundancy.
2. Emergency changes are frequently implemented without testing due to business pressure.
Most compromised principle?
A. Incident management
B. Disaster recovery
C. Change control integrity
D. Segregation of duties
Answer: C — Change discipline protects operational stability.
3. A project launches before security requirements are fully defined.
Primary weakness?
A. Agile methodology
B. Strong awareness
C. Reduced inherent risk
D. Failure to embed security in SDLC
Answer: D — Security must be defined during requirements/design.
4. RTO exceeds MTD for a critical system.
This indicates:
A. Strong resilience
B. Misalignment between recovery capability and business tolerance
C. Over-mitigation
D. Reduced exposure
Answer: B — Recovery objectives must align with BIA.
5. Customer data is encrypted but retained indefinitely.
Primary risk?
A. Confidentiality
B. Regulatory and breach impact exposure
C. Availability
D. Integrity
Answer: B — Over-retention increases liability.
6. Incidents are resolved quickly, but root causes are never addressed.
Operational weakness?
A. Strong incident response
B. Strong KCI
C. Reduced inherent risk
D. Weak problem management discipline
Answer: D — Recurring incidents indicate structural weakness.
7. Executives are exempt from awareness training.
Governance risk?
A. Tone at the top failure
B. Strong leadership
C. Reduced exposure
D. Defense in depth
Answer: A — Leadership sets cultural expectations.
8. A security framework is adopted but not integrated into operational processes.
Primary issue?
A. Strong maturity
B. Reduced inherent risk
C. Framework without execution
D. Improved KRI
Answer: C — Governance requires integration.
9. A cloud contract lacks data destruction clauses.
Lifecycle gap?
A. Creation
B. Use
C. Disposal
D. Classification
Answer: C — Disposal must be governed contractually.
10. An unsupported legacy system remains in production.
Primary concern?
A. Increasing vulnerability and operational risk
B. Reduced exposure
C. Strong mitigation
D. Strong awareness
Answer: A — Unsupported systems increase exposure.
11. AI tools are deployed without defined governance or data controls.
Most compromised principle?
A. Innovation
B. Risk assessment prior to adoption
C. KPI alignment
D. Availability
Answer: B — Emerging tech requires structured risk evaluation.
12. Phishing click rates decline but reporting rates remain low.
Primary concern?
A. Strong awareness
B. Strong KPI
C. Reduced inherent risk
D. Incomplete behavioral change
Answer: D — Reporting is part of behavior change.
13. Multiple business units use inconsistent risk scoring methods.
Impact?
A. Strong aggregation
B. Improved monitoring
C. Reduced inherent risk
D. Weak enterprise visibility
Answer: D — Standardization supports aggregation.
14. A system bypasses formal change management because it is “low impact.”
Primary risk?
A. Strong agility
B. Uncontrolled operational exposure
C. Reduced inherent risk
D. Defense in depth
Answer: B — All production changes require governance.
15. Personal data is processed for analytics beyond stated consent.
Violated principle?
A. Confidentiality
B. Availability
C. Purpose limitation
D. Segregation of duties
Answer: C — Privacy governs lawful use.
16. DR plans are documented but never tested.
Primary exposure?
A. False assurance and availability risk
B. Strong resilience
C. Reduced inherent risk
D. Strong KPI
Answer: A — Untested recovery cannot be trusted.
17. Control implementation is completed, but residual risk is not reassessed.
Governance gap?
A. Validation of effectiveness
B. Inherent risk scoring
C. Strong mitigation
D. Risk avoidance
Answer: A — Residual risk must be recalculated.
18. IoT devices are deployed without centralized inventory tracking.
Primary risk?
A. Reduced exposure
B. Strong awareness
C. Increased attack surface and unmanaged assets
D. Improved KPI
Answer: C — Unknown assets create unmanaged risk.
19. A company encrypts all systems equally regardless of data sensitivity.
Which principle may be violated?
A. Defense in depth
B. Segregation of duties
C. Integrity
D. Risk-based proportionality
Answer: D — Controls must align with risk exposure.
20. BCM plans are not updated after major organizational restructuring.
What risk emerges?
A. Strong governance
B. Outdated dependency and recovery assumptions
C. Reduced inherent risk
D. Improved monitoring
Answer: B — Continuity must reflect current operations.
Domain 4 master pattern
Remember:
- Architecture creates structure.
- Operations create stability.
- Lifecycle creates exposure.
- Governance enforces discipline.
- Privacy governs lawful use.
- BCM reduces impact.
- DR restores systems.
- Awareness reduces human likelihood.
- Frameworks provide structure.
- Controls must align with risk appetite.
- Monitoring validates effectiveness.
- Emerging tech increases uncertainty.
Domain 4 rewards structural, enterprise-level thinking — not tool configuration knowledge.