
Memberships

CyberMAYnia CAREER

359 members • Free

CISSP Study Group

2k members • Free

46 contributions to CISSP Study Group
CISSP Practice Question (Domain 7: Security Operations)
During a confirmed ransomware incident, the IR team identifies that the attacker is still actively exfiltrating data through a compromised service account. The legal team requests that no systems be taken offline to preserve evidence for potential litigation. Operations wants the bleeding stopped immediately. What should the incident commander prioritize FIRST?
A. Disable the compromised service account to stop active data exfiltration
B. Isolate affected network segments while preserving system state for forensics
C. Initiate a full forensic image of all affected systems before any containment action
D. Convene an emergency meeting with legal, operations, and security to align on priorities
Come back for the answer tomorrow, or study more now!
0 likes • 3h
B
CISSP Practice Question (Domain 3: Security Architecture and Engineering)
An architect proposes implementing end-to-end encryption for all internal microservice communications. The SOC team warns this will eliminate their ability to inspect east-west traffic for lateral movement detection. Both teams escalate to you. What is the BEST course of action?
A. Prioritize encryption and accept reduced network visibility as residual risk
B. Reject encryption to preserve the SOC's detection capabilities
C. Implement encryption with TLS termination points that allow authorized inspection
D. Defer the decision until a formal threat model evaluates both risks
Come back for the answer tomorrow, or study more now!
0 likes • 3h
I’m caught here: C resolves the issue and gives both sides what they require, whereas D feels appropriate to mitigate security risks with a measured joint decision.
CISSP Practice Question (Domain 1: Security and Risk Management)
Your organization acquires a competitor and inherits their customer database containing PII subject to GDPR. The integration team wants to merge both databases immediately to eliminate duplicate customer records. The acquired company's privacy notices did not disclose data sharing with third parties. What should you do FIRST?
A. Obtain updated consent from the acquired company's customers before merging
B. Conduct a data protection impact assessment on the proposed database merge
C. Proceed with the merge using the acquiring company's existing privacy framework
D. Engage the DPO to determine whether a lawful basis for processing exists under the new entity
Come back for the answer tomorrow, or study more now!
1 like • 3d
D: you need to be sure you have a lawful reason to use the data.
CISSP Practice Question (Domain 2: Asset Security)
Your organization completes a data classification initiative and discovers that 40% of data labeled "confidential" has not been accessed in over three years. Storage costs are significant. Data owners across business units cannot confirm whether retention requirements still apply. What should you recommend FIRST?
A. Archive the dormant data to lower-cost storage with existing classification labels
B. Conduct a retention review with data owners and legal to validate regulatory obligations
C. Declassify the unused data to reduce protection overhead and storage costs
D. Implement automated data lifecycle policies to purge data exceeding retention thresholds
Come back for the answer tomorrow, or study more now!
0 likes • 4d
@Hassan Na, remember to think like a manager: an engineer would archive; a manager would want facts before changing things.
CISSP Practice Question (Domain 6: Security Assessment and Testing)
Your organization passes its annual SOC 2 Type II audit with no findings. Two months later, a penetration test reveals a critical vulnerability in a customer-facing application that has existed for over a year. The board questions why the audit missed it. What is the BEST explanation?
A. The penetration testing firm used more advanced techniques than the SOC 2 auditors
B. SOC 2 evaluates control design and operating effectiveness, not technical vulnerability discovery
C. The audit scope was improperly defined and should have included application testing
D. The auditors failed to meet professional due diligence standards
Come back for the answer tomorrow, or study more now!
0 likes • 4d
B
Allison Regan
@allison-regan-1007
Electronics engineer working on transitioning into the cybersecurity field. Proud to have passed CompTIA Security+, ISC2 CC, CSA CCSK & CCZT, CCEP.

Active 3h ago
Joined Nov 15, 2025
Scotland, United Kingdom