Memberships

Cyber Pros Career Accelerator

193 members • Free

CISSP Study Group

1.8k members • Free

9 contributions to CISSP Study Group
CISSP Practice Question (Domain 6: Security Assessment & Testing / Continuous Monitoring)
An organization replaces periodic vulnerability scans with a continuous exposure-management platform that automatically adjusts risk scores based on real-time threat intelligence. During an internal audit, leadership asks whether this approach still satisfies regulatory expectations for formal security assessments. What should the security manager do FIRST to address this concern?
A. Map continuous monitoring outputs to regulatory assessment requirements
B. Resume scheduled vulnerability scans to avoid audit findings
C. Request written approval from regulators for the new approach
D. Disable automated risk scoring and rely on static assessments
2 likes • 8h
A: this will show leadership that the approach still meets compliance.
CISSP Practice Question (Domain 5: Identity & Access Management / Privileged Access Controls)
During a quarterly access review, an organization discovers that several DevOps engineers have accumulated multiple privileged roles across different cloud environments due to automated provisioning workflows that never revoked old permissions. No misuse has been detected, but the roles collectively exceed least-privilege requirements and present a potential lateral-movement risk. What should the security manager do FIRST?
A. Immediately disable all excessive roles and force users to request access again
B. Conduct a risk analysis to understand business impact before removing permissions
C. Implement just-in-time privileged access to eliminate standing permissions
D. Escalate the issue to HR for potential policy violations
3 likes • 1d
B. A and C will create unnecessary complications; there's been no misuse, and the DevOps engineers will likely rely on some of the privileges. C may help in time, but not now. D is totally unnecessary; nothing has happened that needs reporting.
0 likes • 13h
@Vivek Sridhar have you been speaking with my partner? I’ve heard that said before. Or was the phrase you always have to be right. 🤣🤣
CISSP Practice Question (Domain 7: Security Operations / Supply Chain Risk)
An enterprise discovers that a widely used third-party monitoring agent embedded in multiple production servers has begun making undocumented outbound connections to an IP range controlled by a subcontractor the enterprise has never engaged. The agent is critical for operational visibility, and disabling it would blind several detection controls. No malicious activity has been confirmed, but threat intelligence reports suggest recent supply chain compromises involving similar agents. What should the security manager do FIRST?
A. Immediately isolate all hosts running the agent from the network
B. Conduct a rapid supplier risk reassessment and verify the legitimacy of the subcontractor relationship
C. Disable the agent across production to eliminate potential exfiltration
D. Escalate directly to regulators due to potential third-party data exposure
1 like • 2d
B, then I think I would be inclined to follow @Martin Joplin's approach.
CISSP Practice Question (Domain 7: Security Operations / Incident Response + AI Context)
Rymar Tech's SOC deploys a new AI-based anomaly detection system that suddenly begins generating an unusually high volume of high-risk alerts after being retrained with third-party data the previous night. No malicious activity has been confirmed, but the alert surge is overwhelming SOC analysts and impacting monitoring effectiveness. What should the incident response manager do FIRST?
A. Disable the AI platform and revert to manual triage
B. Escalate to the CISO and declare a security incident
C. Initiate the incident response process beginning with detection and verification
D. Conduct a model validation review with the third-party integrator
1 like • 3d
@Vivek Sridhar that’s a great answer
1 like • 3d
@Vivek Sridhar ah, but you highlighted the important bit: "think like a manager".
CISSP Practice Question (Domain 1: Security and Risk Management)
A regional bank adopts a new third-party transaction-scoring engine hosted in the cloud. The vendor refuses to provide detailed architectural diagrams but offers recent SOC 2 Type II reports. Executives want rapid deployment, but regulators recently flagged the bank for weak vendor oversight. What is the MOST appropriate next step?
A. Require the vendor to provide full network diagrams before integration
B. Review and validate the SOC 2 report against the bank's control objectives
C. Conduct a full on-site audit of the vendor's operations
D. Delay onboarding until regulators approve the vendor's environment
1 like • 4d
B is correct. We have a SOC 2 Type II to evaluate; it will help to conform to the regulators' expectations, and we're doing a risk assessment and doing our due diligence. A: we already know they're unwilling, and we have the SOC 2 Type II report. C: unless already in a contract we have no right, but also it won't be better than the SOC 2 Type II we already have. D: regulators don't do this.
0 likes • 3d
@Vincent Primiani thanks, that helps a lot, and you word it so much more eloquently.
Allison Regan
@allison-regan-1007
Electronics engineer working on transitioning into the cybersecurity field. Proud to have passed CompTIA Security+, ISC2 CC, CSA CCSK & CCZT, CCEP.

Joined Nov 15, 2025
Scotland, United Kingdom