@Jonathan Perry glad to have you Sir!

@William Serrano will that’s great! What’s the prep plan?

@Dj Sahoo Correct Answer: C. Perform a risk assessment mapped to your control requirements Explanation (CISSP logic): Third-party risk management starts with understanding your own control requirements and the risk the vendor introduces, not collecting their artifacts. A SOC 2 report and questionnaires are inputs to a risk assessment, not substitutes for it. Domain 3 and Domain 1 both stress that due diligence means evaluating fit against your risk appetite before contractual commitment. Breakdown: A. A SOC 2 Type II is evidence, not a decision; accepting it without mapping to your controls skips due diligence. B. Questionnaires feed the assessment but don't replace the analysis or the risk decision. C. ✅ Correct. Establishes the control gap and informs whether to proceed, negotiate, or walk away. D. A pen test addresses technical posture, not regulatory fit, contractual terms, or residual risk ownership. Think like a manager: Vendor artifacts are inputs; your risk assessment is the decision. Sign the contract last, not first.

@Ms. Marlow Correct Answer: B. Initiate a formal access recertification with each respective data owner Explanation (CISSP logic): This is privilege creep, and the fix is governance, not tooling. Data owners (not IT, not managers) are the accountable parties for authorizing access to their data. Recertification forces each owner to justify continued access against current job function, satisfying least privilege and separation of duties. Breakdown: A. Activity-based pruning is operational hygiene; it skips the authorization question and bypasses the data owner. B. ✅ Correct. Re-anchors access decisions with the accountable owners and produces audit evidence. C. RBAC is a sound long-term design, but implementation comes after you've validated what access is actually authorized. D. HR governs job descriptions, not data access authorization; wrong authority. Think like a manager: Access doesn't expire on its own. Owners authorize, recertification validates, and least privilege is a verb.

@Antony Onamu Correct Answer: B. Enforce the existing retention schedule and require a formal exception with risk acceptance Explanation (CISSP logic): Retention schedules exist to limit liability, storage cost, and privacy exposure. "Just in case" is not a lawful basis to retain personal data, and over-retention increases breach impact and regulatory risk (GDPR, CCPA minimization principles). Any deviation must follow a documented exception process with the accountable risk owner signing off. Breakdown: A. Longer retention increases discovery scope and breach blast radius; it doesn't reduce legal risk. B. ✅ Correct. Upholds policy, forces accountability, and routes the deviation through governance. C. Cold storage solves cost, not the underlying policy violation or privacy exposure. D. Legal is a stakeholder, not the decision authority for routine retention; punting delays without resolving the governance issue. Think like a manager: Data you don't need is liability you can't insure. Retention is a control, not a convenience.