A financial institution is designing its disaster recovery strategy. Management states that after a disruption, customer-facing services must be restored within four hours, and no more than 30 minutes of customer transaction data can be lost. Which of the following BEST describes these requirements? A. RTO = 30 minutes, RPO = 4 hours B. RTO = 4 hours, RPO = 30 minutes C. RTO = 4 hours, RPO = 4 hours D. RTO = 30 minutes, RPO = 30 minutes

An enterprise is moving to a hybrid cloud model and wants to centralize user authentication across on-premises systems and multiple SaaS providers. The solution must support single sign-on (SSO), enforce multi-factor authentication (MFA), and minimize administrative overhead for provisioning and deprovisioning accounts. Which of the following approaches BEST meets these requirements? A. Deploying Kerberos across all environments, including the SaaS providers B. Implementing a Security Assertion Markup Language (SAML)–based federation with an identity provider C. Using RADIUS servers for all authentication requests to centralize credential management D. Requiring each SaaS provider to integrate directly with the corporate LDAP directory

An organization is selecting a system that must provide strong assurance that all access control decisions are enforced correctly and cannot be bypassed. The evaluation team is considering systems certified under the Common Criteria (ISO/IEC 15408) framework. Which of the following Common Criteria assurance levels BEST meets this requirement? A. EAL2 – Structurally Tested B. EAL4 – Methodically Designed, Tested, and Reviewed C. EAL5 – Semiformally Designed and Tested D. EAL7 – Formally Verified, Designed, and Tested

You are designing a system for a law firm that represents multiple competing corporations. The system must: - Prevent lawyers from accessing case files of competing clients - Ensure paralegals can enter data but only senior attorneys can approve filings - Maintain confidentiality of client records Which combination of models is most relevant here? A. Bell–LaPadula and Biba B. Clark–Wilson and Brewer–Nash C. Bell–LaPadula and Clark–Wilson D. Brewer–Nash and Biba

A company’s security team is planning regular vulnerability assessments of its production systems. Management insists that business operations must not be disrupted during these tests. Which of the following approaches BEST meets this requirement? A. Run authenticated vulnerability scans against production systems during business hours. B. Conduct penetration tests against production systems once per quarter. C. Perform vulnerability scans in a staging environment that mirrors production. D. Schedule uncredentialed vulnerability scans of production systems during off-peak hours.