Your organization wants to integrate a third-party pre-trained ML model into an internal application. The vendor provides the model weights but no documentation on the training data sources. As the security lead, what is the MOST appropriate action BEFORE integration? A. Run the model in an isolated sandbox and monitor its behavior B. Require a software bill of materials covering the model and its provenance C. Scan the model file for embedded malware before deployment D. Limit the model's runtime permissions to read-only data access Come back for the answer tomorrow, or study more now!

Your organization is deploying a customer-facing chatbot powered by a third-party LLM. The product team wants to connect it directly to the order management database to answer real-time inventory questions. As the security architect, what is the BEST design control? A. Implement input validation to block prompt injection attempts B. Place an API gateway with strict allow-listed queries between the LLM and the database C. Require TLS 1.3 for all traffic between the chatbot and backend systems D. Deploy a WAF tuned for LLM-specific attack signatures Come back for the answer tomorrow, or study more now!

An organization migrating legacy file shares to a cloud collaboration platform discovers that several datasets contain regulated records with no documented retention periods or data owners. The business wants immediate migration to meet a project deadline. What should the security manager do FIRST? A. Migrate the data and address ownership and retention after cutover B. Identify data owners and define retention requirements before migration C. Apply default retention policies to all datasets to avoid delay D. Escalate the issue to legal and halt the migration indefinitely

A global enterprise is transitioning from long-term symmetric encryption keys to an automated key rotation system using hardware security modules (HSMs). During the rollout, application owners express concern that frequent rotation may disrupt legacy integrations and availability. What should the security architect do FIRST? A. Enforce the new key-rotation policy across all systems immediately B. Perform a risk assessment to evaluate availability impact and integration dependencies C. Allow legacy systems to retain long-term keys indefinitely D. Delay implementation until all applications are modernized

You are designing a system for a law firm that represents multiple competing corporations. The system must: - Prevent lawyers from accessing case files of competing clients - Ensure paralegals can enter data but only senior attorneys can approve filings - Maintain confidentiality of client records Which combination of models is most relevant here? A. Bell–LaPadula and Biba B. Clark–Wilson and Brewer–Nash C. Bell–LaPadula and Clark–Wilson D. Brewer–Nash and Biba