
Memberships

CISSP Study Group

1.8k members • Free

64 contributions to CISSP Study Group
CISSP Practice Question (Domain 5: Identity & Access Management / Privileged Access Controls)
During a quarterly access review, an organization discovers that several DevOps engineers have accumulated multiple privileged roles across different cloud environments due to automated provisioning workflows that never revoked old permissions. No misuse has been detected, but the roles collectively exceed least-privilege requirements and present a potential lateral-movement risk. What should the security manager do FIRST?
A. Immediately disable all excessive roles and force users to request access again
B. Conduct a risk analysis to understand business impact before removing permissions
C. Implement just-in-time privileged access to eliminate standing permissions
D. Escalate the issue to HR for potential policy violations
0 likes • 9h
B
CISSP Practice Question (Domain 7: Security Operations / Supply Chain Risk)
An enterprise discovers that a widely used third-party monitoring agent embedded in multiple production servers has begun making undocumented outbound connections to an IP range controlled by a subcontractor the enterprise has never engaged. The agent is critical for operational visibility, and disabling it would blind several detection controls. No malicious activity has been confirmed, but threat intelligence reports suggest recent supply chain compromises involving similar agents. What should the security manager do FIRST?
A. Immediately isolate all hosts running the agent from the network
B. Conduct a rapid supplier risk reassessment and verify the legitimacy of the subcontractor relationship
C. Disable the agent across production to eliminate potential exfiltration
D. Escalate directly to regulators due to potential third-party data exposure
0 likes • 2d
B
CISSP Practice Question (Domain 1: Security and Risk Management)
A regional bank adopts a new third-party transaction-scoring engine hosted in the cloud. The vendor refuses to provide detailed architectural diagrams but offers recent SOC 2 Type II reports. Executives want rapid deployment, but regulators recently flagged the bank for weak vendor oversight. What is the MOST appropriate next step?
A. Require the vendor to provide full network diagrams before integration
B. Review and validate the SOC 2 report against the bank’s control objectives
C. Conduct a full on-site audit of the vendor’s operations
D. Delay onboarding until regulators approve the vendor’s environment
0 likes • 4d
B - The SOC 2 report provides the bank’s control objectives, and reviewing the report will satisfy the requirements.
CISSP Practice Question – Domain 4 (Secure Network Design & Key Management)
A multinational enterprise operates a highly distributed microservices architecture across multiple cloud providers. All traffic between microservices must be encrypted and authenticated. To simplify governance, the company wants a single global certificate hierarchy for all workloads across all clouds and on-prem systems. However, several constraints apply:
- Private keys must never leave the host or container where they are created.
- Certificate issuance must support auto-scaling, ephemeral workloads, and identity rotation every few minutes.
- The environment includes legacy systems that cannot use modern service mesh sidecars.
- Security monitoring requires centralized revocation and trust-state visibility across all issuers.
Which PKI architecture BEST satisfies these requirements?
A. A single monolithic root CA issuing certificates directly to all cloud and on-prem workloads.
B. Multiple independent PKIs, each cloud provider managing its own root and workload certificates.
C. A federated PKI with one offline enterprise root and cloud-specific subordinate CAs, each issuing short-lived, locally generated keypairs.
D. Use self-signed certificates generated per workload and synchronize fingerprints centrally for trust verification.
3 likes • 7d
C - I think this is the best answer because, of the choices, it is the only one that supports one of the key requirements in bullet #2, “identity rotation every few minutes”, by “each issuing short-lived, locally generated keypairs”.
🚨 Free Masterclass Access for Study Group Members (Again!) 🚨
If you missed it last time, May Brooks is graciously welcoming CISSP Study Group members back into her CISSP Masterclass! Completely free!
This live session will be held on: Sunday, December 7th — 7:00 PM to 9:00 PM *Dubai time* (please check your time zone conversion)
May is one of the most respected CISSP instructors worldwide. She’s an ISC2 Board Member, co-author of the Official CISSP Study Guide, a TEDx speaker, and a bestselling author (Scams, Hacking, and Cybersecurity). Having her open her masterclass to our group speaks volumes about the reputation you all have built here.
Here’s what this means for you:
📚 Free Access to May’s Masterclass – If you’re serious about passing the CISSP, this is one of the most valuable sessions you can attend.
💡 Ideal for All Levels – Whether you’re early in your studies or testing soon, May’s perspective will give you insights you won’t get anywhere else.
🤝 Community Recognition – May specifically wanted our study group to join because she believes in what you’re building here.
See you there!
Link & Access Info
1 like • 8d
Awesome! Thank you Vincent
Eduardo Polanco
@eduardo-polanco-1198
I have been in the cybersecurity sector since 2009. I am currently a Sr. Manager in IT Security and Compliance and am now pursuing the CISSP.

Active 9h ago
Joined Sep 14, 2025