During a confirmed ransomware incident, the IR team identifies that the attacker is still actively exfiltrating data through a compromised service account. The legal team requests that no systems be taken offline to preserve evidence for potential litigation. Operations wants the bleeding stopped immediately. What should the incident commander prioritize FIRST? A. Disable the compromised service account to stop active data exfiltration B. Isolate affected network segments while preserving system state for forensics C. Initiate a full forensic image of all affected systems before any containment action D. Convene an emergency meeting with legal, operations, and security to align on priorities Come back for the answer tomorrow, or study more now!

Your organization is migrating legacy on-premises applications to a multi-cloud environment. The security team discovers that several applications use hardcoded service account credentials that cannot be easily refactored before the migration deadline. Business leadership refuses to delay the timeline. What is the BEST approach? A. Migrate as planned and prioritize credential refactoring in the next sprint B. Implement secrets management and network segmentation around the vulnerable applications C. Present the risk formally to leadership with compensating control options and timeline impacts D. Reject the migration for applications with hardcoded credentials until remediation is complete Come back for the answer tomorrow, or study more now!

During a third-party risk assessment, you discover a critical SaaS vendor stores customer data in a jurisdiction that conflicts with your organization's data residency requirements. The vendor scores well on every other security benchmark. The contract renewal deadline is in two weeks. What should you do FIRST? A. Require the vendor to migrate data to a compliant region before renewal B. Engage legal counsel to assess regulatory exposure and contractual options C. Renew the contract with an addendum requiring future data residency compliance D. Begin evaluating alternative vendors that meet data residency requirements Come back for the answer tomorrow, or study more now!

A development team integrates a third-party open-source library that processes customer PII. Six months later, a critical vulnerability is disclosed in that library. The vendor has not released a patch. Business stakeholders resist removing the library because it powers a revenue-generating feature. What is the MOST appropriate action? A. Implement compensating controls around the vulnerable component and document the accepted risk B. Fork the library and develop an internal patch C. Escalate to the risk owner for a formal risk acceptance decision D. Immediately remove the library and disable the affected feature Come back for the answer tomorrow, or study more now!

A newly acquired subsidiary uses a separate identity provider with no federation to the parent company. Executives want immediate single sign-on access to the subsidiary's financial reporting system. The subsidiary's IT team warns their directory contains orphaned accounts from prior layoffs. What should you address FIRST? A. Establish federated trust between both identity providers B. Perform an access review and remove orphaned accounts in the subsidiary's directory C. Provision executive accounts directly in the subsidiary's identity provider D. Implement multi-factor authentication on the financial reporting system Come back for the answer tomorrow, or study more now!