
Memberships

CyberMAYnia CAREER

500 members • Free

CISSP Study Group

2.2k members • Free

12 contributions to CISSP Study Group
CISSP Practice Question (Domain 1: Security and Risk Management - Third-Party Risk)
Your SaaS CRM vendor notifies you that a subprocessor they rely on for email delivery suffered a breach. Your customer contact data was likely exposed. The vendor cannot yet confirm scope or timeline. What should the CISO do FIRST?
A. Notify affected customers within 72 hours to meet GDPR deadlines
B. Trigger the incident response plan and engage legal counsel on breach notification obligations
C. Terminate the contract with the CRM vendor for failing to secure its supply chain
D. Demand the subprocessor provide forensic evidence directly to your security team
Come back for the answer tomorrow, or study more now!
1 like • Apr 23
B
CISSP passed
Hi All, I'm happy to announce that I officially passed the CISSP exam today. Our study sessions helped me a lot; I will try to join today's call at 6PM CST to share my experience. Thank you all 😃
0 likes • Apr 22
Congratulations @Satya Villuri
CISSP Practice Question (Domain 6: Security Assessment and Testing - AI Exam Guidance)
A vendor claims their fraud detection model is "99% accurate" based on internal testing. Your company plans to deploy it to score $2B in annual transactions. What should the security team require BEFORE signing the contract?
A. A SOC 2 Type II report covering the vendor's development environment
B. Independent red team testing of the model against adversarial inputs
C. A performance guarantee with financial penalties for accuracy below 99%
D. Source code escrow in case the vendor goes out of business
Come back for the answer tomorrow, or study more now!
0 likes • Apr 22
B
CISSP Practice Question (Domain 6: Security Assessment and Testing - AI Exam Guidance)
Your organization's fraud detection ML model passes all traditional software vulnerability scans. However, a red team discovers they can subtly alter transaction inputs to cause the model to misclassify fraudulent activity as legitimate. What testing gap does this BEST illustrate?
A. The vulnerability scans lacked authenticated scanning credentials
B. Static application security testing was not integrated into the CI/CD pipeline
C. The assessment program did not include adversarial robustness testing of the model
D. The red team should have coordinated findings with the vulnerability management team first
Come back for the answer tomorrow, or study more now!
1 like • Apr 13
C
AI Exam Guidance - CISSP Practice Question (Domain 3: Security Architecture and Engineering)
A healthcare company deploys a diagnostic AI system that recommends treatment options. Regulators require the organization to explain how the model reaches its conclusions. The security architect proposes encrypting the model's internal weights to protect intellectual property. What concern should the CISO raise FIRST?
A. Encryption at rest is insufficient without also encrypting data in transit between inference nodes
B. Protecting model weights may conflict with the regulatory requirement for explainability
C. The model should be hosted in a secure enclave to prevent adversarial extraction attacks
D. A third-party penetration test should validate the encryption implementation before deployment
Come back for the answer tomorrow, or study more now!
1 like • Apr 10
B
Srini Pl
@srini-pl-8668
Novice to cybersecurity; I have been in application development for over two decades, working on a career transition into the cybersecurity domain.

Active 8h ago
Joined Mar 1, 2026
VA, USA