Your organization's risk register is maintained by a single senior analyst who built custom scoring formulas undocumented outside his workstation. He announces his resignation with two weeks notice. The next quarterly risk review is in three weeks. What should you do FIRST? A. Hire a replacement analyst before the departing employee's last day B. Conduct an immediate knowledge transfer to document the scoring methodology C. Postpone the quarterly risk review until a replacement is onboarded D. Assign the risk register to the internal audit team as an interim measure Come back for the answer tomorrow, or study more now!

Your organization deploys an AI assistant with access to internal knowledge bases containing data classified at multiple sensitivity levels. The system currently returns results regardless of the requestor's clearance level. No access enforcement layer exists between the AI and the data. What is the PRIMARY risk? A. The AI model may retain sensitive data in its context and leak it to subsequent users B. Unauthorized information disclosure through the AI bypassing established access controls C. Excessive query logging creating a secondary repository of classified information D. Users developing over-reliance on AI responses instead of consulting original sources Come back for the answer tomorrow, or study more now!

I couldn’t have done this alone. Thanks to everyone who supported me along the way—I’m excited to say I’m now CCIE and CISSP certified!

Your company relies on a critical SaaS provider for customer onboarding. During a routine review, you learn the provider has added a new sub-processor in a high-risk jurisdiction. Your current contract lacks explicit audit/assessment rights for sub-processors, and the business cannot tolerate downtime on this service. What should the security manager do FIRST? A. Issue a risk exception and document acceptance until renewal. B. Perform a targeted supplier risk assessment focused on the new sub-processor and data flows. C. Terminate the relationship and move to a contingency provider. D. Purchase cyber insurance to transfer exposure.

A company discovers that a competitor has copied portions of its proprietary source code into a commercial product. Senior management asks the security manager if the company is protected even though the code was never formally registered with the U.S. Copyright Office. Which of the following is the BEST response? A. No, copyright protection requires formal registration before it applies. B. Yes, the company owns copyright automatically once the code was created, but registration is required to pursue statutory damages in court. C. No, the company must have registered the code as a trade secret before enforcement is possible. D. Yes, but only if the company also filed for a patent covering the code’s algorithms.