@Nuno Simões D. EAL7 – Formally Verified, Designed, and Tested Explanation:The Common Criteria (ISO/IEC 15408) uses Evaluation Assurance Levels (EALs) from 1–7 to describe the depth and rigor of a system’s evaluation. - A. EAL2 – Structurally Tested – Low assurance, minimal rigor. Suitable for environments where threats are not significant. - B. EAL4 – Methodically Designed, Tested, and Reviewed – The highest level commonly achievable in commercial products, balancing assurance with practicality. Good for many enterprises, but not the strongest possible. - C. EAL5 – Semiformally Designed and Tested – Higher rigor than EAL4, suitable for specialized environments requiring strong security. - D. EAL7 – Formally Verified, Designed, and Tested – ✅ Correct. Provides the strongest assurance, with formal mathematical proof and rigorous design/testing to ensure enforcement mechanisms cannot be bypassed. Typically reserved for highly sensitive systems (e.g., military, government). Think like a manager: The question asks for the BEST assurance that access controls cannot be bypassed. That maps to EAL7, even though in real life EAL4 is usually the sweet spot for commercial use.

@Justin Craigon

@Jesús Zayas Correct Answer: B. Implementing a Security Assertion Markup Language (SAML)–based federation with an identity provider Explanation: The requirements are: SSO, MFA support, and low admin overhead across on-prem + SaaS. - A. Kerberos across all environments – Kerberos works well on-prem but is not practical across cloud/SaaS providers that don’t natively support it. Too limited. - B. SAML federation with an IdP – ✅ Correct. SAML is the industry standard for SSO across cloud services. With an identity provider (IdP), you can enforce MFA and centralize provisioning/deprovisioning through federation. - C. RADIUS servers – Centralizes authentication, but it’s mainly for network access (VPN, Wi-Fi). It doesn’t provide web-based SSO to SaaS platforms. - D. Direct LDAP integration with each SaaS – Creates high administrative overhead and scaling issues. Each SaaS would need a custom connection to the directory. Think like a manager: SAML-based federation is the most scalable, standards-based solution for hybrid + SaaS environments. It enables SSO, MFA enforcement, and streamlined account management.

@Justin Craigon Brewer–Nash handles the conflict of interest part (lawyers can’t cross into competitor data). - Clark–Wilson handles the separation of duties (paralegal enters, attorney approves).

@Eduardo Polanco Correct Answer: C. Perform vulnerability scans in a staging environment that mirrors production. Explanation:The key phrase is that business operations must not be disrupted. - A. Authenticated scans during business hours – Too risky. Authenticated scans probe deeply and could impact live systems, especially during peak hours. - B. Penetration tests on production – Even more disruptive. Pen tests simulate real attacks and can cause outages. Not suitable when availability is the priority. - C. Vulnerability scans in staging – ✅ Correct. Scanning a mirrored staging environment avoids disruption to production while still identifying vulnerabilities. This balances security testing with business continuity. - D. Uncredentialed scans off-hours – Less impact, but still performed on production. Even uncredentialed scans can cause instability or trigger alarms. Doesn’t fully remove the risk to operations. Think like a manager: The exam wants you to minimize risk to business operations. Testing in a mirrored staging environment is the safest and most aligned with the requirement.