
Owned by Vincent

CISSP Study Group

1.9k members • Free

Share resources, get advice, and connect with peers studying cybersecurity. Join our CISSP study group and connect with fellow professionals today!

701 contributions to CISSP Study Group
CISSP Practice Question (Domain 5: Identity and Access Management)
A global enterprise implements a zero-trust architecture requiring continuous authentication and authorization. During an incident investigation, security analysts discover that a compromised service account with high privileges has been making API calls from multiple geographic locations simultaneously. The account uses certificate-based authentication with a valid certificate that won't expire for 18 months. What is the MOST effective immediate containment action?

A. Revoke the certificate through the Certificate Authority's Certificate Revocation List (CRL)
B. Disable the service account in the identity provider
C. Implement IP-based geo-fencing to block requests from unauthorized locations
D. Rotate the account credentials and force re-authentication

Come back for the answer tomorrow, or study more now!
CISSP Practice Question (Domain 1: Security and Risk Management)
An organization's CISO discovers that a third-party SaaS vendor processing customer PII has been acquired by a foreign company. The acquiring company is headquartered in a jurisdiction with government data access laws that conflict with the organization's regulatory obligations under GDPR. The vendor contract has 18 months remaining. What should the CISO do FIRST?

A. Invoke the contract's termination-for-convenience clause and begin immediate vendor transition planning
B. Conduct a risk assessment to evaluate the change in data sovereignty exposure and regulatory compliance impact
C. Require the vendor to migrate all customer data to data centers located within approved jurisdictions
D. Notify the Data Protection Authority and affected customers of the potential cross-border data transfer

Come back for the answer tomorrow, or study more now!

@Hassan Na

**CORRECT ANSWER: B - Conduct a risk assessment**

**Why B is Correct:**

A risk assessment is the essential FIRST step because the CISO must understand the full scope and severity of the situation before taking action. This scenario involves complex intersecting issues:

• **Data Sovereignty Concerns** - The acquiring company operates under a different legal jurisdiction with potentially conflicting data access laws
• **GDPR Compliance Impact** - Must evaluate whether the acquisition creates a violation of GDPR's cross-border data transfer requirements
• **Contractual Obligations** - 18 months remain on the contract, creating financial and operational considerations
• **Business Continuity** - Customer PII is actively being processed by this vendor

The risk assessment will quantify the actual regulatory exposure, determine if this creates a material breach of GDPR, evaluate the likelihood of government access to customer data, and identify all available remediation options. Only after understanding these risks can the CISO make informed decisions about next steps.

**Why the Other Options Are Wrong:**

**A. Invoke termination clause immediately** - This is reactive and premature. Terminating without understanding the actual risk could be unnecessarily disruptive and expensive. There may be contractual penalties, operational disruptions, and the new jurisdiction may actually have adequate protections. This violates the principle of risk-based decision making.

**C. Require vendor to migrate data** - This assumes migration is necessary, possible, and permitted under the contract. The CISO doesn't yet know if this is required or feasible. The vendor may not be obligated to comply with such a demand, and this could breach the existing contract terms.

**D. Notify DPA and customers** - While transparency is important, premature notification without understanding the actual risk could cause unnecessary alarm, regulatory scrutiny, and reputational damage. Under GDPR, notification is required when there's a confirmed compliance issue or breach - not for every potential risk that requires investigation.
CISSP Practice Question (Domain 8: Software Development Security)
A development team integrates a generative AI coding assistant that was trained on public repositories. The tool accelerates feature delivery but occasionally references deprecated libraries. Legal warns that AI-generated code may contain license violations or expose proprietary logic if the model was trained on leaked internal code. What should the security manager do FIRST?

A. Engage legal counsel to review the AI vendor's training data sources and contractual indemnification clauses
B. Implement software composition analysis (SCA) and require all AI-generated code to be digitally signed before commit
C. Restrict the AI tool's access to internal repositories and enforce output review through secure-coding peer validation
D. Retrain or fine-tune the AI model using only vetted, license-compliant code from approved sources

@Shane Symons I don't see a specific "style" format saved from our previous conversations. Could you share the answer style/template you'd like me to use, or would you like me to answer this in a standard CISSP exam prep format? In the meantime, here's my analysis:

Correct Answer: A

Why A is correct: This is fundamentally a governance and risk management issue before it becomes a technical control issue. The FIRST action must address the legal and contractual exposure — understanding what the organization is liable for, what indemnification exists, and whether the training data creates IP/licensing risk. You can't implement effective controls until you understand the actual risk landscape.

Why the others are wrong:

- B (SCA + signing): Good technical controls, but implementing them before understanding the legal exposure puts the cart before the horse. What if the vendor agreement already indemnifies you? What if the tool is fundamentally unusable due to licensing?
- C (Restrict access + peer review): Operational control that mitigates symptoms but doesn't address root cause. Also, "FIRST" implies sequencing — you'd implement this after understanding your risk posture.
- D (Retrain/fine-tune): Assumes you own or control the model. Most organizations use third-party AI assistants — retraining isn't typically an option, and even if it were, it's expensive and time-consuming.

CISSP Lens: Domain 8 intersects heavily with governance here. The question tests whether you recognize that risk assessment and legal due diligence precede technical controls in the risk management lifecycle.
CISSP Practice Question (Domain 2: Asset Security)
An organization allows multiple business units to deploy their own AI agents using shared enterprise data lakes. Each unit claims ownership of its AI outputs, while data sources remain centrally managed. A dispute arises after an AI-generated report exposes sensitive correlations between departments. What is the MOST appropriate action to take FIRST?

A. Reclassify the AI-generated outputs under the highest data sensitivity level
B. Clarify and formally assign data ownership and stewardship for AI-derived assets
C. Segregate AI workloads by business unit to prevent cross-correlation
D. Implement stronger access controls on the shared data lake

Come back for the answer tomorrow, or study more now!

Answer: B

The correct answer is B: Clarify and formally assign data ownership and stewardship for AI-derived assets.

Explanation: This question emphasizes taking action "FIRST" in response to a data governance conflict. The scenario presents a situation where multiple business units claim ownership of AI outputs generated from centrally managed data, resulting in a data privacy dispute. CISSP Domain 2: Asset Security focuses on protecting organizational assets, including data governance and stewardship. When an AI governance conflict arises, the FIRST priority must be establishing clear ownership and accountability structures.

Why B is correct:

- Governance comes FIRST: Before implementing technical controls, reclassification, or segregation, you must establish who owns what. This is foundational to all other security measures.
- Establishes accountability: Once ownership is clear, you can determine who is responsible for data classification, access controls, and breach response.
- Prevents future conflicts: Formal assignment prevents competing claims and establishes a single source of truth for data stewardship.

Why the other options are incorrect:

- A (Reclassify): This is a consequence of establishing ownership, not the first action. You cannot properly classify AI outputs without knowing who owns them.
- C (Segregate): Segregation is a technical control that addresses symptoms, not the root governance problem.
- D (Access controls): Implementing access controls before clarifying ownership is like changing locks on a house where ownership is disputed—it doesn't resolve the fundamental issue.

This aligns with the principle that governance precedes controls in the CISSP framework.
CISSP Practice Question (Domain 1: Security and Risk Management)
An organization deploys an AI system that recommends layoffs and budget cuts based on financial and productivity data. Executives approve its use but do not fully understand its decision logic. The recommendations align with profits but raise ethical and reputational concerns internally. What is the MOST appropriate action for the security leader?

A. Require human review of all AI-generated workforce decisions
B. Document the risk acceptance and ethical considerations in governance records
C. Suspend the AI system until explainability requirements are met
D. Conduct a privacy impact assessment focused on employee data

Come back for the answer tomorrow, or study more now!
Vincent Primiani
Cybersecurity. The Study Group Guy.
Joined Apr 29, 2024
New York, NY