
Owned by Vincent

CISSP Study Group

2.1k members • Free

Share resources, get advice, and connect with peers studying cybersecurity. Join our CISSP study group and connect with fellow professionals today!

OpenAI Study Group

1 member • Free

Share resources, get advice, and connect with peers studying for OpenAI certifications! Join our Study Group and meet fellow professionals today!

Memberships

CyberMAYnia CAREER

420 members • Free

Skoolers

190.5k members • Free

781 contributions to CISSP Study Group
CISSP Practice Question (Domain 5: Identity and Access Management)
A long-tenured engineer has accumulated access across six business units through internal transfers. A recent audit flagged the account as having excessive privileges, but managers insist the access is "needed for cross-functional projects." What should you do FIRST?

A. Disable unused entitlements based on the last 90 days of activity logs
B. Initiate a formal access recertification with each respective data owner
C. Implement a role-based access control model to replace direct grants
D. Escalate to HR to enforce a job description review

Come back for the answer tomorrow, or study more now!
CISSP Practice Question (Domain 2: Asset Security)
A business unit requests permanent retention of all customer transaction records "in case we ever need them." Legal has not issued a hold, and the current retention schedule requires deletion after seven years. As the data owner's advisor, what is the BEST response?

A. Honor the request since longer retention reduces legal discovery risk
B. Enforce the existing retention schedule and require a formal exception with risk acceptance
C. Migrate the records to cold storage to balance cost and accessibility
D. Defer to Legal before taking any action on the records

Come back for the answer tomorrow, or study more now!
1 like • 1d
@Antony Onamu Correct Answer: B. Enforce the existing retention schedule and require a formal exception with risk acceptance

Explanation (CISSP logic): Retention schedules exist to limit liability, storage cost, and privacy exposure. "Just in case" is not a lawful basis to retain personal data, and over-retention increases breach impact and regulatory risk (GDPR, CCPA minimization principles). Any deviation must follow a documented exception process with the accountable risk owner signing off.

Breakdown:
A. Longer retention increases discovery scope and breach blast radius; it doesn't reduce legal risk.
B. ✅ Correct. Upholds policy, forces accountability, and routes the deviation through governance.
C. Cold storage solves cost, not the underlying policy violation or privacy exposure.
D. Legal is a stakeholder, not the decision authority for routine retention; punting delays without resolving the governance issue.

Think like a manager: Data you don't need is liability you can't insure. Retention is a control, not a convenience.
CISSP Practice Question (Domain 4: Communication and Network Security)
Your organization is migrating critical workloads to a hybrid cloud. The network team proposes extending the existing flat internal VLAN into the cloud VPC to simplify routing and accelerate the cutover. As the security architect, what is the BEST response?

A. Approve, provided IPsec tunnels encrypt all inter-site traffic
B. Require microsegmentation aligned to a Zero Trust reference architecture
C. Mandate east-west IDS sensors before the migration begins
D. Defer until a cloud access security broker (CASB) is deployed

Come back for the answer tomorrow, or study more now!
1 like • 4d
@Allison Regan Correct Answer: B. Require microsegmentation aligned to a Zero Trust reference architecture

Explanation (CISSP logic): Extending a flat VLAN into the cloud propagates the existing trust boundary problem and violates least common mechanism. CISSP Domain 4 expects the architect to redesign trust zones during migration, not preserve legacy assumptions. Microsegmentation enforced under Zero Trust principles addresses the root cause: implicit trust between workloads.

Breakdown:
A. Encryption protects data in transit but does nothing about lateral movement once an attacker is inside the trusted segment.
B. ✅ Correct. Establishes identity-based, per-workload trust boundaries appropriate for hybrid cloud.
C. East-west IDS is a detective control bolted onto a flawed design; you're monitoring a problem you should have architected away.
D. A CASB governs SaaS and user-to-cloud activity, not internal workload segmentation in a VPC.

Think like a manager: Don't extend yesterday's trust model into tomorrow's architecture. Redesign the boundary, then encrypt and monitor inside it.
CISSP Practice Question (Domain 3: Security Architecture - AI/ML Systems)
Your firm is procuring a third-party LLM to summarize client contracts containing privileged legal data. The vendor's standard agreement permits using customer inputs to improve their model. What should the security architect recommend FIRST?

A. Negotiate a contract addendum prohibiting input use for model training
B. Conduct a data flow and risk assessment to classify exposure boundaries
C. Require the vendor to deploy a tenant-isolated model instance
D. Implement DLP controls to redact privileged content before submission

Come back for the answer tomorrow, or study more now!
1 like • 8d
@Antony Onamu Correct Answer: B. Conduct a data flow and risk assessment to classify exposure boundaries

Explanation (CISSP logic): You cannot negotiate, architect, or control what you have not yet assessed. Domain 3 and the ISC2 AI Exam Guidance both anchor AI procurement in "assess before you act": identify what data crosses the trust boundary, what classification it carries, and what regulatory or privilege obligations attach. Privileged legal data adds attorney-client and potential cross-border concerns that change the entire control conversation. Skip the assessment and every downstream control is guesswork.

Breakdown:
A. Contract addendum - Strong governance move, but you cannot draft meaningful contract language without first knowing what data is in scope and what risk you are transferring.
B. ✅ Correct. Establishes the data classification, trust boundary, and regulatory exposure that drive every subsequent control decision.
C. Tenant-isolated model - A solid architectural control, but it is an implementation answer to a question that has not yet been assessed. Right step, wrong sequence.
D. DLP redaction - Useful operational control, but redacting privileged content from contract summaries often defeats the business purpose. Premature without a risk decision.

Think like a manager: Assess the data, then architect the deal. Controls without context are just expensive guesses.
CISSP Practice Question (Domain 7: Security Operations - Cloud Incident Response)
A developer's leaked API key is used to spin up 400 cryptocurrency mining instances in your AWS account overnight. The monthly bill is now $180K over budget. What should the incident responder do FIRST?

A. Terminate all unauthorized instances to stop the financial bleeding
B. Rotate the compromised API key and disable the associated IAM user
C. Snapshot the instances and preserve CloudTrail logs for forensic analysis
D. Contact AWS billing to request a fraud-related credit

Come back for the answer tomorrow, or study more now!
0 likes • 9d
@Ms. Marlow Correct Answer: C. Snapshot the instances and preserve CloudTrail logs for forensic analysis

Explanation (CISSP logic): The financial pain is loud, but evidence preservation comes first. Domain 7 sequencing is Detect → Respond → Preserve → Contain → Eradicate → Recover. Terminating instances or rotating keys before capturing volatile state destroys the forensic trail you need to scope the breach, prove fraud to AWS, and satisfy legal/insurance requirements. Containment without evidence is a self-inflicted wound.

Breakdown:
A. Terminate instances - Stops the bleeding but destroys volatile memory, attacker artifacts, and lateral movement evidence. Cost panic is not an IR principle.
B. Rotate the key - Necessary, but doing it first tips off the attacker and may trigger destructive scripts before you've captured state.
C. ✅ Correct. Snapshots and CloudTrail preserve the chain of custody, enable root cause analysis, and support the AWS fraud claim and any legal action.
D. Contact AWS billing - A finance recovery step, not an incident response step. Premature without an evidence package to substantiate the fraud claim.

Think like a manager: Preserve before you purge. The bill can be negotiated; destroyed evidence cannot be recovered.
Vincent Primiani
Cybersecurity. The Study Group Guy.

Joined Apr 29, 2024
New York, NY