CISSP Practice Question (Domain 7: Security Operations / Supply Chain Risk)
An enterprise discovers that a widely used third-party monitoring agent embedded in multiple production servers has begun making undocumented outbound connections to an IP range controlled by a subcontractor the enterprise has never engaged.
The agent is critical for operational visibility, and disabling it would blind several detection controls. No malicious activity has been confirmed, but threat intelligence reports suggest recent supply chain compromises involving similar agents.
What should the security manager do FIRST?
A. Immediately isolate all hosts running the agent from the network
B. Conduct a rapid supplier risk reassessment and verify the legitimacy of the subcontractor relationship
C. Disable the agent across production to eliminate potential exfiltration
D. Escalate directly to regulators due to potential third-party data exposure
Vincent Primiani
CISSP Study Group
skool.com/cybersecurity-study-group