
Owned by Vincent

CISSP Study Group

2k members • Free

Share resources, get advice, and connect with peers studying cybersecurity. Join our CISSP study group and connect with fellow professionals today!

OpenAI Study Group

1 member • Free

Share resources, get advice, and connect with peers studying for OpenAI certifications! Join our Study Group and meet fellow professionals today!

Memberships

CyberMAYnia CAREER

350 members • Free

Skoolers

189.7k members • Free

749 contributions to CISSP Study Group
CISSP Practice Question (Domain 4: Communication and Network Security)
A remote workforce uses split-tunnel VPN to reduce bandwidth costs. The security team discovers employees are accessing sanctioned SaaS applications directly from home networks, bypassing the corporate proxy and DLP controls. Management values the current performance gains. What is the MOST appropriate recommendation?

A. Switch to full-tunnel VPN to route all traffic through corporate controls
B. Deploy a cloud-based secure web gateway to enforce policy at the endpoint
C. Accept the risk and document the DLP gap as a known exception
D. Restrict SaaS access to corporate-managed devices only

Come back for the answer tomorrow, or study more now!
CISSP Practice Question (Domain 3: Security Architecture and Engineering)
Your organization is migrating legacy on-premises applications to a multi-cloud environment. The security team discovers that several applications use hardcoded service account credentials that cannot be easily refactored before the migration deadline. Business leadership refuses to delay the timeline. What is the BEST approach?

A. Migrate as planned and prioritize credential refactoring in the next sprint
B. Implement secrets management and network segmentation around the vulnerable applications
C. Present the risk formally to leadership with compensating control options and timeline impacts
D. Reject the migration for applications with hardcoded credentials until remediation is complete

Come back for the answer tomorrow, or study more now!
2 likes • 2d
@Dj Sahoo Correct Answer: C. Present the risk formally to leadership with compensating control options and timeline impacts

Explanation (CISSP logic): Leadership already made a business decision to hold the timeline. Security's job now is to ensure that decision is an informed one. Hardcoded credentials in a multi-cloud environment dramatically expand the blast radius if compromised, but unilaterally blocking the migration or silently migrating known vulnerabilities are both governance failures. The CISSP approach is to formally communicate the risk, propose compensating controls, and let leadership decide with full visibility. This is risk communication, not risk avoidance.

Breakdown:
A. Migrate and fix later - This is "hope as a strategy." You're knowingly pushing vulnerable applications into a broader attack surface with no documented risk acceptance. If a breach occurs, there's no paper trail showing leadership was informed.
B. Secrets management and segmentation - Strong technical answer and likely part of the compensating control proposal, but implementing controls without formal risk communication skips governance. Who authorized the cost, scope, and residual risk?
C. ✅ Correct. Formalizes the risk, gives leadership options, and preserves accountability. Whether they accept, mitigate, or adjust the timeline, the decision is documented and owned.
D. Reject the migration - Security doesn't have veto authority over business decisions. Blocking a leadership-approved initiative without escalation is overstepping your role.

Think like a manager: When the business says "go" and security sees danger, your job isn't to block the road. It's to put up the warning signs and make sure the driver knows exactly what's ahead.
CISSP Practice Question (Domain 1: Security and Risk Management)
During a third-party risk assessment, you discover a critical SaaS vendor stores customer data in a jurisdiction that conflicts with your organization's data residency requirements. The vendor scores well on every other security benchmark. The contract renewal deadline is in two weeks. What should you do FIRST?

A. Require the vendor to migrate data to a compliant region before renewal
B. Engage legal counsel to assess regulatory exposure and contractual options
C. Renew the contract with an addendum requiring future data residency compliance
D. Begin evaluating alternative vendors that meet data residency requirements

Come back for the answer tomorrow, or study more now!
1 like • 3d
@Dj Sahoo Correct Answer: B. Engage legal counsel to assess regulatory exposure and contractual options

Explanation (CISSP logic): Data sovereignty conflicts are legal and regulatory problems before they are technical or procurement problems. You have a two-week deadline, a vendor you otherwise trust, and a jurisdictional conflict that could carry fines, enforcement actions, or contractual liability. Before you demand migration, renew with conditions, or start a vendor search, you need to understand what your actual exposure is. Legal counsel determines whether this is a hard regulatory violation or a manageable contractual gap. That assessment drives every decision that follows.

Breakdown:
A. Require data migration before renewal - Sounds decisive, but two weeks is almost certainly not enough time for a data migration. You're also making demands without understanding whether the contract gives you leverage to enforce them.
B. ✅ Correct. Legal defines the risk landscape. Are you in violation today? What are the penalties? Does the current contract have data residency clauses you can enforce? You can't make an informed decision without these answers.
C. Renew with a compliance addendum - This kicks the can down the road. You're signing a contract while knowingly in a potentially non-compliant state. If regulators come knocking, "we added an addendum" is not a strong defense.
D. Evaluate alternative vendors - Prudent long-term, but not the first step. Starting a vendor search before understanding your legal position wastes time and may be unnecessary if the situation is contractually resolvable.

Think like a manager: When proprietary data crosses a border, your first call is to legal, not to engineering or procurement. Understand your exposure before you act on it.
0 likes • 4d
Altonnn!!! That's alright man. We are here for ya.
CISSP Practice Question (Domain 8: Software Development Security)
A development team integrates a third-party open-source library that processes customer PII. Six months later, a critical vulnerability is disclosed in that library. The vendor has not released a patch. Business stakeholders resist removing the library because it powers a revenue-generating feature. What is the MOST appropriate action?

A. Implement compensating controls around the vulnerable component and document the accepted risk
B. Fork the library and develop an internal patch
C. Escalate to the risk owner for a formal risk acceptance decision
D. Immediately remove the library and disable the affected feature

Come back for the answer tomorrow, or study more now!
0 likes • 4d
@Ivo Mulders Correct Answer: C. Escalate to the risk owner for a formal risk acceptance decision

Explanation (CISSP logic): This is a textbook governance-versus-engineering trap. You have a known vulnerability, no vendor patch, and business pressure to keep the feature running. The CISSP answer is never for the security team to unilaterally accept risk or make business continuity decisions. That authority belongs to the risk owner. Domain 1 and Domain 8 intersect here: the risk owner must weigh the exposure against business value and formally decide whether to accept, mitigate, or avoid. Everything else flows from that decision.

Breakdown:
A. Compensating controls and document risk - Sounds mature, but who authorized accepting this risk? The security team is making a business decision without the authority to do so. Compensating controls may follow, but only after the risk owner decides.
B. Fork and patch internally - Technically proactive, but introduces maintenance burden, potential licensing issues, and still skips the governance step. You're assuming the decision has already been made.
C. ✅ Correct. The risk owner has the authority and accountability to make this call. They may choose compensating controls, removal, or formal acceptance, but it's their decision to make.
D. Remove the library immediately - Respects security but ignores business impact. Unilaterally killing a revenue feature without executive sign-off is a career-ending move and a governance failure.

Think like a manager: Security identifies risk. The risk owner decides what to do about it. Never confuse advisory authority with decision authority.
Vincent Primiani
Level 7 (5,147 points to level up)
Cybersecurity. The Study Group Guy.

Active 2d ago
Joined Apr 29, 2024
New York, NY