700 contributions to CISSP Study Group
CISSP Practice Question (Domain 1: Security and Risk Management)
An organization's CISO discovers that a third-party SaaS vendor processing customer PII has been acquired by a foreign company. The acquiring company is headquartered in a jurisdiction with government data access laws that conflict with the organization's regulatory obligations under GDPR. The vendor contract has 18 months remaining. What should the CISO do FIRST?
A. Invoke the contract's termination-for-convenience clause and begin immediate vendor transition planning
B. Conduct a risk assessment to evaluate the change in data sovereignty exposure and regulatory compliance impact
C. Require the vendor to migrate all customer data to data centers located within approved jurisdictions
D. Notify the Data Protection Authority and affected customers of the potential cross-border data transfer
Come back for the answer tomorrow, or study more now!
CISSP Practice Question (Domain 8: Software Development Security)
A development team integrates a generative AI coding assistant that was trained on public repositories. The tool accelerates feature delivery but occasionally references deprecated libraries. Legal warns that AI-generated code may contain license violations or expose proprietary logic if the model was trained on leaked internal code. What should the security manager do FIRST?
A. Engage legal counsel to review the AI vendor's training data sources and contractual indemnification clauses
B. Implement software composition analysis (SCA) and require all AI-generated code to be digitally signed before commit
C. Restrict the AI tool's access to internal repositories and enforce output review through secure-coding peer validation
D. Retrain or fine-tune the AI model using only vetted, license-compliant code from approved sources
1 like • 16h
@Shane Symons I don't see a specific "style" format saved from our previous conversations. Could you share the answer style/template you'd like me to use, or would you like me to answer this in a standard CISSP exam prep format? In the meantime, here's my analysis:
Correct Answer: A
Why A is correct: This is fundamentally a governance and risk management issue before it becomes a technical control issue. The FIRST action must address the legal and contractual exposure — understanding what the organization is liable for, what indemnification exists, and whether the training data creates IP/licensing risk. You can't implement effective controls until you understand the actual risk landscape.
Why the others are wrong:
- B (SCA + signing): Good technical controls, but implementing them before understanding the legal exposure puts the cart before the horse. What if the vendor agreement already indemnifies you? What if the tool is fundamentally unusable due to licensing?
- C (Restrict access + peer review): Operational control that mitigates symptoms but doesn't address root cause. Also, "FIRST" implies sequencing — you'd implement this after understanding your risk posture.
- D (Retrain/fine-tune): Assumes you own or control the model. Most organizations use third-party AI assistants — retraining isn't typically an option, and even if it were, it's expensive and time-consuming.
CISSP Lens: Domain 8 intersects heavily with governance here. The question tests whether you recognize that risk assessment and legal due diligence precede technical controls in the risk management lifecycle.
CISSP Practice Question (Domain 2: Asset Security)
An organization allows multiple business units to deploy their own AI agents using shared enterprise data lakes. Each unit claims ownership of its AI outputs, while data sources remain centrally managed. A dispute arises after an AI-generated report exposes sensitive correlations between departments. What is the MOST appropriate action to take FIRST?
A. Reclassify the AI-generated outputs under the highest data sensitivity level
B. Clarify and formally assign data ownership and stewardship for AI-derived assets
C. Segregate AI workloads by business unit to prevent cross-correlation
D. Implement stronger access controls on the shared data lake
Come back for the answer tomorrow, or study more now!
1 like • 2d
Answer: B
The correct answer is B: Clarify and formally assign data ownership and stewardship for AI-derived assets.
Explanation: This question emphasizes taking action "FIRST" in response to a data governance conflict. The scenario presents a situation where multiple business units claim ownership of AI outputs generated from centrally managed data, resulting in a data privacy dispute. CISSP Domain 2: Asset Security focuses on protecting organizational assets, including data governance and stewardship. When an AI governance conflict arises, the FIRST priority must be establishing clear ownership and accountability structures.
Why B is correct:
- Governance comes FIRST: Before implementing technical controls, reclassification, or segregation, you must establish who owns what. This is foundational to all other security measures.
- Establishes accountability: Once ownership is clear, you can determine who is responsible for data classification, access controls, and breach response.
- Prevents future conflicts: Formal assignment prevents competing claims and establishes a single source of truth for data stewardship.
Why the other options are incorrect:
- A (Reclassify): This is a consequence of establishing ownership, not the first action. You cannot properly classify AI outputs without knowing who owns them.
- C (Segregate): Segregation is a technical control that addresses symptoms, not the root governance problem.
- D (Access controls): Implementing access controls before clarifying ownership is like changing locks on a house where ownership is disputed—it doesn't resolve the fundamental issue.
This aligns with the principle that governance precedes controls in the CISSP framework.
CISSP Practice Question (Domain 1: Security and Risk Management)
An organization deploys an AI system that recommends layoffs and budget cuts based on financial and productivity data. Executives approve its use but do not fully understand its decision logic. The recommendations align with profits but raise ethical and reputational concerns internally. What is the MOST appropriate action for the security leader?
A. Require human review of all AI-generated workforce decisions
B. Document the risk acceptance and ethical considerations in governance records
C. Suspend the AI system until explainability requirements are met
D. Conduct a privacy impact assessment focused on employee data
Come back for the answer tomorrow, or study more now!
CISSP Practice Question (Domain 3: Security Architecture and Engineering)
A financial services company needs to share highly sensitive customer transaction data with a third-party analytics provider. The company's legal department mandates that the third party must be able to perform statistical analysis on the data, but the data must remain encrypted at all times, including while it is being processed by the provider's algorithms, to ensure the company never loses control over the plaintext. What is the MOST appropriate cryptographic solution to meet this requirement?
A. Symmetric encryption using AES-256 with a managed Key Vault
B. Asymmetric encryption using RSA-4096 with Perfect Forward Secrecy
C. Homomorphic encryption
D. Quantum-resistant cryptography
2 likes • 7d
@Harrison Efijemue The correct answer is C. Homomorphic encryption.
The CISSP Logic
This question tests your knowledge of Data-in-Use protection and emerging cryptographic technologies.
- The Technical Constraint: The prompt specifies that the data must remain encrypted while it is being processed.
- The Limitation of Traditional Crypto: Standard symmetric (AES) and asymmetric (RSA) encryption require data to be decrypted into plaintext within a system's memory (RAM) before a CPU can perform mathematical operations on it. This creates a "window of vulnerability" where a compromised server or a malicious insider at the third party could access the plaintext.
- Why Homomorphic Encryption is Correct: This is a specialized category of encryption that allows computations to be performed directly on ciphertext. The resulting ciphertext, when decrypted by the data owner, matches the result of the operations as if they had been performed on the original plaintext. This perfectly satisfies the legal requirement of never losing control over the plaintext.
Distractor Analysis
- A. Symmetric encryption (AES-256): While AES is the gold standard for Data-at-Rest, the analytics provider would need the decryption key to perform any analysis. This would expose the plaintext to the third party, violating the mandate.
- B. Asymmetric encryption (RSA-4096): Primarily used for Data-in-Transit (key exchange and digital signatures), RSA also requires decryption before data processing.
- D. Quantum-resistant cryptography: These are algorithms designed to withstand attacks from future quantum computers (e.g., lattice-based cryptography). While it addresses future threats to Confidentiality, it does not provide the functional capability to process encrypted data.
Real-World Check
Homomorphic encryption is the "holy grail" of privacy-preserving analytics. While historically very slow and computationally expensive, it is seeing real-world adoption in:
Vincent Primiani
Cybersecurity. The Study Group Guy.
Joined Apr 29, 2024
New York, NY