
Memberships

CISSP Study Group

1.8k members • Free

5 contributions to CISSP Study Group
CISSP Practice Question (Domain 3: Security Architecture & Engineering / Cryptographic Key Management)
A global enterprise is transitioning from long-term symmetric encryption keys to an automated key rotation system using hardware security modules (HSMs). During the rollout, application owners express concern that frequent rotation may disrupt legacy integrations and availability. What should the security architect do FIRST?
A. Enforce the new key-rotation policy across all systems immediately
B. Perform a risk assessment to evaluate availability impact and integration dependencies
C. Allow legacy systems to retain long-term keys indefinitely
D. Delay implementation until all applications are modernized
1 like • 2d
B
CISSP Practice Question (Domain 8: Software Development Security / CI-CD Pipeline Controls)
An organization integrates automated security testing into its CI/CD pipeline. Shortly after deployment, build times increase significantly, and developers begin bypassing security checks to meet release deadlines. Senior management is concerned about both security and delivery velocity. What should the security lead do FIRST?
A. Disable automated security testing to restore build speed
B. Tune and prioritize security tests based on risk and criticality
C. Enforce strict policy violations and discipline developers
D. Move security testing entirely to post-deployment monitoring
1 like • 2d
B
CISSP Practice Question (Domain 1: Security & Risk Management / Risk Acceptance)
A business unit requests an exception to bypass multifactor authentication for a legacy system that cannot support it without a costly upgrade. The system processes sensitive but non-regulated data, and no active exploits are known. What should the security manager do FIRST?
A. Deny the request and mandate immediate MFA implementation
B. Perform a risk assessment and formally document risk acceptance
C. Approve the exception indefinitely due to technical limitations
D. Compensate by increasing network monitoring without documentation
1 like • 2d
B
CISSP Practice Question (Security Architecture and Engineering - Hard):
Your organization is in the process of integrating embedded systems into its existing architecture to support various IoT initiatives. During the planning phase, the organization needs to ensure these systems can operate securely within its infrastructure. Which of the following is the most effective strategy to mitigate security risks associated with embedded systems within this context?
Options:
A. Implement full monitoring and security control implementation similar to traditional IT systems.
B. Allow peer-to-peer communication between embedded systems for greater flexibility.
C. Limit access and communications to devices and isolate them on dedicated networks.
D. Regularly update embedded devices' firmware using over-the-air updates to ensure current security patches are applied.
(answer tomorrow, study more now with CISSP.app!)
1 like • Oct 20
A. Why is full monitoring and control not better than limiting access?
CISSP Practice Question – Legal & Regulatory Compliance (Data Privacy)
A U.S.-based company provides cloud storage services to European customers. Personal data from EU citizens is processed and stored on servers located in the United States. Under the EU General Data Protection Regulation (GDPR), what is the PRIMARY legal requirement before transferring this data outside the EU?
A. Encrypt the data before transmitting it to ensure confidentiality in transit.
B. Notify EU supervisory authorities within 72 hours of each cross-border data transfer.
C. Establish an approved transfer mechanism such as Standard Contractual Clauses or Binding Corporate Rules.
D. Obtain the explicit consent of every data subject prior to data transfer.
1 like • Oct 15
C
Bhavesh Shah
2
15 points to level up
@bhavesh-shah-7458
New Product Introduction (NPI) leader with numerous successes in Cybersecurity, Cloud and Network Health Management domains.

Active 2d ago
Joined Apr 4, 2025