Memberships

CISSP Study Group

1.8k members • Free

6 contributions to CISSP Study Group
CISSP Practice Question (Domain 6: Security Assessment & Testing / Penetration Testing Governance)
A penetration test identifies a critical vulnerability in a customer-facing application, but exploitation would require downtime during peak business hours. The business requests delaying remediation until the next quarterly release. What should the security manager do FIRST?
A. Accept the risk and document the delay as requested
B. Perform a risk assessment and present impact analysis to business leadership
C. Immediately remediate the vulnerability despite business objections
D. Disable the affected application until remediation is complete
2 likes • 22h
B is more reasonable with less business impact
CISSP Practice Question (Domain 1: Security & Risk Management / Risk Acceptance)
A business unit requests an exception to bypass multifactor authentication for a legacy system that cannot support it without a costly upgrade. The system processes sensitive but non-regulated data, and no active exploits are known. What should the security manager do FIRST?
A. Deny the request and mandate immediate MFA implementation
B. Perform a risk assessment and formally document risk acceptance
C. Approve the exception indefinitely due to technical limitations
D. Compensate by increasing network monitoring without documentation
2 likes • 3d
B looks appropriate as risk acceptance
CISSP Practice Question (Domain 8: Software Development Security / CI-CD Pipeline Controls)
An organization integrates automated security testing into its CI/CD pipeline. Shortly after deployment, build times increase significantly, and developers begin bypassing security checks to meet release deadlines. Senior management is concerned about both security and delivery velocity. What should the security lead do FIRST?
A. Disable automated security testing to restore build speed
B. Tune and prioritize security tests based on risk and criticality
C. Enforce strict policy violations and discipline developers
D. Move security testing entirely to post-deployment monitoring
2 likes • 4d
B looks most appropriate
CISSP Practice Question (Domain 4: Communication & Network Security / Zero Trust Architecture)
An organization adopts a Zero Trust model and removes implicit trust between internal network segments. Shortly after deployment, several business-critical applications experience latency and intermittent access failures. Leadership questions whether the Zero Trust initiative should be rolled back. What should the security architect do FIRST?
A. Roll back Zero Trust controls to restore application performance
B. Perform a targeted assessment to identify policy enforcement points causing disruption
C. Permanently whitelist affected applications to bypass Zero Trust controls
D. Escalate the issue to vendors to redesign the Zero Trust architecture
2 likes • 5d
B
CISSP Practice Question (Domain 2: Asset Security / Data Lifecycle & Retention)
An organization migrating legacy file shares to a cloud collaboration platform discovers that several datasets contain regulated records with no documented retention periods or data owners. The business wants immediate migration to meet a project deadline. What should the security manager do FIRST?
A. Migrate the data and address ownership and retention after cutover
B. Identify data owners and define retention requirements before migration
C. Apply default retention policies to all datasets to avoid delay
D. Escalate the issue to legal and halt the migration indefinitely
2 likes • 6d
B
Dj Sahoo
@dj-sahoo-9937
Joined Dec 12, 2025