The goal is to help Group members think like a CISSP professional (Think Like a Manager) by understanding governance, risk management, business alignment, and executive decision making. I hope you all enjoy reading it
Your company plans to adopt a third-party AI vendor to process regulated customer data. The vendor offers strong contractual indemnification but declines to share model documentation. What should the security leader do FIRST? A. Negotiate stronger audit rights into the contract B. Perform a vendor risk assessment against organizational risk appetite C. Require the vendor to obtain independent AI certification D. Pilot the tool with anonymized data to evaluate performance
Your organization fine-tuned a large language model on internal customer support records and deployed it as an employee-facing assistant. An internal audit is scheduled, and the audit committee asks you to demonstrate that the model cannot be induced to reveal sensitive training data. What is the MOST appropriate assessment approach? A. Perform static analysis of the model's source code and dependencies B. Conduct adversarial prompt testing designed to elicit training data memorization C. Validate that role-based access controls restrict who can query the model D. Review data classification labels applied to the fine-tuning dataset Come back for the answer tomorrow, or study more now!