During a third-party risk assessment, you discover a critical SaaS vendor stores customer data in a jurisdiction that conflicts with your organization's data residency requirements. The vendor scores well on every other security benchmark. The contract renewal deadline is in two weeks. What should you do FIRST? A. Require the vendor to migrate data to a compliant region before renewal B. Engage legal counsel to assess regulatory exposure and contractual options C. Renew the contract with an addendum requiring future data residency compliance D. Begin evaluating alternative vendors that meet data residency requirements Come back for the answer tomorrow, or study more now!

Your organization's risk register is maintained by a single senior analyst who built custom scoring formulas undocumented outside his workstation. He announces his resignation with two weeks notice. The next quarterly risk review is in three weeks. What should you do FIRST? A. Hire a replacement analyst before the departing employee's last day B. Conduct an immediate knowledge transfer to document the scoring methodology C. Postpone the quarterly risk review until a replacement is onboarded D. Assign the risk register to the internal audit team as an interim measure Come back for the answer tomorrow, or study more now!

4th Time

A developer commits API credentials into a public repository and immediately deletes the commit. The security team discovers the credentials are still visible in the repository's commit history. The API provides read access to customer records. What should you do FIRST? A. Purge the commit history to remove the exposed credentials from the repository B. Revoke and rotate the compromised API credentials immediately C. Scan customer records for evidence of unauthorized access using the exposed keys D. Implement pre-commit hooks to prevent future credential exposure in repositories Come back for the answer tomorrow, or study more now!

A development team integrates a third-party open-source library that processes customer PII. Six months later, a critical vulnerability is disclosed in that library. The vendor has not released a patch. Business stakeholders resist removing the library because it powers a revenue-generating feature. What is the MOST appropriate action? A. Implement compensating controls around the vulnerable component and document the accepted risk B. Fork the library and develop an internal patch C. Escalate to the risk owner for a formal risk acceptance decision D. Immediately remove the library and disable the affected feature Come back for the answer tomorrow, or study more now!