
Memberships

Breathe Bitch Wellness

126 members • Free

Cyber Careers Community

2.9k members • Free

CISSP Study Group

1.8k members • Free

M.O.Mentum

33 members • Free

66 contributions to CISSP Study Group
CISSP Practice Question (Domain 3: Security Architecture and Engineering)
A financial institution implements a workflow system where users submit transactions, an application service validates them, and a separate approval service finalizes execution. Auditors require proof that users cannot bypass the workflow or modify transactions directly in the database. What is the MOST appropriate architectural control to meet this requirement?
A. Mandatory access control enforced at the database layer
B. Constrained interfaces enforcing well-formed transactions
C. Role-based access control with least privilege assignments
D. Dual control requiring two administrators for approvals
Come back for the answer tomorrow, or study more now!
1 like • 1d
b- guarantee that users cannot bypass the workflow or modify transactions directly in the database
CISSP Practice Question (Domain 1: Security and Risk Management)
Senior leadership wants to launch a new customer analytics platform that processes regulated personal data. The CISO identifies control gaps that exceed the organization’s stated risk appetite, but executives are pushing for speed to market. What is the MOST appropriate action for the CISO to take NEXT?
A. Document the risk and accept it to support business objectives
B. Implement compensating controls within the security team
C. Escalate the risk to senior management for formal risk acceptance
D. Delay the project until all identified risks are fully mitigated
Come back for the answer tomorrow! Study more now at CISSP.app
1 like • 4d
c
CISSP Practice Question (Domain 1: Security & Risk Management / Risk Acceptance)
A business unit requests an exception to bypass multifactor authentication for a legacy system that cannot support it without a costly upgrade. The system processes sensitive but non-regulated data, and no active exploits are known. What should the security manager do FIRST?
A. Deny the request and mandate immediate MFA implementation
B. Perform a risk assessment and formally document risk acceptance
C. Approve the exception indefinitely due to technical limitations
D. Compensate by increasing network monitoring without documentation
0 likes • 8d
b
CISSP Practice Question (Domain 6: Security Assessment & Testing / Penetration Testing Governance)
A penetration test identifies a critical vulnerability in a customer-facing application, but exploitation would require downtime during peak business hours. The business requests delaying remediation until the next quarterly release. What should the security manager do FIRST?
A. Accept the risk and document the delay as requested
B. Perform a risk assessment and present impact analysis to business leadership
C. Immediately remediate the vulnerability despite business objections
D. Disable the affected application until remediation is complete
1 like • 8d
b
CISSP Practice Question (Domain 6: Security Assessment & Testing / Continuous Monitoring)
An organization replaces periodic vulnerability scans with a continuous exposure-management platform that automatically adjusts risk scores based on real-time threat intelligence. During an internal audit, leadership asks whether this approach still satisfies regulatory expectations for formal security assessments. What should the security manager do FIRST to address this concern?
A. Map continuous monitoring outputs to regulatory assessment requirements
B. Resume scheduled vulnerability scans to avoid audit findings
C. Request written approval from regulators for the new approach
D. Disable automated risk scoring and rely on static assessments
1 like • 17d
A
Faith Gambrill
@faith-gambrill-7988
Cyber policy analyst master in cyber investigation

Active 12h ago
Joined Dec 13, 2024