99 contributions to CISSP Study Group
CISSP Practice Question (Domain 4: Communication and Network Security)
A remote workforce uses split-tunnel VPN to reduce bandwidth costs. The security team discovers employees are accessing sanctioned SaaS applications directly from home networks, bypassing the corporate proxy and DLP controls. Management values the current performance gains. What is the MOST appropriate recommendation? A. Switch to full-tunnel VPN to route all traffic through corporate controls B. Deploy a cloud-based secure web gateway to enforce policy at the endpoint C. Accept the risk and document the DLP gap as a known exception D. Restrict SaaS access to corporate-managed devices only Come back for the answer tomorrow, or study more now!
0 likes • 1d
A. Switch to full-tunnel VPN to route all traffic through corporate controls (As the split-tunnel VPN was selected to reduce cost as a business decision, full-tunnel VPN will increase cost, which will cause diversion of funds from business to security, violating the principle of reasonable security). B. Deploy a cloud-based secure web gateway to enforce policy at the endpoint (best recommendation balancing security, performance and cost for SaaS remote access). C. Accept the risk and document the DLP gap as a known exception (The security lead should suggest the appropriate cost-effective balanced solution for security and business rather than straight away accepting the risk). D. Restrict SaaS access to corporate-managed devices only (DLP and proxy controls are still bypassed even on managed devices. Although leadership can restrict, it has business impact and will not eradicate the root cause of the problem).
CISSP Practice Question (Domain 3: Security Architecture and Engineering)
Your organization is migrating legacy on-premises applications to a multi-cloud environment. The security team discovers that several applications use hardcoded service account credentials that cannot be easily refactored before the migration deadline. Business leadership refuses to delay the timeline. What is the BEST approach? A. Migrate as planned and prioritize credential refactoring in the next sprint B. Implement secrets management and network segmentation around the vulnerable applications C. Present the risk formally to leadership with compensating control options and timeline impacts D. Reject the migration for applications with hardcoded credentials until remediation is complete Come back for the answer tomorrow, or study more now!
1 like • 2d
A. Migrate as planned and prioritize credential refactoring in the next sprint (As business leadership refuses to delay the timeline, without formal risk acceptance by them, and you being the security consultant / advisor suggesting remediation measures, blind migration is not advisable). B. Implement secrets management and network segmentation around the vulnerable applications (Compensating controls are sometimes implemented as weak, temporary stopgaps rather than robust alternatives. Regulatory frameworks take them as a last resort; these controls are occasionally ineffective when they fail to meet the "rigor and intent" of the primary controls). C. Present the risk formally to leadership with compensating control options and timeline impacts (Keeping the above explanation of option 'B' in view, option 'C' is best aligned with security governance as a business enabler). D. Reject the migration for applications with hardcoded credentials until remediation is complete (An overly rigid approach is a business-unfriendly action without formal risk acceptance or otherwise by the leadership, who is the ultimate risk owner; moreover, remediation is not immediate because refactoring is not easy, as mentioned in the scenario).
0 likes • 3d
🚫 Deterrence
Discourages unauthorized actions before they happen. Examples: Warning signs, visible CCTV, security guards, perimeter fencing.
🔒 Denial
Prevents unauthorized access entirely. Examples: Locked doors, biometric access, turnstiles, security barriers.
👁️ Detection
Identifies suspicious or unauthorized activity when prevention fails. Examples: Motion sensors, IDS/IPS, alarms, SIEM alerts.
⏳ Delay
Slows attackers down to give responders time to act. Examples: Mantraps, reinforced doors, security glass, layered locks.
🔍 Determine
Analyzes what is happening, how serious it is, and what’s impacted. Examples: SOC analysts reviewing logs, camera feeds, and alerts.
⚡ Decide
Triggers the right response based on the assessment. Examples: Incident response teams isolating systems, escalating alerts, or engaging law enforcement.
0 likes • 3d
Contrary to the above 6 D's, do the 5 D's of physical security (Deter, Detect, Deny, Delay, and Defend) not conform to the CBK?
CISSP Practice Question (Domain 1: Security and Risk Management)
During a third-party risk assessment, you discover a critical SaaS vendor stores customer data in a jurisdiction that conflicts with your organization's data residency requirements. The vendor scores well on every other security benchmark. The contract renewal deadline is in two weeks. What should you do FIRST? A. Require the vendor to migrate data to a compliant region before renewal B. Engage legal counsel to assess regulatory exposure and contractual options C. Renew the contract with an addendum requiring future data residency compliance D. Begin evaluating alternative vendors that meet data residency requirements Come back for the answer tomorrow, or study more now!
1 like • 3d
A. Require the vendor to migrate data to a compliant region before renewal (best suggestion for continued operation / renewal of the imminently expiring contract; however, it requires contract review as mentioned in option 'B'). B. Engage legal counsel to assess regulatory exposure and contractual options (For contractual and regulatory matters falling in the legal domain, "call the attorney" is the best option before proceeding further (option A/C) as per GRC). C. Renew the contract with an addendum requiring future data residency compliance (Renewal of the contract depends on the outcome of option 'B', either remediation or termination). D. Begin evaluating alternative vendors that meet data residency requirements (This option is also implementable depending on the outcome of option 'B', if renewal of the contract with the previous contractor is not recommended following failure to comply with data residency requirements).
Passed CCSP @ 100 Questions on 3/10/26 (cissp.app helped!)
Hi All, I used this group heavily for my CISSP studying last year. This year I studied for the CCSP, so I did not participate in the group. However, I used the https://cissp.app/ app in the last week for practice questions and the mock exam feature. It is excellent! The mock exam was the hardest and most realistic of all the practice exams I took for the CCSP. It is adaptive based on your responses and has a similar style to the real exam, where you can't make sense of the question or answers until rereading a few times. I highly recommend it!
2 likes • 4d
congrats
Hassan Na
CISSP aspirant, ISC2 CC
Joined Dec 7, 2025