Memberships

CISSP Study Group

1.7k members • Free

16 contributions to CISSP Study Group
CISSP Practice Question – Domain 4 (Communication & Network Security)
A global enterprise adopts a strict zero-trust network architecture. All workloads—on-prem, cloud, and containerized—must mutually authenticate before communicating. To comply with regulatory requirements, the company must also maintain full packet-level visibility for threat analysis and incident response. Which solution BEST satisfies all of these requirements simultaneously?
A. Deploy full end-to-end TLS between all workloads and rely on IDS/IPS to inspect only metadata and flow logs.
B. Use a TLS termination proxy at network choke points and decrypt all internal traffic for inspection before re-encrypting.
C. Implement mutual TLS within a service mesh that supports encrypted telemetry export and out-of-band traffic mirroring for deep packet inspection.
D. Use host-based agents to perform inline decryption on each workload and send decrypted payload streams to the central IDS via secure channels.
0 likes • 1d
C
CISSP Practice Question – Security Architecture & Engineering (Post-Quantum Risk & Long-Term Data Confidentiality)
A pharmaceutical company stores decades of proprietary research data in encrypted archives. Recent threat intelligence reports warn that several nation-state actors are collecting large volumes of encrypted data today (“harvest-now, decrypt-later”) in preparation for future quantum decryption capabilities. The company currently uses RSA-2048 for key exchange and AES-256 for bulk encryption. What is the MOST critical action to take to protect the long-term confidentiality of this archived data?
A. Increase RSA key length to 4096 bits to delay quantum-based decryption timelines.
B. Migrate to a hybrid post-quantum key-establishment scheme (e.g., classical + lattice-based) for future encryptions and begin re-encrypting high-value archives.
C. Deploy quantum-random number generators (QRNGs) to improve entropy for new cryptographic keys.
D. Implement HSM-protected symmetric keys with annual rotation to strengthen present-day cryptographic hygiene.
1 like • 2d
B. My thoughts: A. RSA is commonly used for data in transit; this is about data at rest. D is about key rotation and not about strengthening. Which leaves B or C. I would say B, as this combines traditional and future threats.
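An added illustration of the hybrid key establishment named in option B; this is example code written for this page, not part of the original post or of any CISSP material. It shows the concatenation-style combiner that hybrid schemes rely on: a classical shared secret and a post-quantum shared secret are fed together into HKDF (RFC 5869, implemented here on the standard library and checked against the RFC's first test vector), with both ciphertexts bound into the derivation. The shared secrets and ciphertexts are constructed stand-ins for real ECDH and ML-KEM outputs, and the label, function names and ciphertext sizes are assumptions. The point of the demo is the "harvest-now, decrypt-later" case: an adversary who recorded the exchange and later breaks the classical half still cannot derive the key-encryption key without the post-quantum half.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
LABEL = b"archive-kek-hybrid-v1"  # assumed domain-separation label; not from the post


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM); an empty salt is HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH().digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated to `length` bytes."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def rfc5869_test_case_1_ok() -> bool:
    """Self-check of the HKDF implementation against RFC 5869, Appendix A, test case 1."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def hybrid_combine(ss_classical: bytes, ss_pq: bytes,
                   ct_classical: bytes, ct_pq: bytes, length: int = 32) -> bytes:
    """Concatenation combiner: KEK = HKDF-Expand(HKDF-Extract(ss_classical || ss_pq), label || ciphertexts).

    Binding both ciphertexts into `info` ties the derived key to this particular exchange.
    The key is only recoverable by someone who knows BOTH shared secrets, so breaking the
    classical component alone (the quantum threat) does not expose the archive keys.
    """
    ikm = ss_classical + ss_pq
    prk = hkdf_extract(b"", ikm)
    info = LABEL + ct_classical + ct_pq
    return hkdf_expand(prk, info, length)


def harvest_now_decrypt_later_demo() -> dict:
    """Constructed scenario: random bytes stand in for real ECDH / ML-KEM shared secrets and ciphertexts."""
    ss_classical = secrets.token_bytes(32)   # stand-in for the classical (ECDH/RSA-transported) secret
    ss_pq = secrets.token_bytes(32)          # stand-in for the ML-KEM shared secret
    ct_classical = secrets.token_bytes(65)   # stand-in for the recorded classical public value
    ct_pq = secrets.token_bytes(1088)        # stand-in sized like an ML-KEM-768 ciphertext (assumed)

    kek = hybrid_combine(ss_classical, ss_pq, ct_classical, ct_pq)

    # Future adversary: recorded the whole exchange, later breaks the classical half and learns
    # ss_classical, but has no way to obtain ss_pq and can only guess it.
    attacker_kek = hybrid_combine(ss_classical, secrets.token_bytes(32), ct_classical, ct_pq)
    return {
        "kek": kek,
        "attacker_kek": attacker_kek,
        "attacker_recovered_kek": hmac.compare_digest(kek, attacker_kek),
    }


if __name__ == "__main__":
    print("HKDF matches RFC 5869 vector:", rfc5869_test_case_1_ok())
    result = harvest_now_decrypt_later_demo()
    print("KEK:", result["kek"].hex())
    print("attacker recovered KEK:", result["attacker_recovered_kek"])
```

In a real deployment the post-quantum secret comes from a library implementing FIPS 203 (ML-KEM) and the combiner follows a specified construction (the TLS hybrid draft or X-Wing, which also hashes the public key into the derivation); the structure above is the shared idea, not a standard to copy. The check still worth doing on any hybrid rollout is the one the demo makes explicit: confirm that the derived key changes when either shared secret changes, so no path through the KDF depends on the classical component alone.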
CISSP Practice Question – Domain 6: Security Assessment & Testing
A large financial services company is updating its security testing program. The red team reports that modern AI-driven attack tools can automatically craft polymorphic payloads, evade signature-based controls, and generate targeted spear-phishing content indistinguishable from human-written messages. The CISO wants to ensure that the organization’s security testing program can accurately measure resilience against these new capabilities. Which testing approach MOST effectively validates the organization’s defenses against AI-augmented attack techniques?
A. Perform quarterly vulnerability scans using updated threat signatures and CVE databases.
B. Conduct adversarial machine learning (AML) evaluations to measure susceptibility to model poisoning and evasion attacks.
C. Integrate AI-enabled BAS (Breach and Attack Simulation) tools that continuously replicate evolving attacker TTPs across email, endpoint, and network layers.
D. Run annual red-team exercises focused on social engineering and spear-phishing campaigns executed manually by trained personnel.
0 likes • 3d
C
CISSP Practice Question – Domain 2: Asset Security (Data Lifecycle, Cloud, and Zero Trust)
A multinational enterprise migrates sensitive analytics workloads to a cloud provider. The environment uses a zero-trust architecture, and encryption is enabled for data in transit and at rest. During a review, the CISO learns that several teams are using cloud-native analytics tools that temporarily decrypt and process customer PII inside managed service environments where the organization has no visibility into memory, caching, or key-handling operations. Which control is MOST critical to implement to maintain data-lifecycle protection under these conditions?
A. Enforce customer-managed encryption keys (CMEK) and prohibit provider-managed key usage.
B. Implement strict data-minimization and tokenization before data enters the cloud analytics pipeline.
C. Require all analytics tools to run only in containers where memory and cache can be fully inspected.
D. Mandate continuous CASB monitoring to detect shadow analytics workflows and unauthorized data feeds.
0 likes • 15d
B
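An added worked example of the control in option B, written for this page and not taken from the original post: data minimization and tokenization applied on-premises before a record enters the cloud analytics pipeline. Fields the analytics team does not need are dropped, join keys get deterministic keyed tokens (so joins across datasets still work in the cloud), free-text identifiers get random tokens, and only the on-premises vault can map a token back to the PII. The field policy, vault class, function names and sample records are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed field policy (assumed for this example): what the cloud pipeline may see.
POLICY = {
    "customer_id": "token_deterministic",  # join key: same value must map to the same token
    "email": "token_deterministic",        # also used for joins across datasets
    "full_name": "token_random",           # kept only for on-prem detokenization, never joined on
    "ssn": "drop",                         # minimization: analytics has no need for it
    "country": "keep",
    "purchase_total": "keep",
}

# Constructed sample input; two events from the same customer.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "full_name": "Alice Example",
     "ssn": "123-45-6789", "country": "NL", "purchase_total": 149.95},
    {"customer_id": "C-1001", "email": "alice@example.com", "full_name": "Alice Example",
     "ssn": "123-45-6789", "country": "NL", "purchase_total": 20.00},
]


class TokenVault:
    """On-premises vault: the only place a token can be turned back into PII.

    Deterministic tokens are keyed HMACs, so without the vault key nobody can recompute
    a token from a guessed value; random tokens are fresh per record and carry no linkage.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._token_to_value: Dict[str, str] = {}

    def tokenize(self, field: str, value: str, mode: str) -> str:
        if mode == "token_deterministic":
            mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
            token = f"tok_{field}_{mac[:32]}"
        elif mode == "token_random":
            token = f"tok_{field}_{secrets.token_hex(16)}"
        else:
            raise ValueError(f"unknown tokenization mode: {mode}")
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def prepare_for_cloud(record: dict, vault: TokenVault, policy: dict = POLICY) -> dict:
    """Apply minimization and tokenization before the record crosses the trust boundary.

    Fields missing from the policy are dropped (default deny), so a new PII column added
    upstream cannot silently flow into the cloud pipeline.
    """
    out = {}
    for field, value in record.items():
        action = policy.get(field, "drop")
        if action == "keep":
            out[field] = value
        elif action.startswith("token_"):
            out[field] = vault.tokenize(field, str(value), action)
        # "drop" and unknown fields are omitted
    return out


def leaked_pii(cloud_record: dict, original: dict, policy: dict = POLICY) -> List[str]:
    """Control check: names of non-'keep' fields whose original value still appears in the cloud copy."""
    serialized = repr(cloud_record)
    return [f for f, v in original.items()
            if policy.get(f, "drop") != "keep" and str(v) in serialized]


def demo() -> Tuple[List[dict], TokenVault]:
    """Tokenize the constructed sample records with a fresh vault key."""
    vault = TokenVault(secrets.token_bytes(32))
    cloud_copy = [prepare_for_cloud(r, vault) for r in SAMPLE_RECORDS]
    return cloud_copy, vault


if __name__ == "__main__":
    cloud_records, vault = demo()
    for original, cloud in zip(SAMPLE_RECORDS, cloud_records):
        print(cloud, "leaked:", leaked_pii(cloud, original))
    print("on-prem detokenize:", vault.detokenize(cloud_records[0]["email"]))
```

Two caveats a practitioner would add: deterministic tokens preserve equality, so frequency analysis on a token column is still possible and such tokens should be limited to fields that genuinely need joining; and the vault key and mapping must stay outside the provider's trust boundary, which is the whole reason this control addresses the scenario while CMEK alone does not (the managed service still decrypts with the customer's key while processing).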
CISSP Practice Question – Software Development Security (AI-Assisted SDLC & Risk Governance)
A global fintech company adopts an AI-assisted code-generation platform to accelerate development. The CISO learns that developers sometimes allow the tool to access proprietary source repositories and external training data. Management wants faster delivery but is concerned about intellectual-property leakage and unvetted open-source dependencies being inserted into production builds. What is the BEST control to implement FIRST?
A. Require legal review of the vendor’s AI license terms and intellectual-property indemnification clauses.
B. Integrate automated software-composition analysis (SCA) and code-signing into the CI/CD pipeline to validate all generated components.
C. Restrict the AI tool’s access to internal repositories and enforce output review through secure-coding peer validation.
D. Mandate retraining of the AI model using only internal proprietary data to eliminate third-party influence.
1 like • 22d
C. Greatest concern is data leakage. Fastest way to mitigate is to restrict access.
Ivo Mulders
@ivo-mulders-1100
ISO Netherlands

Joined Oct 28, 2025