A multinational enterprise migrates sensitive analytics workloads to a cloud provider. The environment uses a zero-trust architecture, and encryption is enabled for data in transit and at rest. During a review, the CISO learns that several teams are using cloud-native analytics tools that temporarily decrypt and process customer PII inside managed service environments where the organization has no visibility into memory, caching, or key-handling operations. Which control is MOST critical to implement to maintain data-lifecycle protection under these conditions? A. Enforce customer-managed encryption keys (CMEK) and prohibit provider-managed key usage. B. Implement strict data-minimization and tokenization before data enters the cloud analytics pipeline. C. Require all analytics tools to run only in containers where memory and cache can be fully inspected. D. Mandate continuous CASB monitoring to detect shadow analytics workflows and unauthorized data feeds.

A global fintech company adopts an AI-assisted code-generation platform to accelerate development.The CISO learns that developers sometimes allow the tool to access proprietary source repositories and external training data. Management wants faster delivery but is concerned about intellectual-property leakage and unvetted open-source dependencies being inserted into production builds. What is the BEST control to implement FIRST? A. Require legal review of the vendor’s AI license terms and intellectual-property indemnification clauses. B. Integrate automated software-composition analysis (SCA) and code-signing into the CI/CD pipeline to validate all generated components. C. Restrict the AI tool’s access to internal repositories and enforce output review through secure-coding peer validation. D. Mandate retraining of the AI model using only internal proprietary data to eliminate third-party influence.

She will be will us! Sorry about the confusion all

Your organization plans to deploy a generative-AI system that will assist in making decisions on loan applications. Given the high stakes (financial risk, regulatory oversight, data privacy) the CISO demands robust controls throughout the AI lifecycle. Which of the following actions is MOST critical to satisfy both the risk management and governance objectives in this scenario? A. Ensure the AI model is hosted on-premises within a dedicated enterprise cloud to maintain maximum infrastructure control. B. Perform a model risk assessment that covers data integrity, bias/ethics, explainability, lineage of training data, and model drift, and present the findings to senior leadership. C. Require applicants to submit non-financial documents (e.g., social media profiles) so the AI has more data to improve its predictive accuracy. D. Develop an SLA with the AI vendor guaranteeing 99.9% uptime and a fixed model-update schedule every 90 days.

A company’s internal investigation uncovers evidence suggesting that an employee may have stolen trade secrets and transmitted them to a competitor. The security team’s forensic analyst, who is not law enforcement, uses packet capture tools to monitor the suspect’s outbound traffic in real time to confirm the leak. The analyst captures the data and presents it to management, who plan to terminate the employee immediately. From a CISSP and legal standpoint, what is the MOST significant concern with how this evidence was obtained? A. The analyst may have violated wiretapping and privacy laws by monitoring live network traffic without proper authorization. B. The analyst exceeded professional scope by performing forensics on corporate assets without a court order. C. The evidence is invalid because the analyst did not use a certified forensic tool for packet capture. D. The company should have notified law enforcement before beginning the internal investigation.