
34 contributions to CISSP Study Group
CISSP Practice Question – Domain 4 (Communication & Network Security)
A global enterprise adopts a strict zero-trust network architecture. All workloads—on-prem, cloud, and containerized—must mutually authenticate before communicating. To comply with regulatory requirements, the company must also maintain full packet-level visibility for threat analysis and incident response. Which solution BEST satisfies all of these requirements simultaneously?
A. Deploy full end-to-end TLS between all workloads and rely on IDS/IPS to inspect only metadata and flow logs.
B. Use a TLS termination proxy at network choke points and decrypt all internal traffic for inspection before re-encrypting.
C. Implement mutual TLS within a service mesh that supports encrypted telemetry export and out-of-band traffic mirroring for deep packet inspection.
D. Use host-based agents to perform inline decryption on each workload and send decrypted payload streams to the central IDS via secure channels.
0 likes • 2h
C. A service mesh (e.g., Istio, Linkerd, Consul) natively enables mutual TLS (mTLS) between all workloads across on-prem, cloud, and containerized environments. This satisfies the zero-trust requirement by enforcing strong identity, mutual authentication, and policy-based authorization at the workload level—without relying on the underlying network to be trustworthy. The mesh’s sidecar proxy architecture provides a practical way to achieve full packet-level visibility. Right?
CISSP Practice Question – Software Development Security (AI-Assisted SDLC & Risk Governance)
A global fintech company adopts an AI-assisted code-generation platform to accelerate development. The CISO learns that developers sometimes allow the tool to access proprietary source repositories and external training data. Management wants faster delivery but is concerned about intellectual-property leakage and unvetted open-source dependencies being inserted into production builds. What is the BEST control to implement FIRST?
A. Require legal review of the vendor’s AI license terms and intellectual-property indemnification clauses.
B. Integrate automated software-composition analysis (SCA) and code-signing into the CI/CD pipeline to validate all generated components.
C. Restrict the AI tool’s access to internal repositories and enforce output review through secure-coding peer validation.
D. Mandate retraining of the AI model using only internal proprietary data to eliminate third-party influence.
1 like • 21d
Best first control would be C, because it mitigates the highest-risk issue: proprietary code exposure and untrusted AI-generated output.
CISSP Practice Question – Security Operations (Incident Response & Forensics Maturity)
Which of the following actions BEST balances regulatory obligations with evidence integrity and due diligence?
A. Release preliminary findings immediately, clearly labeled as “provisional,” and continue full forensic analysis.
B. Delay all external communication until the full investigation is complete and validated.
C. Provide regulators with a high-level incident acknowledgment, outline the investigation timeline, and commit to an official report after evidence validation.
D. Provide sanitized technical logs to regulators immediately while withholding full forensic images until legal review.
1 like • 25d
C. - Why? Most frameworks/regulations require a timely acknowledgement. This measure avoids premature release of potentially misleading forensic data. It demonstrates transparency without sacrificing chain of custody. It reduces the risk of exposure to liability from incorrect early findings, yet maintains trust with regulators.
CISSP Practice Question – Identity & Access Management (Federation and Trust Boundaries)
A global enterprise has implemented federated identity management using SAML between its internal Active Directory domain and multiple cloud SaaS providers. During testing, a partner organization asks to use the same SAML assertions from the enterprise’s identity provider (IdP) to access shared applications hosted in the partner’s environment. Which of the following must the enterprise ensure FIRST before extending this trust?
A. The partner’s service provider (SP) certificate is issued by the same certificate authority (CA) as the enterprise’s IdP.
B. The partner’s SP enforces attribute-based access control (ABAC) using SAML attributes.
C. A formal trust agreement defines assertion validity, encryption standards, and identity-proofing responsibilities between both organizations.
D. The enterprise IdP is configured to issue assertions with short lifetimes (e.g., < 5 minutes) to limit misuse.
1 like • 28d
C - A legal & technical foundation is essential before any configuration or attribute-based access control can be safely implemented. A is not necessary - trust is based on the public key. B is a policy decision & not a prerequisite. D is a good security practice, but not the 1st thing to ensure when extending trust to a new organization. Right?
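To make the "assertion validity" and trust-boundary point concrete, here is an added example that is not part of the original post or any vendor product: a partner service provider's acceptance check of a SAML assertion against a per-IdP trust registry of the kind a formal trust agreement would define. Entity IDs, timestamps and the registry are constructed; XML signature verification is assumed to have already happened and is not shown.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed trust registry: the terms a formal trust agreement (option C)
# would pin down per federated IdP. Entity IDs are hypothetical.
TRUST_REGISTRY = {
    "https://idp.enterprise.example/saml": {
        "audience": "https://apps.partner.example/sp",   # this SP's own entity ID
        "max_lifetime": timedelta(minutes=5),            # agreed assertion lifetime
    }
}

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-09-03T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate_assertion(xml_text, now, registry=TRUST_REGISTRY):
    """Return (accepted, reason); assumes the XML signature was already verified."""
    root = ET.fromstring(xml_text)
    entry = registry.get(root.findtext("saml:Issuer", namespaces=NS))
    if entry is None:
        return False, "issuer not in trust registry"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing Conditions or validity window"
    nb, noa = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not (nb <= now < noa):
        return False, "assertion outside validity window"
    if noa - nb > entry["max_lifetime"]:
        return False, "assertion lifetime exceeds agreed maximum"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entry["audience"] not in audiences:
        return False, "audience does not name this SP"
    return True, "ok"

def make_assertion(issuer, audience, not_before, not_on_or_after):
    """Build a constructed, unsigned assertion for demonstration only."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0" ID="_demo">'
            f"<saml:Issuer>{issuer}</saml:Issuer>"
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
            f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
            "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>")

NOW = datetime(2024, 9, 3, 12, 0, tzinfo=timezone.utc)
ENTERPRISE_IDP = "https://idp.enterprise.example/saml"
# GOOD was minted for the partner SP and is accepted. REPLAYED was minted for the
# enterprise's own SaaS app and reused across the trust boundary: its Audience names a different SP.
GOOD = make_assertion(ENTERPRISE_IDP, "https://apps.partner.example/sp", "2024-09-03T11:58:00Z", "2024-09-03T12:03:00Z")
REPLAYED = make_assertion(ENTERPRISE_IDP, "https://saas.example/sp", "2024-09-03T11:58:00Z", "2024-09-03T12:03:00Z")
```

Running `evaluate_assertion(GOOD, NOW)` returns `(True, "ok")`, while the replayed assertion is rejected on the audience check even though it came from the same trusted IdP.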
CISSP Practice Question – Communication & Network Security (Encryption Architecture)
A multinational enterprise uses an MPLS WAN to connect global offices. The company wants to add end-to-end encryption to protect confidential data but still allow its IDS/IPS systems at key choke points to inspect for malicious traffic. Which of the following design approaches BEST satisfies both confidentiality and monitoring requirements?
A. Deploy full-mesh IPsec tunnels between all sites to ensure maximum privacy of traffic.
B. Implement TLS encryption from client to server for all applications, and disable packet inspection.
C. Use gateway-to-gateway VPN encryption within the MPLS backbone, and terminate the tunnels at trusted inspection points.
D. Encrypt traffic at Layer 2 using MACsec (802.1AE) to protect data across the WAN.
1 like • 29d
C - should provide Gwy2Gwy (gateway-to-gateway) encryption and inspection by terminating at trusted inspection points, and is more scalable than mesh.
Martin Joplin
@martin-joplin-1962
I have 35+ years of IT experience with more than 15 years in IT management. Within the past 2 years I decided that I enjoyed Cybersecurity & ...

Joined Sep 3, 2024