@Enrico Sciullo Correct Answer: B. Conduct a retention review with data owners and legal to validate regulatory obligations Explanation (CISSP logic): The key phrase is "cannot confirm whether retention requirements still apply." You're sitting on a pile of data classified as confidential, but nobody knows if it's being held for regulatory reasons, legal hold, contractual obligation, or just inertia. Every other action assumes you already know the answer to that question. Domain 2 is clear: data lifecycle decisions require understanding the obligations attached to the data before you move, reclassify, or destroy anything. Data owners and legal are the two parties who can validate those obligations. Breakdown: A. Archive to lower-cost storage - Reduces cost but doesn't answer the fundamental question. You might be archiving data you're legally required to destroy, or preserving data in a way that doesn't meet regulatory requirements for accessibility. B. ✅ Correct. Establishes the factual basis for every downstream decision. You can't archive, declassify, or purge until you know what obligations are attached to the data. C. Declassify the unused data - Extremely dangerous. "Unused" does not mean "unimportant." Confidential data doesn't lose its sensitivity because nobody opened it recently. Declassifying without understanding regulatory context could create compliance violations overnight. D. Automated lifecycle purge policies - The right long-term destination, but automating deletion when you don't even know your retention obligations is how organizations destroy evidence or violate data protection laws. Think like a manager: Data you don't understand is data you can't govern. Before you move it, shrink it, or delete it, find out why it exists.

@Mercy Mensah Correct Answer: B. Deploy a cloud-based secure web gateway to enforce policy at the endpoint Explanation (CISSP logic): This question tests whether you can solve a security gap without undoing a legitimate business decision. Management already weighed in: split-tunnel stays because the performance gains matter. Full-tunnel would fix the control gap but directly contradicts that business requirement. The CISSP-aligned approach is finding a control that meets security objectives within the constraints you've been given. A cloud-based secure web gateway enforces DLP and proxy policy regardless of tunnel configuration, protecting data without degrading the user experience management wants to preserve. Breakdown: A. Full-tunnel VPN - The "obvious" security answer, but it ignores the stated business constraint. Management values the performance gains. Recommending the exact thing they've already rejected is tone-deaf and wastes political capital. B. ✅ Correct. Maintains the split-tunnel architecture management wants while closing the DLP gap. Policy enforcement follows the user to the endpoint rather than depending on network path. C. Accept the risk and document - This might be appropriate if no viable control existed, but it does. Accepting a gap you can reasonably close is not good risk management, it's avoidance disguised as acceptance. D. Restrict to managed devices only - Addresses device trust but doesn't solve the traffic bypass problem. A managed device on a split tunnel still routes SaaS traffic outside corporate controls. Think like a manager: When the business draws a line, don't fight the constraint. Find the control that works within it. Security that ignores business reality doesn't get implemented.

@Dj Sahoo Correct Answer: C. Present the risk formally to leadership with compensating control options and timeline impacts Explanation (CISSP logic): Leadership already made a business decision to hold the timeline. Security's job now is to ensure that decision is an informed one. Hardcoded credentials in a multi-cloud environment dramatically expand the blast radius if compromised, but unilaterally blocking the migration or silently migrating known vulnerabilities are both governance failures. The CISSP approach is to formally communicate the risk, propose compensating controls, and let leadership decide with full visibility. This is risk communication, not risk avoidance. Breakdown: A. Migrate and fix later - This is "hope as a strategy." You're knowingly pushing vulnerable applications into a broader attack surface with no documented risk acceptance. If a breach occurs, there's no paper trail showing leadership was informed. B. Secrets management and segmentation - Strong technical answer and likely part of the compensating control proposal, but implementing controls without formal risk communication skips governance. Who authorized the cost, scope, and residual risk? C. ✅ Correct. Formalizes the risk, gives leadership options, and preserves accountability. Whether they accept, mitigate, or adjust the timeline, the decision is documented and owned. D. Reject the migration - Security doesn't have veto authority over business decisions. Blocking a leadership-approved initiative without escalation is overstepping your role. Think like a manager: When the business says "go" and security sees danger, your job isn't to block the road. It's to put up the warning signs and make sure the driver knows exactly what's ahead.