@Antony Onamu Correct Answer: B. Redefine the program metrics to measure remediation outcomes, not scan activity Explanation (CISSP logic): Measuring activity instead of outcomes is a classic governance failure. A vulnerability management program exists to reduce risk, not to prove scans ran. CISSP Domain 6 stresses that metrics must align to control objectives, and KPIs should reflect risk reduction (mean time to remediate, SLA adherence) rather than process completion. Breakdown: A. Slowing scans hides the backlog and increases exposure window; treats the symptom, not the cause. B. ✅ Correct. Aligns metrics with the actual control objective and surfaces accountability. C. Escalation may be warranted later, but without fixing the metric, the program keeps reporting green while risk accumulates. D. Outsourcing transfers work, not accountability, and doesn't address the broken measurement model. Think like a manager: You get the behavior you measure. If you reward scanning, you get scans; if you reward remediation, you get risk reduction.

@Jonathan Perry glad to have you Sir!

@William Serrano will that’s great! What’s the prep plan?

@Dj Sahoo Correct Answer: C. Perform a risk assessment mapped to your control requirements Explanation (CISSP logic): Third-party risk management starts with understanding your own control requirements and the risk the vendor introduces, not collecting their artifacts. A SOC 2 report and questionnaires are inputs to a risk assessment, not substitutes for it. Domain 3 and Domain 1 both stress that due diligence means evaluating fit against your risk appetite before contractual commitment. Breakdown: A. A SOC 2 Type II is evidence, not a decision; accepting it without mapping to your controls skips due diligence. B. Questionnaires feed the assessment but don't replace the analysis or the risk decision. C. ✅ Correct. Establishes the control gap and informs whether to proceed, negotiate, or walk away. D. A pen test addresses technical posture, not regulatory fit, contractual terms, or residual risk ownership. Think like a manager: Vendor artifacts are inputs; your risk assessment is the decision. Sign the contract last, not first.

@Ms. Marlow Correct Answer: B. Initiate a formal access recertification with each respective data owner Explanation (CISSP logic): This is privilege creep, and the fix is governance, not tooling. Data owners (not IT, not managers) are the accountable parties for authorizing access to their data. Recertification forces each owner to justify continued access against current job function, satisfying least privilege and separation of duties. Breakdown: A. Activity-based pruning is operational hygiene; it skips the authorization question and bypasses the data owner. B. ✅ Correct. Re-anchors access decisions with the accountable owners and produces audit evidence. C. RBAC is a sound long-term design, but implementation comes after you've validated what access is actually authorized. D. HR governs job descriptions, not data access authorization; wrong authority. Think like a manager: Access doesn't expire on its own. Owners authorize, recertification validates, and least privilege is a verb.