@Dj Sahoo Correct Answer: B. Conduct a retention review with data owners and legal to validate regulatory obligations Explanation (CISSP logic): The key phrase is "cannot confirm whether retention requirements still apply." You're sitting on a pile of data classified as confidential, but nobody knows if it's being held for regulatory reasons, legal hold, contractual obligation, or just inertia. Every other action assumes you already know the answer to that question. Domain 2 is clear: data lifecycle decisions require understanding the obligations attached to the data before you move, reclassify, or destroy anything. Data owners and legal are the two parties who can validate those obligations. Breakdown: A. Archive to lower-cost storage - Reduces cost but doesn't answer the fundamental question. You might be archiving data you're legally required to destroy, or preserving data in a way that doesn't meet regulatory requirements for accessibility. B. ✅ Correct. Establishes the factual basis for every downstream decision. You can't archive, declassify, or purge until you know what obligations are attached to the data. C. Declassify the unused data - Extremely dangerous. "Unused" does not mean "unimportant." Confidential data doesn't lose its sensitivity because nobody opened it recently. Declassifying without understanding regulatory context could create compliance violations overnight. D. Automated lifecycle purge policies - The right long-term destination, but automating deletion when you don't even know your retention obligations is how organizations destroy evidence or violate data protection laws. Think like a manager: Data you don't understand is data you can't govern. Before you move it, shrink it, or delete it, find out why it exists.

@Enrico Sciullo Correct Answer: B. Conduct a retention review with data owners and legal to validate regulatory obligations Explanation (CISSP logic): The key phrase is "cannot confirm whether retention requirements still apply." You're sitting on a pile of data classified as confidential, but nobody knows if it's being held for regulatory reasons, legal hold, contractual obligation, or just inertia. Every other action assumes you already know the answer to that question. Domain 2 is clear: data lifecycle decisions require understanding the obligations attached to the data before you move, reclassify, or destroy anything. Data owners and legal are the two parties who can validate those obligations. Breakdown: A. Archive to lower-cost storage - Reduces cost but doesn't answer the fundamental question. You might be archiving data you're legally required to destroy, or preserving data in a way that doesn't meet regulatory requirements for accessibility. B. ✅ Correct. Establishes the factual basis for every downstream decision. You can't archive, declassify, or purge until you know what obligations are attached to the data. C. Declassify the unused data - Extremely dangerous. "Unused" does not mean "unimportant." Confidential data doesn't lose its sensitivity because nobody opened it recently. Declassifying without understanding regulatory context could create compliance violations overnight. D. Automated lifecycle purge policies - The right long-term destination, but automating deletion when you don't even know your retention obligations is how organizations destroy evidence or violate data protection laws. Think like a manager: Data you don't understand is data you can't govern. Before you move it, shrink it, or delete it, find out why it exists.

@Mercy Mensah Correct Answer: B. Deploy a cloud-based secure web gateway to enforce policy at the endpoint Explanation (CISSP logic): This question tests whether you can solve a security gap without undoing a legitimate business decision. Management already weighed in: split-tunnel stays because the performance gains matter. Full-tunnel would fix the control gap but directly contradicts that business requirement. The CISSP-aligned approach is finding a control that meets security objectives within the constraints you've been given. A cloud-based secure web gateway enforces DLP and proxy policy regardless of tunnel configuration, protecting data without degrading the user experience management wants to preserve. Breakdown: A. Full-tunnel VPN - The "obvious" security answer, but it ignores the stated business constraint. Management values the performance gains. Recommending the exact thing they've already rejected is tone-deaf and wastes political capital. B. ✅ Correct. Maintains the split-tunnel architecture management wants while closing the DLP gap. Policy enforcement follows the user to the endpoint rather than depending on network path. C. Accept the risk and document - This might be appropriate if no viable control existed, but it does. Accepting a gap you can reasonably close is not good risk management, it's avoidance disguised as acceptance. D. Restrict to managed devices only - Addresses device trust but doesn't solve the traffic bypass problem. A managed device on a split tunnel still routes SaaS traffic outside corporate controls. Think like a manager: When the business draws a line, don't fight the constraint. Find the control that works within it. Security that ignores business reality doesn't get implemented.