Memberships

CISSP Study Group

2k members • Free

4 contributions to CISSP Study Group
CISSP Practice Question (Domain 2: Asset Security - AI Exam Guidance)
A financial services firm acquires a pre-trained ML model from a third-party vendor for fraud detection. During onboarding, the security team discovers the vendor cannot provide documentation on the origin of the training dataset. What should the CISO address FIRST?
A. Commission an independent bias audit before production deployment
B. Classify the model and its training data as high-value intellectual property
C. Assess whether the undocumented data sourcing introduces unmanageable supply chain risk
D. Require the vendor to retrain the model using only internally sourced datasets
Come back for the answer tomorrow, or study more now!
0 likes • 3h
C
CISSP Practice Question (Domain 1: Security and Risk Management)
During a third-party risk assessment, you discover a critical SaaS vendor stores customer data in a jurisdiction that conflicts with your organization's data residency requirements. The vendor scores well on every other security benchmark. The contract renewal deadline is in two weeks. What should you do FIRST?
A. Require the vendor to migrate data to a compliant region before renewal
B. Engage legal counsel to assess regulatory exposure and contractual options
C. Renew the contract with an addendum requiring future data residency compliance
D. Begin evaluating alternative vendors that meet data residency requirements
Come back for the answer tomorrow, or study more now!
0 likes • 17d
b
CISSP Practice Question (Domain 3: Security Architecture and Engineering)
Your organization is migrating legacy on-premises applications to a multi-cloud environment. The security team discovers that several applications use hardcoded service account credentials that cannot be easily refactored before the migration deadline. Business leadership refuses to delay the timeline. What is the BEST approach?
A. Migrate as planned and prioritize credential refactoring in the next sprint
B. Implement secrets management and network segmentation around the vulnerable applications
C. Present the risk formally to leadership with compensating control options and timeline impacts
D. Reject the migration for applications with hardcoded credentials until remediation is complete
Come back for the answer tomorrow, or study more now!
1 like • 17d
C
CISSP Practice Question (Domain 3: Security Architecture and Engineering)
Your organization deploys an AI assistant with access to internal knowledge bases containing data classified at multiple sensitivity levels. The system currently returns results regardless of the requestor's clearance level. No access enforcement layer exists between the AI and the data. What is the PRIMARY risk?
A. The AI model may retain sensitive data in its context and leak it to subsequent users
B. Unauthorized information disclosure through the AI bypassing established access controls
C. Excessive query logging creating a secondary repository of classified information
D. Users developing over-reliance on AI responses instead of consulting original sources
Come back for the answer tomorrow, or study more now!
0 likes • 29d
B
@deepak-nv-1516
I am an average Joe with an interest in Cyber Security. I am here to learn the best practices for enabling a safe professional environment.

Active 3h ago
Joined Feb 27, 2026