You are the network administrator for a large GCP organization. The security team wants to enforce a rule that blocks all outbound SSH traffic to the internet across ALL projects in the organization. Individual project owners must not be able to override this rule. Which TWO steps should you take? (Select TWO)

Hierarchical Firewall Policies allow security administrators to define and enforce firewall rules at the Organization or Folder level. These rules are evaluated before VPC-level firewall rules. By creating a deny rule for egress port 22 at the Organization node, you guarantee that no VM in any project can initiate an outbound SSH connection, and project owners cannot override it.