
CRISC Question #316: Real Exam Question with Answer & Explanation

The correct answer is B: Assess the risk of using production data for testing before making a decision. The risk practitioner's best recommendation is to assess the risks of using production data for the POC first, so that the decision to approve, approve with controls, or deny is based on the potential harm weighed against the benefit.

Submitted by kavita_s · Apr 18, 2026 · IT Risk Assessment

Question

An organization's IT department wants to complete a proof of concept (POC) for a security tool. The project lead has asked for approval to use the production data for testing purposes as it will yield the best results. Which of the following is the risk practitioner's BEST recommendation?

Options

  • A. Accept the risk of using the production data to ensure accurate results.
  • B. Assess the risk of using production data for testing before making a decision.
  • C. Benchmark against what peer organizations are doing with POC testing environments.
  • D. Deny the request, as production data should not be used for testing purposes.

Explanation

The risk practitioner's best recommendation is to assess the risk of using production data for testing before a decision is made. The assessment should establish what the data contains (personal, financial, regulated or otherwise sensitive records), which legal and contractual obligations apply to it, how the POC environment and the vendor tool will handle it, and which compensating controls (masking or anonymization, restricted access, an isolated environment, deletion at the end of the POC) would bring the residual risk within appetite. Only then can the request be approved, approved with conditions, or denied on an informed basis.

Common mistakes.

  • A. Accepting the risk without a formal assessment is irresponsible: it bypasses the core function of a risk practitioner, which is to evaluate potential harm and ensure due care before risk is accepted by its owner.
  • C. Benchmarking against peer organizations can provide context, but it does not replace a risk assessment tailored to the organization's own data, environment, and compliance obligations.
  • D. Denying the request outright without an assessment may be the right outcome, but reaching it without analysis could deprive the organization of valuable insight if the risk is manageable through controls such as data masking or anonymization, strict access restrictions, and an isolated test environment.
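The explanation for option D names data anonymization and strict access as controls that might make a POC acceptable. The following is an added example, not code from the original question page or from ISACA, showing one such control in practice: a keyed pseudonymization pass over a constructed sample of production records, plus a check that no raw identifier survives into the data handed to the POC tool. The record layout, field names, and the split between identifying and pass-through fields are assumptions made for the illustration.

```python
"""Added example (not part of the original page): pseudonymize a constructed
sample of production records before a proof-of-concept tool sees them.

Keyed (HMAC) tokens keep join keys consistent across rows, so the POC still
behaves realistically, while the raw identifiers never leave production.
The key must stay in production; the POC environment only receives the output.
"""
import hashlib
import hmac

# Constructed sample rows for the example; not real customers.
PRODUCTION_ROWS = [
    {"customer_id": "C-10042", "email": "alice@example.com", "ssn": "123-45-6789", "balance": 1520.75},
    {"customer_id": "C-10043", "email": "bob@example.net", "ssn": "987-65-4321", "balance": 80.00},
    {"customer_id": "C-10042", "email": "alice@example.com", "ssn": "123-45-6789", "balance": -30.10},
]

# Assumed classification for this dataset: which fields identify a person
# (replaced by tokens) and which may pass through unchanged for the POC.
IDENTIFYING_FIELDS = ("customer_id", "email", "ssn")
PASSTHROUGH_FIELDS = ("balance",)


def pseudonymize(value: str, field: str, key: bytes) -> str:
    """Deterministic keyed token: the same input always yields the same token,
    so joins still work, but without the key the token cannot be reversed.
    The field name is mixed in so the same value in two fields is not linkable."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{mac[:16]}"


def pseudonymize_rows(rows, key: bytes):
    """Return a masked copy of rows; unknown fields fail closed rather than leak."""
    masked_rows = []
    for row in rows:
        masked = {}
        for field, value in row.items():
            if field in IDENTIFYING_FIELDS:
                masked[field] = pseudonymize(str(value), field, key)
            elif field in PASSTHROUGH_FIELDS:
                masked[field] = value
            else:
                # A field nobody classified must not silently reach the POC.
                raise ValueError(f"field {field!r} has no masking decision")
        masked_rows.append(masked)
    return masked_rows


def leaks_raw_identifiers(original_rows, masked_rows) -> bool:
    """Post-condition check: no raw identifying value from production appears
    anywhere in the masked output (a simple substring scan over the output)."""
    raw_values = {str(r[f]) for r in original_rows for f in IDENTIFYING_FIELDS}
    dump = repr(masked_rows)
    return any(v in dump for v in raw_values)


if __name__ == "__main__":
    # The key is an illustrative constant here; in practice it is generated
    # and held in production, never shipped with the masked dataset.
    key = b"example-masking-key-kept-in-production"
    masked = pseudonymize_rows(PRODUCTION_ROWS, key)
    for row in masked:
        print(row)
    print("raw identifiers leaked:", leaks_raw_identifiers(PRODUCTION_ROWS, masked))
```

The leak check is the part worth keeping in a real pipeline: a masking step that is assumed to work is exactly the kind of control a risk assessment should require evidence for before the POC is approved.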

Concept tested. Risk Assessment in Test Environments

Reference. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/security-governance-disciplines#cloud-risk-assessment

Topics

Risk assessment · Data usage risk · POC testing · Risk management process
