
CRISC Question #535: Real Exam Question with Answer & Explanation

The correct answer is A: Evaluate the organization's existing data protection controls. The board wants to know its exposure to breaches like those in the news, and exposure to a given threat scenario is determined largely by how well the controls already in place hold up against it. Evaluating those controls first establishes the current level of protection (and its gaps) that every later step depends on.

Submitted by daniela_cl · Apr 18, 2026 · Category: IT Risk Assessment

Question

An organization's board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios. Which of the following is the BEST course of action?

Options

  • A. Evaluate the organization's existing data protection controls.
  • B. Reassess the risk appetite and tolerance levels of the business.
  • C. Evaluate the sensitivity of data that the business needs to handle.
  • D. Review the organization's data retention policy and regulatory requirements.

Explanation

The board's question is about exposure to a specific class of scenario: the data breaches it has seen reported. Exposure to such a scenario depends on whether the organization's existing data protection controls (technical and administrative) would actually withstand the same attack vectors, so the first step is to evaluate those controls and determine their effectiveness. The result, the residual risk given current control performance, is what can then be compared against risk appetite, mapped to data sensitivity, and reported back to the board. The evaluation should be scoped to the breach scenarios the board is concerned about rather than being a generic control review.

Common mistakes.

  • B. Risk appetite and tolerance set the overall risk strategy, but reassessing them tells the board nothing about how effective the current defenses are; it is a decision input that needs the control evaluation's output.
  • C. Evaluating data sensitivity is a necessary part of data classification and risk assessment, but on its own it says nothing about whether the controls protecting that data would hold against a breach, which is the immediate concern raised by the external events.
  • D. Reviewing data retention policies and regulatory requirements is important for compliance, but it addresses the data lifecycle and legal obligations rather than the effectiveness of the technical and administrative controls that would prevent or limit a breach.

Concept tested. Data breach exposure assessment

Reference. https://learn.microsoft.com/en-us/azure/security/fundamentals/data-protection-overview

Topics

#Security Controls Evaluation · #Data Breach Risk · #Risk Exposure · #IT Risk Assessment
