CRISC Question #629: Real Exam Question with Answer & Explanation
The correct answer is D: Controls are not applied to the applications.
Question
A new international data privacy regulation requires personal data to be disposed after the specified retention period, which is different from the local regulatory requirement. Which of the following is the risk practitioner's BEST course of action?
Options
- A. The application code has not been version controlled.
- B. Knowledge of the applications is limited to few employees.
- C. An IT project manager is not assigned to oversee development.
- D. Controls are not applied to the applications.
Explanation
The challenge of managing conflicting data retention regulations is severely exacerbated if the underlying applications lack necessary controls to enforce data lifecycle policies.
Common mistakes
- A. Lack of application code version control is a development lifecycle issue, not directly the primary impediment to managing data retention policies across applications.
- B. Limited knowledge of applications is an operational risk, but the absence of controls is a more fundamental problem for data retention compliance.
- C. Not assigning an IT project manager relates to project governance, which is less directly tied to the technical capability of enforcing data retention than the presence of controls.
Concept tested: Data lifecycle management and application controls
Reference: https://learn.microsoft.com/en-us/compliance/regulatory/gdpr-data-retention