The best assurance is obtained by verifying a sample of critical fields. If the question is specifically about encryption at the database level, the auditor should test the actual data elements in the database that are expected to be encrypted. ISACA privacy and data-protection guidance discusses encryption of sensitive data fields as a protection mechanism, which supports validating field-level protection directly.
Option C is correct because it provides direct evidence that sensitive database fields are actually encrypted. This is stronger than reviewing policies or peripheral settings because it tests the implemented control itself.
Option A is incorrect because drive settings relate to disk or full-volume encryption on the host server, not to database-level encryption of specific sensitive fields. Full-disk encryption protects the media when it is powered off or removed; once the server is running, the database engine and anyone with database access read the fields in clear, so a drive setting says nothing about field-level protection.
Option B is incorrect because checking network traffic for clear-text transmissions only helps verify encryption in transit (for example, TLS between client and database server), not whether the data is encrypted within the database itself.
Option D is incorrect because a policy only states intent or requirement. It does not prove the database is actually encrypting sensitive fields.
Therefore, C is the best answer because direct verification of sensitive fields provides the strongest assurance that encryption is implemented at the database level.
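The following is an added example, not code from the ISACA sources cited on this page. It shows the test the explanation recommends: sample rows from the table and inspect the actual stored values of a field that policy says must be encrypted, rather than relying on a policy document, disk settings or a network capture. The database, table names (`customers_ok`, `customers_bad`), column name (`ssn`) and sample data are all constructed for illustration; random bytes stand in for real cipher output.

```python
"""Field-level encryption check for a database audit (added example).

Assumptions (constructed for illustration, not from the page):
- An in-memory SQLite database stands in for the production DBMS.
- Table `customers_ok` stores `ssn` as ciphertext (random bytes here stand
  in for the output of a real cipher); `customers_bad` stores it in clear.
- A clear-text SSN matches the format ddd-dd-dddd.
"""
import math
import random
import re
import sqlite3

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # safe SQL identifier
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")          # expected clear-text shape


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits close to the maximum for its length."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(value, plaintext_re=SSN_RE) -> str:
    """Label one stored value: 'plaintext', 'ciphertext' or 'unknown'."""
    if isinstance(value, str) and plaintext_re.match(value):
        return "plaintext"            # protected data is stored in clear
    if isinstance(value, (bytes, bytearray)) and len(value) >= 16 \
            and shannon_entropy(bytes(value)) >= 3.5:
        return "ciphertext"           # opaque, high-entropy blob
    return "unknown"                  # neither; needs manual follow-up


def sample_field(conn, table, column, sample_size=5, seed=1):
    """Fetch a seeded random sample of `column` values from `table`."""
    for name in (table, column):
        if not IDENT_RE.match(name):  # identifiers cannot be bound as params
            raise ValueError(f"unsafe identifier: {name!r}")
    ids = [r[0] for r in conn.execute(f"SELECT rowid FROM {table}")]
    picked = random.Random(seed).sample(ids, min(sample_size, len(ids)))
    marks = ",".join("?" * len(picked))
    sql = f"SELECT {column} FROM {table} WHERE rowid IN ({marks})"
    return [r[0] for r in conn.execute(sql, picked)]


def audit_field(conn, table, column, sample_size=5, seed=1):
    """Sample the field; return counts and a PASS/FAIL/INCONCLUSIVE verdict."""
    values = sample_field(conn, table, column, sample_size, seed)
    labels = [classify(v) for v in values]
    result = {"sampled": len(labels),
              "plaintext": labels.count("plaintext"),
              "ciphertext": labels.count("ciphertext"),
              "unknown": labels.count("unknown")}
    if result["plaintext"]:
        result["verdict"] = "FAIL"            # any clear-text hit is a finding
    elif result["unknown"]:
        result["verdict"] = "INCONCLUSIVE"    # not clear text, not shown encrypted
    else:
        result["verdict"] = "PASS"
    return result


def build_demo_db():
    """Constructed sample data: one table encrypted at the field, one not."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers_ok (id INTEGER PRIMARY KEY, ssn BLOB)")
    conn.execute("CREATE TABLE customers_bad (id INTEGER PRIMARY KEY, ssn TEXT)")
    rng = random.Random(42)
    for i in range(1, 11):
        # Stand-in ciphertext: 32 random bytes (a real system would store
        # cipher output, e.g. AES-GCM nonce + ciphertext + tag).
        blob = bytes(rng.getrandbits(8) for _ in range(32))
        conn.execute("INSERT INTO customers_ok VALUES (?, ?)", (i, blob))
        ssn = (f"{rng.randrange(100, 999):03d}-"
               f"{rng.randrange(10, 99):02d}-{rng.randrange(1000, 9999):04d}")
        conn.execute("INSERT INTO customers_bad VALUES (?, ?)", (i, ssn))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for t in ("customers_ok", "customers_bad"):
        print(t, audit_field(db, t, "ssn"))
```

Note the limits of the check: a value that does not match the clear-text pattern is not proof of encryption (it could be encoded or obfuscated), which is why values that are neither recognisable plaintext nor high-entropy blobs are reported as INCONCLUSIVE for manual follow-up. The auditor should pair the sampled evidence with a review of how keys are managed and, where possible, confirm that the application decrypts the same fields correctly.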
References (Official ISACA):
ISACA Journal, Practical Data Security and Privacy for GDPR and CCPA — discusses encryption of sensitive client data fields.
ISACA Journal, Privacy-Preserving Analytics and Secure Multiparty Computation — discusses encryption of sensitive data fields throughout the data life cycle.
ISACA, Cloud Data Sovereignty: Governance and Risk Implications of Cross-Border Cloud Storage — distinguishes encryption at rest and in transit, supporting why network checks alone are insufficient for database-level assurance.