Isaca Certified in Risk and Information Systems Control CRISC Question # 169 Topic 17 Discussion

CRISC Exam Topic 17 Question 169 Discussion:

Question #: 169

Topic #: 17

While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BES reduce the risk associated with such a data breach?

Ensuring the vendor does not know the encryption key

Engaging a third party to validate operational controls

Using the same cloud vendor as a competitor

Using field-level encryption with a vendor supplied key

Get Premium CRISC Questions

Explanation

Encryption is a technique that transforms data into an unreadable format using a secret key, so that only authorized parties can access and decrypt the data. Encryption can help to protectsensitive data from unauthorized access or disclosure, especially when the data is stored or transmitted in the cloud1.

Ensuring the vendor does not know the encryption key is a control that will best reduce the risk associated with a data breach, because it can help to:

Prevent the vendor from accessing or disclosing the sensitive data, intentionally or unintentionally

Limit the exposure or impact of the data breach, even if the vendor’s systems or networks are compromised by hackers or malicious insiders

Maintain the confidentiality and integrity of the sensitive data, regardless of the vendor’s liability or responsibility

Enhance the trust and confidence of the customers and stakeholders, who may be concerned about the vendor’s refusal to accept liability for a data breach23

The other options are not as effective as ensuring the vendor does not know the encryption key for reducing the risk associated with a data breach. Engaging a third party to validate operational controls is a control that can help to verify and improve the vendor’s security practices and processes, but it does not guarantee that the vendor will prevent or respond to a data breach adequately or timely. Using the same cloud vendor as a competitor is not a control, but rather a business decision that may increase the risk associated with a data breach, as the vendor may have access to or disclose the sensitive data of both parties, or may favor one party over the other. Using field-level encryption with a vendor supplied key is a control that can help to encrypt specific fields or columns of data, such as names, addresses, or credit card numbers, but it does not prevent the vendor from accessing or disclosing the data, as the vendor has the encryption key4. References =

Encryption - ISACA

Cloud Encryption: Using Data Encryption in The Cloud

Cloud Encryption: Why You Need It and How to Do It Right

Field-Level Encryption - ISACA

[CRISC Review Manual, 7th Edition]

Actual exam question for Isaca CRISC exam by Jett7350 at Oct 14, 2025, 9:34:41 PM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Isaca Certified in Risk and Information Systems Control CRISC Question # 169 Topic 17 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 169 Topic 17 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Isaca Certified in Risk and Information Systems Control CRISC Question # 169 Topic 17 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 169 Topic 17 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval