Isaca Certified in Risk and Information Systems Control CRISC Question # 313 Topic 32 Discussion
An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?
A. Identify staff members who have access to the organization's sensitive data.
B. Identify locations where the organization's sensitive data is stored.
C. Identify risk scenarios and owners associated with possible data loss vectors.
D. Identify existing data loss controls and their levels of effectiveness.
The first step in assessing the current risk level of data loss is to identify where the sensitive data is stored, such as servers, databases, laptops, and mobile devices. This helps to determine the scope and boundaries of the risk assessment, as well as the potential exposure and impact of data loss. Identifying staff members who have access to the data, risk scenarios and owners, and existing controls are important steps, but they should be done after identifying the data locations.
Reference: Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1.1, page 51.