Certified in the Governance of Enterprise IT (CGEIT) — Question 360
An enterprise learns that a new privacy regulation was recently published to protect customers in the event of a breach involving personally identifiable information (PII). The IT risk management team's FIRST course of action should be to:
Answer options
- A. evaluate the risk appetite for the new regulation.
- B. determine if the new regulation introduces new risk.
- C. assign a risk owner for the new regulation.
- D. define the risk tolerance for the new regulation.
Correct answer: B
Explanation
The correct answer is B: before taking any further steps, the team must first determine whether the new regulation introduces new risk to the enterprise. Evaluating risk appetite, assigning a risk owner, and defining risk tolerance are all important activities, but each presupposes that the new risk has already been identified, so they follow the risk determination rather than precede it.