Certified in the Governance of Enterprise IT (CGEIT) — Question 52
A business unit within an enterprise has directly contracted with a cloud service provider to process sensitive customer information. The CIO later identifies a serious risk of potential data compromise due to the vendor's insufficient segregation of environments and lack of strong access controls. The FIRST course of action should be to:
Answer options
- A. immediately suspend sending of data to the cloud service provider.
- B. notify internal audit of the risk.
- C. discuss the risk with the vendor to determine mitigation actions.
- D. inform the business process owner of the risk.
Correct answer: C
Explanation
The correct answer is C. The risk arises from the vendor's own environment (weak segregation between tenants or environments and weak access controls), so the vendor is the only party that can confirm which controls are actually in place and what remediation is feasible, for example stronger isolation of the enterprise's data, tighter access provisioning and review, or contractual commitments and evidence such as independent audit reports. That discussion establishes the facts that every later decision depends on. Option A, immediately suspending data transfers, is too drastic as a first step: it disrupts business operations before the exposure has been confirmed or quantified and does nothing to address the root cause, although it remains a valid response if the vendor cannot or will not mitigate. Option B, notifying internal audit, is appropriate once the facts are known, but audit cannot remediate the vendor's controls and notifying them does not reduce the immediate risk. Option D, informing the business process owner, is necessary because that owner contracted directly with the provider and owns the resulting risk, but it is most effective after the CIO can present the vendor's position and the available mitigation options.