Certified Information Systems Auditor (CISA) — Question 1460
Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?
Answer options
- A. Industry standards
- B. Information security policy
- C. Incident response plan
- D. Industry regulations
Correct answer: D
Explanation
The correct answer is D because industry regulations often specify the legal requirements and deadlines for notifying affected individuals after a data breach. While industry standards, security policies, and incident response plans may provide guidance, they do not carry the same legal weight or set enforceable timeframes the way industry regulations do.