Certified in Risk and Information Systems Control (CRISC) — Question 104

An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:

Answer options

• A. transfer
• B. acceptance
• C. mitigation
• D. avoidance

Correct answer: A

Explanation

The correct answer is 'transfer' because the organization is shifting the risk of data exposure to a third party by using their encryption service. The other options do not apply as 'acceptance' would mean acknowledging the risk without action, 'mitigation' involves reducing the risk, and 'avoidance' means eliminating the risk altogether, none of which reflect the scenario described.