Certified in Risk and Information Systems Control (CRISC) — Question 1147

An organization's IT department wants to complete a proof of concept (POC) for a security tool. The project lead has asked for approval to use the production data for testing purposes as it will yield the best results. Which of the following is the risk practitioner's BEST recommendation?

Answer options

• A. Accept the risk of using the production data to ensure accurate results.
• B. Deny the request, as production data should not be used for testing purposes.
• C. Benchmark against what peer organizations are doing with POC testing environments.
• D. Assess the risk of using production data for testing before making a decision.

Correct answer: D

Explanation

The best recommendation is to assess the risk of using production data for testing before making a decision, as this allows for a thorough understanding of potential implications. Accepting the risk outright without evaluation could lead to serious security breaches, while denying the request may hinder the effectiveness of the POC. Benchmarking against peers does not address the specific risks associated with using production data directly.