Certified in Risk and Information Systems Control (CRISC) — Question 123
An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?
Answer options
- A. The reason some databases have not been encrypted.
- B. A list of unencrypted databases which contain sensitive data.
- C. The cost required to enforce encryption.
- D. The number of users who can access sensitive data.
Correct answer: B
Explanation
The most critical information for assessing risk impact is the list of unencrypted databases that contain sensitive data, because it directly identifies where exposure to a data breach could occur. The other options, while relevant, are less directly connected to the potential risk posed by the absence of encryption on sensitive databases.