Certified in Risk and Information Systems Control (CRISC) — Question 1232

Which of the following should be the PRIMARY driver for an organization on a multi-year cloud implementation to publish a cloud security policy?

Answer options

• A. Evaluating gaps in the on-premise and cloud security profiles
• B. Establishing minimum cloud security requirements
• C. Enforcing compliance with cloud security parameters
• D. Educating IT staff on variances between on-premise and cloud security

Correct answer: B

Explanation

The correct answer, B, emphasizes the importance of establishing minimum cloud security requirements, which provides a foundation for all security efforts. The other options, while important, focus on evaluating current security gaps, ensuring compliance, or educating staff, which are secondary to defining the essential security standards needed for effective cloud implementation.