Certified in Risk and Information Systems Control (CRISC) — Question 1286

A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?

Answer options

• A. Request a policy exception from senior management.
• B. Request an exception from the local regulatory agency.
• C. Comply with the organizational policy.
• D. Report the noncompliance to the local regulatory agency.

Correct answer: A

Explanation

The best course of action is to request a policy exception from senior management, as they have the authority to make exceptions to organizational policies when necessary. Requesting an exception from the local regulatory agency (Option B) may not address the internal policy conflict, while complying with the organizational policy (Option C) would lead to noncompliance with local laws. Reporting the noncompliance (Option D) does not resolve the conflict and could lead to penalties for the organization.