Certified in Risk and Information Systems Control (CRISC) — Question 1308
An organization uses a web application hosted by a cloud service that is populated by data sent to the vendor via email on a monthly basis. Which of the following should be the FIRST consideration when analyzing the risk associated with the application?
Answer options
- A. Whether the service provider contract allows right of onsite audit
- B. Whether the service provider's data center is located in the same country
- C. Whether the data has been appropriately classified
- D. Whether the data sent by email has been encrypted
Correct answer: C
Explanation
The correct answer is C because classifying the data is essential to understanding its sensitivity and the safeguards it requires. Options A and B, while important, are secondary considerations that come into play once the data's classification is understood. Option D is also important, but it follows only after the data has been classified correctly.