Certified in Risk and Information Systems Control (CRISC) — Question 1364

An organization's board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios. Which of the following is the BEST course of action?

Answer options

• A. Reassess the risk appetite and tolerance levels of the business.
• B. Review the organization's data retention policy and regulatory requirements.
• C. Evaluate the organization's existing data protection controls.
• D. Evaluate the sensitivity of data that the business needs to handle.

Correct answer: C

Explanation

The best course of action is to evaluate the organization's existing data protection controls, as this will directly identify weaknesses that could be exploited in a breach. While reassessing risk appetite and reviewing policies are important, they do not directly address current protective measures. Evaluating data sensitivity is also useful, but it does not assess the effectiveness of existing controls.