Certified in Risk and Information Systems Control (CRISC) — Question 1425
An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?
Answer options
- A. Data destruction requirements
- B. Cloud storage architecture
- C. Data retention requirements
- D. Key management
Correct answer: D
Explanation
Key management is crucial because it ensures that encryption keys are stored, handled, and disposed of securely. If keys are compromised or poorly managed, the encryption becomes ineffective, allowing unauthorized access. The other options, while important, do not directly affect how effective the encryption itself is, and therefore how much risk remains after it is applied.