Certified in Risk and Information Systems Control (CRISC) — Question 20
An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?
Answer options
- A. Restrict access to customer data on a "need to know" basis
- B. Enforce criminal background checks
- C. Mask customer data fields
- D. Require vendor to sign a confidentiality agreement
Correct answer: A
Explanation
Limiting access to customer data strictly on a "need to know" basis (Option A) is the most effective control because it ensures that only authorized personnel with a valid business reason can access sensitive information, thereby minimizing the risk of data leakage. Enforcing background checks (Option B) and requiring confidentiality agreements (Option D) are important, but they do not directly restrict data access. Masking customer data fields (Option C) is useful but does not provide the same level of control as restricting access based on necessity.