Certified in Risk and Information Systems Control (CRISC) — Question 232

A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls.
Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?

Answer options

• A. Implement a firewall and isolate the environment from the parent company's network.
• B. Classify and protect the data according to the parent company's internal standards.
• C. Have the data privacy officer review the startup company's data protection policies.
• D. Identify previous data breaches using the startup company's audit reports.

Correct answer: C

Explanation

The correct answer is C because having the data privacy officer review the startup's data protection policies helps ensure compliance and identifies potential gaps in security. Option A is overly restrictive and may hinder the startup's operations. Option B, while important, does not directly address the immediate need for a review of existing policies, and option D focuses on past incidents rather than current protections.