Certified in Risk and Information Systems Control (CRISC) — Question 26

A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which

of the following is the BEST
recommendation to address this situation?

Answer options

• A. Mask data before being transferred to the test environment.
• B. Implement equivalent security in the test environment.
• C. Enable data encryption in the test environment.
• D. Prevent the use of production data for test purposes.

Correct answer: A

Explanation

The best approach is to mask data before it is moved to the test environment, which helps in protecting sensitive information while still allowing testing to occur. Implementing equivalent security or enabling encryption may not fully address the exposure of sensitive data, and preventing the use of production data entirely could hinder testing processes.