Certified in Risk and Information Systems Control (CRISC) — Question 306
While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BEST reduce the risk associated with such a data breach?
Answer options
- A. Engaging a third party to validate operational controls
- B. Using the same cloud vendor as a competitor
- C. Using field-level encryption with a vendor-supplied key
- D. Ensuring the vendor does not know the encryption key
Correct answer: A
Explanation
Option A is the best choice because engaging a third party to validate operational controls can help ensure that the vendor has adequate security measures in place, thereby reducing risk. The other options do not effectively address the underlying issue of liability and risk management: B is irrelevant, C potentially exposes data through the vendor's key, and D does not guarantee overall data security.