Certified in Risk and Information Systems Control (CRISC) — Question 444
A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
Answer options
- A. Enable data encryption in the test environment.
- B. Enforce multi-factor authentication within the test environment.
- C. Prevent the use of production data in the test environment.
- D. De-identify data before being transferred to the test environment.
Correct answer: D
Explanation
The best approach is to de-identify data before transferring it to the test environment, as this protects personal information while still allowing the necessary testing. Enabling data encryption and enforcing multi-factor authentication do not address the underlying issue, which is that personal information is being used in non-production environments, and preventing the use of production data entirely may hinder testing.