Certified in Risk and Information Systems Control (CRISC) — Question 744
An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?
Answer options
- A. Analyze data protection methods.
- B. Understand data flows.
- C. Include a right-to-audit clause.
- D. Implement strong access controls.
Correct answer: B
Explanation
Understanding data flows is crucial because it lets the organization identify where data is being processed and stored, and so ensure compliance with the new regulation. Analyzing data protection methods, including a right-to-audit clause, and implementing strong access controls are all important, but they should come after understanding how data is currently managed.