Certified in Risk and Information Systems Control (CRISC) — Question 798
A new regulatory requirement imposes severe fines for data leakage involving customers' personally identifiable information (PII). The risk practitioner has recommended avoiding the risk. Which of the following actions would BEST align with this recommendation?
Answer options
- A. Implement strong encryption for PII.
- B. Modify business processes to stop collecting PII.
- C. Move PII to a highly secured outsourced site.
- D. Reduce retention periods for PII data.
Correct answer: B
Explanation
The correct answer is B: modifying business processes to stop collecting PII directly eliminates the risk of data leakage. Option A improves security but does not remove the risk itself; option C merely relocates the data without addressing collection; and option D reduces exposure time, but PII is still collected, so the risk is not eliminated.