Certified in Risk and Information Systems Control (CRISC) — Question 804

An organization is planning to move its application infrastructure from on-premise to the cloud. Which of the following is the BEST course of action to address the risk associated with data transfer if the relationship is terminated with the vendor?

Answer options

• A. Work closely with the information security officer to ensure the company has the proper security controls in place.
• B. Collect requirements for the environment to ensure the Infrastructure as a Service (IaaS) is configured appropriately.
• C. Meet with the business leaders to ensure the classification of their transferred data is in place.
• D. Ensure the language in the contract explicitly states who is accountable for each step of the data transfer process.

Correct answer: D

Explanation

The correct answer is D because having explicit language in the contract about accountability ensures that both parties understand their responsibilities during the data transfer. Options A, B, and C focus on security controls, environmental requirements, and data classification, which are important but do not directly address the risk of vendor relationship termination regarding data transfer.