Certified in Risk and Information Systems Control (CRISC) — Question 926

An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention. The business owner challenges whether the situation is worth remediating. Which of the following is the risk manager’s BEST response?

Answer options

• A. Evaluate the risk as a measure of probable loss.
• B. Identify the regulatory bodies that may highlight this gap.
• C. Verify if competitors comply with a similar policy.
• D. Highlight news articles about data breaches.

Correct answer: A

Explanation

The best response from the risk manager is to assess the risk as a measure of probable loss, as this directly addresses the potential consequences of not meeting the retention policy. Identifying regulatory bodies is important but does not focus on the immediate risk. Verifying competitor compliance and highlighting news articles are less relevant to the specific situation at hand.