CGEIT Certified in the Governance of Enterprise IT – Question 228

A business unit within an enterprise has directly contracted with a cloud service provider to process sensitive customer information. The CIO later identifies a serious risk of potential data compromise due to the vendor’s insufficient segregation of environments and lack of strong access controls. The FIRST course of action should be to:

A. immediately suspend sending of data to the cloud service provider.
B. notify internal audit of the risk.
C. discuss the risk with the vendor to determine mitigation actions.
D. inform the business process owner of the risk.

Correct Answer: B