An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?

A. Data destruction requirements
B. Cloud storage architecture
C. Data retention requirements
D. Key management