内部監査レポートによると、すべての IT アプリケーション データベースに暗号化が導入されているわけではないことがわかりました。リスクの影響を評価するために最も重要な情報は次のどれでしょうか。
正解:B
According to the CRISC Review Manual, a list of unencrypted databases which contain sensitive data would be the most important information for assessing the risk impact, because it would help to determine the extent and severity of the potential data breach or loss. The risk impact is the effect or consequence of the risk occurrence on the business objectives and operations. A list of unencrypted databases which contain sensitive data would indicate the scope and magnitude of the risk exposure and the potential damage to the confidentiality, integrity, and availability of the data. The other options are not the most important information for assessing the risk impact, as they are less relevant or less specific than a list of unencrypted databases which contain sensitive data. The number of users who can access sensitive data would indicate the level of access control and the likelihood of unauthorized access, but it would not indicate thetype and value of the data. The reason some databases have not been encrypted would indicate the cause and rationale of the risk, but it would not indicate the effect or consequence of the risk. The cost required to enforce encryption would indicate the feasibility and affordability of the risk response, but it would not indicate the potential loss or harm of the risk. References = CRISC Review Manual, 7th Edition, Chapter 2, Section 2.2.2, page 78.