CRISC IT Risk Identification • Set 8
CRISC IT Risk Identification Practice Test 8 — 15 questions with explanations.
A mid-sized retail company operates 50 stores across three regions. Each store uses a point-of-sale (POS) system that transmits credit card transactions to a centralized payment processor. The company recently deployed a new SaaS-based inventory management application that connects to the POS system via API. The IT department has no formal process for tracking third-party connections. The risk manager suspects that unknown or unauthorized connections may exist.

During a risk identification review, the risk manager discovers that the POS vendor's API documentation was shared with the inventory SaaS provider without a non-disclosure agreement (NDA). Additionally, the API keys for the POS system are stored in plain text configuration files on the inventory SaaS application server. The company's security policy requires encryption of all sensitive data in transit and at rest.

Which of the following should the risk manager prioritize as the HIGHEST risk scenario to document in the risk register?