During an audit of the organization’s data privacy policy, the IS auditor identified that only some IT application databases have encryption in place.
What should be the auditor’s FIRST action?
A . Assess the resources required to implement encryption to unencrypted databases.
B . Review the most recent database penetration testing results.
C . Determine whether compensating controls are in place.
D . Review a comprehensive list of databases with the information they contain.
Answer: C