An internal audit report reveals that not all IT application databases have encryption in place.
Which of the following information would be MOST important for assessing the risk impact?
A . The reason some databases have not been encrypted.
B . A list of unencrypted databases which contain sensitive data.
C . The cost required to enforce encryption.
D . The number of users who can access sensitive data.
Answer: A