Effective Control to Mitigate Customer Data Leakage Risk

A.

The most effective control to mitigate the risk of customer data leakage when granting a vendor access to data for analyzing customer behavior is to restrict access to customer data on a need to know basis.

Explanation:

A. Restrict access to customer data on a need to know basis: This control ensures that only authorized individuals within the vendor organization have access to customer data based on their job responsibilities and need to know. By limiting access to only those who require it, the risk of customer data leakage is significantly reduced.

B. Enforce criminal background checks: While conducting criminal background checks on vendor personnel may be necessary, it does not directly address the risk of customer data leakage. Background checks may identify potential issues with the vendor's staff, but it is not a foolproof control against data leakage.

C. Mask customer data fields: Masking customer data fields is a good practice, but it may not be sufficient to prevent data leakage. If an authorized individual has access to the masked data and can unmask it, they may still be able to view sensitive information.

D. Require vendor to sign a confidentiality agreement: Requiring a confidentiality agreement is a good practice, but it is not enough to prevent data leakage. While the agreement may help ensure that the vendor understands their responsibility to protect the data, it does not necessarily prevent them from mishandling or intentionally leaking the data.

Therefore, restricting access to customer data on a need to know basis is the most effective control to mitigate the risk of customer data leakage. This control ensures that only authorized individuals within the vendor organization have access to customer data based on their job responsibilities and need to know.