Certificate of Cloud Auditing Knowledge (CCAK) — Question 271
A multinational organization that decided to move from a legacy on-premises system for processing payroll to a cloud-based solution is currently experiencing some regulatory issues due to inadequate protection of sensitive personal data. Who should be accountable for the impact in this scenario?
Answer options
- A. Business process owner of the organization
- B. Chief privacy officer (CPO) of the organization
- C. Compliance officer of the cloud service provider
- D. Information security manager of the cloud service provider
Correct answer: A
Explanation
The business process owner of the organization is ultimately accountable for the operational processes, including those involving sensitive data, making them responsible for any repercussions from data protection failures. The chief privacy officer (CPO) is responsible for privacy policies but does not manage daily operations. The compliance officer of the cloud service provider oversees compliance but is not directly responsible for the organization's data handling. Similarly, the information security manager of the cloud service provider manages security but does not have authority over the organization's processes.