Certified in the Governance of Enterprise IT (CGEIT) — Question 160

An IT security team identified a significant weakness in the enterprise's Internet-facing infrastructure. The exposure requires immediate corrective action that is both cost and resource intensive. Which of the following is the MAIN reason why accountability for this risk should be assigned to the board of directors?

Answer options

• A. The exploit can cause serious disruptions to the enterprise's reputation and profitability.
• B. The board should be aware of risks concerning organizational operations.
• C. Risk ownership at the highest level will ensure risk awareness throughout the enterprise.
• D. The IT organization cannot take ownership for self-identified risks concerning infrastructure security.

Correct answer: C

Explanation

Assigning risk ownership to the board of directors ensures that there is a high-level commitment to understanding and addressing risks, fostering a culture of awareness across the organization. While the other options highlight important aspects of risk management, they do not emphasize the significance of having accountability at the highest level to effectively manage and mitigate risks throughout the enterprise.