Certified in the Governance of Enterprise IT (CGEIT) — Question 317
A health tech enterprise wants to ensure that its in-house developed mobile app for users complies with data privacy regulations. Which of the following should be identified FIRST when creating an inventory of information systems and data related to the mobile app?
Answer options
- A. Vendors and outsourced systems
- B. Data maintained by vendors
- C. Information classification scheme
- D. Application and data owners
Correct answer: D
Explanation
Identifying application and data owners is crucial because they are responsible for the data and its compliance with privacy regulations. Without knowing who owns the application and its data, it is difficult to enforce compliance measures. The other options, while important, come after ownership is established, because they depend on clarity about who is accountable.