Certified Information Security Manager (CISM) — Question 1019

Of the following, who should own the risk associated with unauthorized access to application data?

Answer options

• A. Data custodian
• B. Application developer
• C. Application owner
• D. Access administrator

Correct answer: C

Explanation

The application owner is ultimately responsible for the data and its security, making them accountable for risks associated with unauthorized access. The data custodian manages the data, but they do not own the risk; the application developer creates the application, and the access administrator manages user permissions, but neither has ownership of the risk.