Certified Information Security Manager (CISM) — Question 1165
An organization's main product is a customer-facing application delivered using Software as a Service (SaaS). The lead security engineer has just identified a major security vulnerability at the primary cloud provider. Within the organization, who is PRIMARILY accountable for the associated risk?
Answer options
- A. The data owner
- B. The information security manager
- C. The security engineer
- D. The application owner
Correct answer: D
Explanation
The application owner is primarily accountable for the risk because they are responsible for the application's overall security and compliance. While the other roles play important parts in security management, the application owner directly oversees the application and its associated risks, especially in the context of vulnerabilities found at the cloud provider.