Certified Information Security Manager (CISM) — Question 488
When defining and communicating roles and responsibilities between an organization and cloud service provider, which of the following situations would present the GREATEST risk to the organization's ability to ensure information risk is managed appropriately?
Answer options
- A. The service agreement uses a custom-developed RACI instead of an industry standard RACI to document responsibilities
- B. The organization believes the provider accepted responsibility for issues affecting security that the provider did not accept
- C. The organization and provider identified multiple information security responsibilities that neither party was planning to provide
- D. The service agreement results in unnecessary duplication of effort because shared responsibilities have not been clearly defined
Correct answer: B
Explanation
Option B is correct because a misunderstanding about which party has accepted a security responsibility leaves a gap that neither party is managing, while the organization believes it is covered; this unrecognized gap is the greatest risk to managing information risk appropriately. Options A and D may lead to inefficiencies, but they do not directly jeopardize security responsibilities. Option C indicates a lack of planning, but because the unassigned responsibilities have been identified they can still be allocated, so it does not create the false sense of security seen in option B.