Certified Information Security Manager (CISM) — Question 520

Who should determine data access requirements for an application hosted at an organization's data center?

Answer options

• A. Information security manager
• B. Business owner
• C. Data custodian
• D. Systems administrator

Correct answer: B

Explanation

The business owner is best positioned to determine data access requirements because they understand the application's purpose and the necessary data for its functioning. While the information security manager and data custodian play crucial roles in protecting data, they typically implement the access policies rather than define them. The systems administrator manages the technical aspects but does not set the access criteria.