Certified Information Security Manager (CISM) — Question 604

Which of the following parties should be responsible for determining access levels to an application that processes client information?

Answer options

Correct answer: D

Explanation

The correct answer is D, because business unit management typically understands the specific needs and roles within its unit and can therefore make informed decisions about access levels. The identity and access management team (A), information security team (C), and business client (B) may provide input or guidelines, but they do not have the direct authority to set these access levels.