Certified Information Security Manager (CISM) — Question 846

An organization is in the process of creating an agreement with a cloud provider. Who should determine the third party's destruction schedule for the organization's information?

Answer options

• A. The organization's information security manager
• B. The cloud provider's information security manager
• C. The organization's data owner
• D. The cloud provider's data custodian

Correct answer: C

Explanation

The organization's data owner is the correct answer because they have the authority and responsibility for managing the data, including its lifecycle and destruction. The information security managers and data custodians may provide input or support, but ultimately the data owner must make decisions regarding their own data.