Certified Information Security Manager (CISM) — Question 849

Of the following, who is accountable for data loss in the event of an information security incident at a third-party provider?

Answer options

• A. The information security manager
• B. The service provider that hosts the data
• C. The incident response team
• D. The business data owner

Correct answer: D

Explanation

The business data owner is ultimately accountable for the data they possess, even when it is managed by a third-party provider. While the service provider and the incident response team play crucial roles, the responsibility for data loss resides with the business data owner who has authority and oversight over the data.