Certified Information Security Manager (CISM) — Question 864
Of the following, who is MOST appropriate to own the risk associated with the failure of a privileged access control?
Answer options
- A. Data owner
- B. Information security manager
- C. Business owner
- D. Compliance manager
Correct answer: C
Explanation
The business owner is ultimately responsible for overall risk management within their domain, including privileged access controls. While the data owner, information security manager, and compliance manager have roles in managing security, they do not have final authority over, or ownership of, the risks associated with business operations.