Certified Information Security Manager (CISM) — Question 950

An organization has implemented a new customer relationship management (CRM) system. Who should be responsible for enforcing authorized and controlled access to the CRM data?

Answer options

• A. The data custodian
• B. The data owner
• C. Internal IT audit
• D. The information security manager

Correct answer: A

Explanation

The data custodian is responsible for the day-to-day management of data and ensuring that access controls are in place, thus making them the right choice. The data owner typically determines who should have access but does not manage the access controls directly. The internal IT audit looks at compliance and controls but does not enforce access. The information security manager oversees security policies but may not directly handle access to specific systems like the CRM.