Certified in Risk and Information Systems Control (CRISC) — Question 1148

Who is ULTIMATELY accountable for the confidentiality of data in the event of a data breach within a Software as a Service (SaaS) environment?

Answer options

• A. Vendor’s application owner
• B. Vendor’s information security officer
• C. Customer’s data owner
• D. Customer’s data privacy officer

Correct answer: C

Explanation

The customer’s data owner is ultimately accountable for data confidentiality, as they are responsible for managing the data they possess, even in a SaaS environment. While the vendor's roles such as the application owner and information security officer play important parts in security, the responsibility lies with the customer who owns the data. The customer’s data privacy officer is also involved but does not hold the final accountability for the data itself.