Certified in Risk and Information Systems Control (CRISC) — Question 1158

An organization’s Internet-facing server was successfully attacked because the server did not have the latest security patches. The risk associated with poor patch management had been documented in the risk register and accepted. Who should be accountable for any related losses to the organization?

Answer options

Correct answer: D

Explanation

The risk owner is accountable for the risks they accept, including the risk arising from poor patch management. The IT risk manager and risk practitioner may provide oversight and support, but ultimate accountability lies with the risk owner who accepted the risk. The server administrator is responsible for maintaining the server, not for accepting the risk.