Certified in Risk and Information Systems Control (CRISC) — Question 1168

An online retailer has decided to store its customer database with a cloud provider in an Infrastructure as a Service (IaaS) configuration. During an initial review of preliminary risk scenarios, a risk practitioner identifies instances where sensitive customer information is stored unencrypted. Who is accountable for ensuring this encryption?

Answer options

• A. The data owner
• B. The chief information officer (CIO)
• C. The retailer’s IT department
• D. The cloud provider

Correct answer: A

Explanation

The data owner is responsible for protecting sensitive information, including ensuring its encryption. While the CIO and IT department play crucial roles in data management and security policies, the ultimate accountability for the data itself rests with the data owner. The cloud provider is responsible for the infrastructure but not for the specific management of data encryption by the data owner.