Certified in Risk and Information Systems Control (CRISC) — Question 342
An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?
Answer options
- A. Chief risk officer (CRO)
- B. IT controls manager
- C. Chief information security officer (CISO)
- D. Business process owner
Correct answer: D
Explanation
The business process owner is accountable for the processes that involve customer data, making them the most appropriate person to manage risks related to data leakage. The chief risk officer, IT controls manager, and chief information security officer play important roles, but they focus on broader risk management, IT controls, and security policies rather than specific business processes.