Certified in Risk and Information Systems Control (CRISC) — Question 368

Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

Answer options

• A. Regulators
• B. Legal team
• C. Vendors
• D. Board of directors

Correct answer: B

Explanation

The legal team is crucial in ensuring compliance and managing legal risks, which aligns with the second line of defense in the model. Regulators and vendors play different roles that do not directly relate to internal risk management, while the board of directors is more concerned with oversight rather than being part of the defense structure.