Certified in Risk and Information Systems Control (CRISC) — Question 467

A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

Answer options

• A. Chief risk officer (CRO)
• B. Business continuity manager (BCM)
• C. Human resources manager (HRM)
• D. Chief information officer (CIO)

Correct answer: D

Explanation

The Chief Information Officer (CIO) is ultimately responsible for the organization's information technology and security policies, including the enforcement of internal control procedures. The other roles, while important, do not directly oversee the implementation of IT security measures or the actions of IT employees in this context.