Certified in Risk and Information Systems Control (CRISC) — Question 709
An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?
Answer options
- A. The organization's vendor management office
- B. The organization's management
- C. The control operators at the third party
- D. The third party's management
Correct answer: B
Explanation
The correct answer is B, as the organization's management retains ultimate accountability for the risks, even when operations are outsourced. Options A, C, and D refer to other parties involved, but they do not hold the final responsibility for the outcomes associated with the security operations.