Certified in Risk and Information Systems Control (CRISC) — Question 726

An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST?

Answer options

• A. The risk owner who also owns the business service enabled by this infrastructure
• B. The site manager who is required to provide annual risk assessments under the contract
• C. The data center manager who is also employed under the managed hosting services contract
• D. The chief information officer (CIO) who is responsible for the hosted services

Correct answer: A

Explanation

The risk owner is the individual who has the most direct responsibility for the business service affected by the infrastructure, making it crucial for them to be notified first. The site manager and data center manager have roles related to operations and assessments, but they do not own the risk associated with the service. The CIO, while responsible for hosted services, may not be the immediate point of contact regarding specific risks.