Certified in Risk and Information Systems Control (CRISC) — Question 766

An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider?

Answer options

• A. The service provider
• B. Business process owner
• C. Vendor risk manager
• D. Legal counsel

Correct answer: B

Explanation

The Business process owner is ultimately responsible for the processes and outcomes related to billing, including any risks associated with data leakage. While the service provider has a role in safeguarding data, the accountability lies with the organization that owns the business process. Other options, such as the vendor risk manager and legal counsel, may provide support, but they do not own the risk directly.