Certified in Risk and Information Systems Control (CRISC) — Question 907
An organization has outsourced its customer management database to an external service provider. Of the following, who should be accountable for ensuring customer data privacy?
Answer options
- A. The organization's business process owner
- B. The organization's information security manager
- C. The organization's vendor management officer
- D. The vendor's risk manager
Correct answer: A
Explanation
The correct answer is A, as the business process owner is ultimately responsible for the processes involving customer data, including privacy concerns. While the information security manager and vendor management officer have roles in data protection and vendor oversight, their accountability does not extend to direct ownership of customer data privacy, which lies with the business process owner.