Exam CISM topic 1 question 762 discussion

D. The application owner. The application owner is responsible for overseeing the development, maintenance, and security of the customer-facing application. As the primary owner of the application, they have a direct stake in ensuring its security and mitigating any risks associated with it. The application owner is accountable for identifying and addressing vulnerabilities in the application, including those arising from the cloud provider's infrastructure or services. They must work closely with the security engineer and the information security manager to assess and manage the risk effectively. The application owner has the authority and responsibility to make decisions and take action to address the security vulnerability and protect the organization's customers and their data.

The information security manager is primarily accountable for the associated risk in this scenario. The information security manager is responsible for overseeing the overall security posture of the organization, including identifying and mitigating risks to the organization's information and systems. In this case, the security vulnerability at the primary cloud provider poses a significant risk to the organization's customer-facing application and the information security manager would be responsible for managing and mitigating that risk.

It's the application owner - he is accountable for the security of the application. Its not the information security manager or the security engineer, as the role of security within the organization is of supporting / consulting nature. Its also not the data owner. Data within the customer facing application may include personal identifiable information from the customers. Hence, customers are the data owners and needless to say that they are not in charge of fixing the security issue.

B - Reason being the Primary accountability for security risks related to the CLOUD PROVIDER may not fall squarely on Application Owner's shoulders. But if the question is vulnerability to the application, the ultimate accountability should be under the Application Owner.

why ISM take responsibility for a non-security product...

The application is SaaS which is provided and own by provider not person within the organization. In fact, the answer should be the "business process/operation owner", but the term was not there. The best answer is A. The data owner.

A. Data Owner

The application owner.

The question has keywords of "Within the organization" and "SaaS". Not sure if there will be an application owner in this scenario inside the organization. It would be the data owner.

Board of Directors/CEO are always the accountable party no matter what. Since board of Directors or CEO is not an option for an answer the second-best answer is the information security manager. If the company was sued do to a security incident it would land on the board of directors, but you better bet that the ISM would be fired because it is his priority to relay security posture to the BOD.

D. The application owner

sec manager is accountable for the risk of course the app owner doesnt understand security to be accountable for it, he is just accountable for the app itslef so the manager will have to inform him

The information security manager is primarily responsible for overseeing the organization's overall security posture, which includes assessing and managing risks related to third-party services, such as the SaaS application delivered by the primary cloud provider. The application owner is responsible for the security and performance of the specific application in question. They should collaborate with the information security manager to address and mitigate risks related to the application's deployment in the cloud.

The CISM Review Manual 15th Edition says: "Data owners, also known as information owners or business owners, are management personnel who are formally recognized to own specific business processes and the information used and created by those processes... Owners have management and oversight responsibilities to ensure appropriate controls are employed." (p. 22).

Can anybody explain why application owner and not Data Owner ?

D. The application owner

he application owner is responsible for the overall management and performance of the customer-facing application. They have the primary accountability for ensuring the security, availability, and functionality of the application. Therefore, when a major security vulnerability is identified at the primary cloud provider, it directly impacts the application and its operations. The application owner would be responsible for assessing the risk, coordinating with the security engineer, and taking appropriate actions to address and mitigate the vulnerability.