CISSP Question #555: Real Exam Question with Answer & Explanation
The correct answer is A: The acquiring organization.
Question
Which of the following is held accountable for the risk to organizational systems and data that result from outsourcing Information Technology (IT) systems and services?
Options
- A. The acquiring organization
- B. The service provider
- C. The risk executive (function)
- D. The IT manager
Explanation
When an organization outsources IT systems or services, the acquiring (client) organization retains ultimate accountability for the risks to its own systems and data, even though a third-party provider performs the work.
Common mistakes.
- B. The service provider bears contractual and operational responsibility for delivering secure services, but legal and mission accountability for the risk to organizational assets remains with the acquiring organization, not the vendor.
- C. The risk executive (function) is an organizational role that coordinates risk management activities and ensures consistent risk decisions, but it does not bear ultimate accountability for risks introduced by outsourcing - the organization as a whole does.
- D. The IT manager oversees day-to-day technology operations and may manage vendor relationships, but accountability for organizational risk from outsourcing decisions rests at the organizational level, not with an individual IT manager.
Concept tested. Organizational accountability for outsourced IT risk
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf