CISSP Question #867: Real Exam Question with Answer & Explanation

Question

Which of the following entities is ultimately accountable for data remanence vulnerabilities with data replicated by a cloud service provider?

Options

• AData owner
• BData steward
• CData custodian
• DData processor

Explanation

Data Remanence Accountability in Cloud Environments

The data owner (A) bears ultimate accountability for data remanence vulnerabilities because they are the business entity or individual who holds legal responsibility and authority over the data - including how it is stored, replicated, and ultimately destroyed. Even when a cloud service provider replicates data across multiple locations, the data owner cannot delegate away their fundamental accountability for ensuring proper data disposal policies are in place and enforced.

Why the distractors are wrong:

• Data steward (B) manages data quality and governance on behalf of the organization but operates in an advisory or operational role without ultimate accountability.
• Data custodian (C) handles the technical storage and maintenance of data (often the IT department or cloud provider itself), but custodians are responsible, not ultimately accountable - a critical distinction.
• Data processor (D) is a GDPR/legal term referring to entities that process data on behalf of the owner; they have compliance obligations but the owner retains ultimate accountability.

Memory Tip: Think of the RACI model - the data owner is always Accountable (the "A"), while custodians and processors are merely Responsible (the "R"). Accountability cannot be outsourced, only responsibility can.

No community discussion yet for this question.