Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data
and systems?

A.
User management coordination does not exist.

B.
Specific user accountability cannot be established.

C.
Unauthorized users may have access to originate, modify or delete data.

D.
Audit recommendations may not be implemented.

Explanation:
Without a policy defining who has the responsibility for granting access to specific systems, there is
an increased risk that one could gain (be given) system access when they should not have

authorization. By assigning authority to grant access to specific users, there is a better chance that
business objectives will be properly supported.