PrepAway - Latest Free Exam Questions & Answers

where it is stored?

The Widget Company decided to take their company public and, while they were in the process of doing so, had
an external auditor come and look at their company. As part of the external audit, the auditor brought in a technology
expert, who incidentally was a new CISSP. The auditor’s expert asked to see their last risk analysis from the
technology manager. The technology manager did not get back to him for a few days, and then the Chief
Financial Officer gave the auditors a 2-page risk assessment that was signed by both the Chief Financial
Officer and the Technology Manager. While reviewing it, the auditor noticed that only parts of their financial data
were being backed up on site and nowhere else; the Chief Financial Officer accepted the risk of only partial
financial data being backed up with no off-site copies available.
Who owns the risk with regard to the data that is being backed up and where it is stored?


A. Only the Chief Financial Officer

B. Only the most Senior Management such as the Chief Executive Officer

C. Both the Chief Financial Officer and Technology Manager

D. Only the Technology Manager

Explanation:
The chief financial officer (CFO) is a member of the board. The board members are responsible for setting the
organization’s strategy and risk appetite (how much risk the company should take on).
In this question, the Chief Financial Officer accepted the risk of only partial financial data being backed up with
no off-site copies available. The Chief Financial Officer therefore owns the risk.
Incorrect Answers:
B: The most Senior Management such as the Chief Executive Officer does not own the risk. The Chief
Financial Officer is responsible for company finances and accepted the risk. This means that the CFO owns the
risk, not the CEO.
C: The Technology Manager signed the risk assessment but he did not accept the risk.
D: The Technology Manager signed the risk assessment but he did not accept the risk.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 98

