PrepAway - Latest Free Exam Questions & Answers


Who is responsible for providing reports to senior management on the effectiveness of the security controls?


A. Information systems security professionals

B. Data owners

C. Data custodians

D. Information systems auditors

Explanation:
The auditor is responsible for providing reports to senior management on the effectiveness of the security controls.

The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. Auditors ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations. Organizations can have internal auditors and/or external auditors. External auditors commonly work on behalf of a regulatory body to make sure the organization is in compliance.

Incorrect Answers:
A: Information systems security professionals implement security controls. They do not report on their effectiveness.
B: The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner does not report on the effectiveness of security controls.
C: The data custodian (information custodian) is responsible for maintaining and protecting the data. The data custodian does not report on the effectiveness of security controls.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 122-125

