CRISC Certified in Risk and Information Systems Control – Question 643

An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

A. The organization’s vendor management office
B. The organization’s management
C. The control operators at the third party
D. The third party’s management

Correct Answer: B