An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?

A. Chief risk officer
B. IT controls manager
C. Chief information security officer
D. Business process owner