What is required regarding the assignment of information security management responsibilities?


Multiple Choice

What is required regarding the assignment of information security management responsibilities?

Explanation:
Assigning information security responsibilities to a specific person or team creates clear accountability and a solid governance structure. PCI DSS requires that responsibilities for protecting cardholder data be formally assigned to an individual or team, such as a Chief Security Officer or security program owner, so there is a named owner who oversees security controls, incident response, and vendor management. Relying on external vendors alone doesn't establish internal accountability or a single point of ownership for the organization's security posture. Without a formal assignment, there’s no clear person responsible for ensuring controls are implemented and maintained. Leaving responsibility unassigned or distributed haphazardly across departments leads to gaps, inconsistencies, and weaker security oversight.

