Secure Software Lifecycle Professional – CSSLP – Question148
Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system? A. Information Systems Security Officer (ISSO) B. Designated Approving Authority (DAA) C. System Owner D. Chief Information Security Officer (CISO)
Correct Answer: B
Explanation:
Explanation: The authorizing official is the senior manager responsible for approving the working of the information system. He is responsible for the risks of operating the information system within a known environment through the security accreditation phase. In many organizations, the authorizing official is also referred as approving/accrediting authority (DAA) or the Principal Approving Authority (PAA). Answer: C is incorrect. The system owner has the responsibility of informing the key officials within the organization of the requirements for a security C&A of the information system. He makes the resources available, and provides the relevant documents to support the process. Answer: A is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information System Security Officer (ISSO) are as follows: Manages the security of the information system that is slated for Certification & Accreditation (C&A). Insures the information systems configuration with the agency’s information security policy. Supports the information system owner/information owner for the completion of security-related responsibilities. Takes part in the formal configuration management process. Prepares Certification & Accreditation (C&A) packages. Answer: D is incorrect. The CISO has the responsibility of carrying out the CIO’s FISMA responsibilities. He manages the information security program functions.
Please disable your adblocker or whitelist this site!