Accepting or Rejecting Residual Risk in an Organization's System | CSSLP Exam

Residual Risk Acceptance in an Organization

Question

Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system?

Answers

Explanations


The Designated Approving Authority is also referred to as the Designated Accrediting Authority (DAA) or the Principal Approving Authority (PAA).

Answer: C is incorrect.

The system owner has the responsibility for the overall management and operation of the system, not for accepting its residual risk.

The authorizing official is the senior manager responsible for approving the operation of the information system.

The authorizing official accepts responsibility for the risks of operating the information system in a known environment through the security accreditation phase.

In many organizations, the authorizing official also informs key officials within the organization of the requirements for security certification and accreditation (C&A) of the information system.

The authorizing official also makes the resources needed for the C&A effort available.

The responsibilities of an Information System Security Officer (ISSO) are as follows:

Manages the security of the information system that is slated for Certification & Accreditation (C&A).

Ensures that the information system's configuration complies with the agency's information security policy.

Supports the information system owner and information owner in completing their security-related responsibilities.

Takes part in the formal configuration management process.

Prepares Certification & Accreditation (C&A) documentation and supports information security program functions.

The Designated Approving Authority (DAA) is responsible for rejecting or accepting the residual risk for a system.

The DAA is a senior executive or organization official who is authorized to assume responsibility for operating a system at an acceptable level of risk, and has the authority to formally accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals, based on the implementation of an agreed-upon set of security controls.

The DAA is responsible for reviewing and evaluating the security controls implemented within the system and determining whether or not the residual risk is acceptable to the organization. Residual risk is the risk that remains after the selected security controls have been implemented; it is this remaining risk that the DAA must explicitly accept or reject as part of the organization's risk management strategy, since no set of controls reduces risk to zero.

The Information System Security Officer (ISSO) is responsible for ensuring that the appropriate security controls are implemented within the system and for providing guidance and assistance to the DAA in evaluating the effectiveness of those controls. The System Owner is responsible for the overall management and operation of the system, and the Chief Information Security Officer (CISO) is responsible for overseeing the organization's information security program. None of these roles holds the authority to accept residual risk on the organization's behalf.

In summary, while the ISSO, System Owner, and CISO all play important roles in the security of a system, it is the Designated Approving Authority (DAA) who ultimately has the responsibility for accepting or rejecting the residual risk for the system.