
CGRC Question #105: Real Exam Question with Answer & Explanation

The correct answer is A: The authorizing official should deny operation of the system until risk is reduced to an acceptable.

Security and Privacy Governance, Risk Management, and Compliance Program

Question

During an annual assessment, numerous high-risk findings are discovered on a critical organizational system. The system's Federal Information Processing Standard (FIPS) 199 rating is "high" integrity, "high" confidentiality, and "low" availability. The organization has a very low risk tolerance. What is the best decision that should be made in this situation?

Options

  • A. The authorizing official should deny operation of the system until risk is reduced to an acceptable
  • B. The information system owner should resolve issues as quickly as possible while keeping the
  • C. The security control assessor should implement immediate compensating controls.
  • D. The chief information security officer should scope and tailor the weak controls to ensure proper

Explanation

Given high-risk findings on a critical system and a very low organizational risk tolerance, the authorizing official should deny system operation until identified risks are reduced to an acceptable level.

Common mistakes.

  • B. While the information system owner is responsible for resolving issues, simply resolving them "as quickly as possible" without an explicit decision from the AO, especially given high risk and low tolerance, is insufficient and doesn't address the immediate authorization status.
  • C. The security control assessor's role is to assess and report, not to implement controls; implementation is the responsibility of system developers or administrators.
  • D. The CISO's role involves overseeing security, but scoping and tailoring controls are typically done during the initial control selection and implementation phases, not as a primary response to numerous high-risk findings after an assessment, especially when the organization has low risk tolerance.

Concept tested. Authorizing Official's risk-based decision making.

Reference. https://csrc.nist.gov/glossary/term/authorizing_official

Topics

Risk Management Framework (RMF), Authorizing Official (AO), Deny Authorization, Organizational Risk Tolerance
