
CGRC Question #22: Real Exam Question with Answer & Explanation

The correct answer is A: Authorization (to operate). Authorization (to operate) is the official management decision by a senior organizational official to permit an information system's operation and accept its associated risks. This decision is based on the system's implemented security controls.

Security and Privacy Governance, Risk Management, and Compliance Program

Question

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

Options

  • A. Authorization (to operate)
  • B. Systems operated
  • C. Security Authorization
  • D. Senior Organizational

Common mistakes.

  • B. Systems operated is a generic term that does not represent a specific formal decision or process in risk management.
  • C. Security Authorization is a broader term that encompasses the entire process leading to an authorization decision, but Authorization (to operate) is the specific decision itself.
  • D. Senior Organizational describes a position or a type of official, not the decision being made.

Concept tested. Risk Management Framework - Authorization to Operate (ATO)

Reference. https://csrc.nist.gov/glossary/term/authorization_to_operate

Topics: Authorization to Operate (ATO), Risk Acceptance, Management Decision, Information System Security
