(ISC)2
CGRC Question #366: Real Exam Question with Answer & Explanation
The correct answer is A: Information System Owner (ISO). This question identifies the individual accountable for the overall lifecycle of security controls within an information system.
Security and Privacy Governance, Risk Management, and Compliance Program
Question
Who is the organizational official responsible for the development, implementation, assessment, and monitoring of security controls in an information system?
Options
- A. Information System Owner (ISO)
- B. Information System Security Engineer (ISSE)
- C. Information System Security Officer (ISSO)
- D. Common Control Provider (CCP)
Explanation
This question identifies the individual accountable for the overall lifecycle of security controls within an information system.
Common mistakes:
- B. An Information System Security Engineer (ISSE) focuses on engineering and technical aspects of security implementation, not the overarching ownership and accountability.
- C. An Information System Security Officer (ISSO) helps maintain the security posture of an information system but typically reports to or supports the ISO, who holds the ultimate responsibility.
- D. A Common Control Provider (CCP) is responsible for controls that are inherited by multiple systems, not specifically for the controls within a single, distinct information system.
Concept tested: NIST RMF Information System Owner responsibilities
Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
Topics
Organizational Roles, System Owner, Security Controls, NIST RMF