CGRC Question #572: Real Exam Question with Answer & Explanation
The correct answer is C: Authorizing official.
Question
When an ATO is issued, which of the following roles authoritatively accepts residual risk on behalf of the organization?
Options
- A. Information Owner
- B. AO or the AO's designated Representative
- C. Authorizing official
- D. CISO
Explanation
The Authorizing Official (AO) is the designated individual responsible for accepting the residual risk of operating an information system after an Authorization to Operate (ATO) is issued. This role is critical for formalizing the security posture of the system within an organization.
Common mistakes.
- A. An Information Owner is responsible for the data within a system but does not have the authority to formally accept residual organizational risk.
- B. While an AO can designate a representative, the fundamental role of accepting authoritative risk ultimately resides with the Authorizing Official themselves.
- D. The CISO (Chief Information Security Officer) is typically responsible for an organization's overall information security program, but the specific authority for accepting residual risk for a system's operation under an ATO belongs to the AO.
Concept tested. Authorizing Official's role in ATO
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf