nerdexam
(ISC)2

CISSP-ISSEP · Question #163

Which of the following individuals are part of the senior management and are responsible for authorization of individual systems, approving enterprise solutions, establishing security policies, provid

The correct answer is A. Chief Information Officer B. AO Designated Representative C. Senior Information Security Officer E. Authorizing Official. Senior management roles in the NIST Risk Management Framework (RMF) include the Chief Information Officer (A), who oversees enterprise IT strategy, approves enterprise solutions, and funds security initiatives; the Authorizing Official (E), who formally accepts risk and authorize

Governance and Training

Question

Which of the following individuals are part of the senior management and are responsible for authorization of individual systems, approving enterprise solutions, establishing security policies, providing funds, and maintaining an understanding of risks at all levels? Each correct answer represents a complete solution. Choose all that apply.

Options

  • AChief Information Officer
  • BAO Designated Representative
  • CSenior Information Security Officer
  • DUser Representative
  • EAuthorizing Official

How the community answered

(13 responses)
  • A
    92% (12)
  • D
    8% (1)

Explanation

Senior management roles in the NIST Risk Management Framework (RMF) include the Chief Information Officer (A), who oversees enterprise IT strategy, approves enterprise solutions, and funds security initiatives; the Authorizing Official (E), who formally accepts risk and authorizes systems to operate; the AO Designated Representative (B), who acts on the AO's behalf and shares those authorization responsibilities; and the Senior Information Security Officer (C), who establishes security policies and advises leadership on risk across the organization. Together, these four roles form the senior management tier responsible for governance, funding, and risk acceptance decisions. The User Representative (D) is the distractor - while they advocate for end-user needs during system development, they are an operational-level stakeholder with no authority over authorization, policy, or funding decisions.

Memory tip: Think of the four correct answers as the people who sign, fund, and set the rules - if a role is about using the system rather than authorizing or governing it, it's not senior management in this context. The User Representative's name gives it away: they represent users, not the organization's executive risk posture.

Topics

#Senior Management Roles#Authorization#Security Governance#Risk Management

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice