nerdexam
(ISC)2

CISSP-ISSEP · Question #190

Which of the following individuals is an upper-level manager who has the power and capability to evaluate the mission, business case, and budgetary needs of the system while also considering the secur

The correct answer is D. DAA. D (DAA - Designated Approving Authority) is correct because the DAA is a senior executive-level official formally empowered to authorize (or deny) a system's operation by weighing mission requirements, business justification, budget constraints, and residual security risk togethe

Risk Management

Question

Which of the following individuals is an upper-level manager who has the power and capability to evaluate the mission, business case, and budgetary needs of the system while also considering the security risks?

Options

  • AUser Representative
  • BProgram Manager
  • CCertifier
  • DDAA

How the community answered

(30 responses)
  • B
    7% (2)
  • C
    3% (1)
  • D
    90% (27)

Explanation

D (DAA - Designated Approving Authority) is correct because the DAA is a senior executive-level official formally empowered to authorize (or deny) a system's operation by weighing mission requirements, business justification, budget constraints, and residual security risk together - no other role combines all four of those responsibilities.

  • A (User Representative) is wrong because they advocate for end-user needs and requirements but lack the executive authority over budget or risk acceptance.
  • B (Program Manager) is wrong because they oversee project execution and resources but do not hold the formal security authorization decision-making power.
  • C (Certifier) is wrong because they technically evaluate and validate security controls, then recommend a decision - but the DAA is the one who actually makes it.

Memory tip: Think "DAA = Decision, Authority, Accountability" - the DAA is the one person who can say "yes, this system is approved to operate despite its risks," and who owns that decision organizationally.

Topics

#DAA#Designated Approving Authority#Risk Acceptance#System Authorization

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice