CISSP-ISSEP · Question #190
Which of the following individuals is an upper-level manager who has the power and capability to evaluate the mission, business case, and budgetary needs of the system while also considering the secur
The correct answer is D. DAA. D (DAA - Designated Approving Authority) is correct because the DAA is a senior executive-level official formally empowered to authorize (or deny) a system's operation by weighing mission requirements, business justification, budget constraints, and residual security risk togethe
Question
Which of the following individuals is an upper-level manager who has the power and capability to evaluate the mission, business case, and budgetary needs of the system while also considering the security risks?
Options
- AUser Representative
- BProgram Manager
- CCertifier
- DDAA
How the community answered
(30 responses)- B7% (2)
- C3% (1)
- D90% (27)
Explanation
D (DAA - Designated Approving Authority) is correct because the DAA is a senior executive-level official formally empowered to authorize (or deny) a system's operation by weighing mission requirements, business justification, budget constraints, and residual security risk together - no other role combines all four of those responsibilities.
- A (User Representative) is wrong because they advocate for end-user needs and requirements but lack the executive authority over budget or risk acceptance.
- B (Program Manager) is wrong because they oversee project execution and resources but do not hold the formal security authorization decision-making power.
- C (Certifier) is wrong because they technically evaluate and validate security controls, then recommend a decision - but the DAA is the one who actually makes it.
Memory tip: Think "DAA = Decision, Authority, Accountability" - the DAA is the one person who can say "yes, this system is approved to operate despite its risks," and who owns that decision organizationally.
Topics
Community Discussion
No community discussion yet for this question.