CISSP-ISSEP · Question #195
An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing Official? Each correct answer represents a complete solution. Choose all that apply.
The correct answer is A. Ascertaining the security posture of the organization's information system B. Reviewing security status reports and critical security documents C. Determining the requirement of reauthorization and reauthorizing information systems when. Authorizing Official (AO) Responsibilities An Authorizing Official is a senior executive accountable for formally accepting the risk of operating an information system. Options A, B, and C are correct because they directly reflect the AO's core mandate under frameworks like the N
Question
An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing Official? Each correct answer represents a complete solution. Choose all that apply.
Options
- AAscertaining the security posture of the organization's information system
- BReviewing security status reports and critical security documents
- CDetermining the requirement of reauthorization and reauthorizing information systems when
- DEstablishing and implementing the organization's continuous monitoring program
How the community answered
(28 responses)- A89% (25)
- D11% (3)
Explanation
Authorizing Official (AO) Responsibilities
An Authorizing Official is a senior executive accountable for formally accepting the risk of operating an information system. Options A, B, and C are correct because they directly reflect the AO's core mandate under frameworks like the NIST Risk Management Framework: the AO must understand the system's security posture (A) to make informed risk decisions, review authorization packages and status reports (B) such as security plans and POA&Ms as inputs to those decisions, and trigger and execute reauthorization (C) when significant changes or time thresholds warrant a fresh risk acceptance.
Option D is incorrect because establishing and implementing the continuous monitoring program is the responsibility of security operations personnel (typically the ISSO or system owner), not the AO. The AO consumes the outputs of continuous monitoring to make ongoing authorization decisions - they don't build or run the program itself. Confusing "approving based on results" with "owning the program" is the trap here.
Memory tip: Think of the AO as a senior executive signing off on a risk - they read reports, assess posture, and say yes/no to authorization. They don't roll up their sleeves to build security programs. If an answer describes hands-on implementation or program setup, it belongs to someone else (ISSO, system owner), not the AO.
Topics
Community Discussion
No community discussion yet for this question.