CISSP-ISSEP · Question #208
What are the responsibilities of a system owner? Each correct answer represents a complete solution. Choose all that apply.
The correct answer is A. Integrates security considerations into application and system purchasing decisions and C. Ensures that adequate security is being provided by the necessary controls, password D. Ensures that the systems are properly assessed for vulnerabilities and must report any to the. Options A, C, and D correctly describe system owner responsibilities because system owners are accountable for the security posture of their specific systems throughout the lifecycle - from purchasing decisions (A), to overseeing the operational adequacy of controls including acc
Question
What are the responsibilities of a system owner? Each correct answer represents a complete solution. Choose all that apply.
Options
- AIntegrates security considerations into application and system purchasing decisions and
- BEnsures that the necessary security controls are in place.
- CEnsures that adequate security is being provided by the necessary controls, password
- DEnsures that the systems are properly assessed for vulnerabilities and must report any to the
How the community answered
(35 responses)- A69% (24)
- B31% (11)
Explanation
Options A, C, and D correctly describe system owner responsibilities because system owners are accountable for the security posture of their specific systems throughout the lifecycle - from purchasing decisions (A), to overseeing the operational adequacy of controls including access mechanisms like passwords (C), to ensuring vulnerability assessments are conducted and findings are escalated (D).
Option B is the distractor. "Ensuring the necessary security controls are in place" is typically the responsibility of the data owner or the Information System Security Officer (ISSO) - roles focused on defining and mandating what controls must exist, rather than overseeing how a specific system operates under those controls. The system owner works within an established control framework, not as the authority that defines it.
Memory tip: Think of the system owner as the "caretaker" of a specific system - they integrate security when buying it, monitor that existing protections are adequate, and report weaknesses found. If a responsibility sounds like it belongs to a security policy setter (determining what controls are required), that's the data owner or security officer, not the system owner.
Topics
Community Discussion
No community discussion yet for this question.