CISSP-ISSEP · Question #3
Which of the following processes culminates in an agreement between key players that a system in its current configuration and operation provides adequate protection controls?
The correct answer is A. Certification and accreditation (C&A). Certification and Accreditation (C&A) is correct because it is the formal process where an authoritative official (the Authorizing Official) reviews a system's security posture and grants an official decision - called an Authorization to Operate (ATO) - confirming that the system
Question
Which of the following processes culminates in an agreement between key players that a system in its current configuration and operation provides adequate protection controls?
Options
- ACertification and accreditation (C&A)
- BRisk Management
- CInformation systems security engineering (ISSE)
- DInformation Assurance (IA)
How the community answered
(37 responses)- A89% (33)
- B3% (1)
- C5% (2)
- D3% (1)
Explanation
Certification and Accreditation (C&A) is correct because it is the formal process where an authoritative official (the Authorizing Official) reviews a system's security posture and grants an official decision - called an Authorization to Operate (ATO) - confirming that the system's controls are adequate for operation. The "agreement between key players" is precisely this accreditation decision.
B (Risk Management) is wrong because risk management is an ongoing, continuous process of identifying and mitigating risks - it doesn't culminate in a formal agreement about a specific system's operational approval. C (ISSE) is wrong because it's an engineering discipline focused on building security into systems during development, not evaluating whether a finished system is approved to run. D (Information Assurance) is wrong because IA is a broad umbrella concept encompassing policies and practices to protect information - not a specific process that ends in a system approval decision.
Memory tip: Think of C&A as a "sign-off meeting" - Certification is the technical review (does it meet the controls?), and Accreditation is the executive signature (we agree it's good enough to operate). If the question mentions an agreement, approval, or authorization to operate, the answer is C&A.
Topics
Community Discussion
No community discussion yet for this question.