CSSLP Question #153: Real Exam Question with Answer & Explanation
The correct answer is B: Designated Approving Authority (DAA). The Designated Approving Authority (DAA) is the individual within an organization who holds the ultimate responsibility for accepting or rejecting the residual risk associated with a system's operation.
Question
Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system?
Options
- A. Information Systems Security Officer (ISSO)
- B. Designated Approving Authority (DAA)
- C. System Owner
- D. Chief Information Security Officer (CISO)
Explanation
The Designated Approving Authority (DAA) is the senior official who holds ultimate responsibility for accepting or rejecting the residual risk of operating a system. DAA is the legacy DoD term; NIST SP 800-37 Rev. 2 (the Risk Management Framework) calls the same role the Authorizing Official (AO). The AO exercises this responsibility through the authorization decision: after reviewing the security assessment results and the plan of action and milestones, the AO either grants an authorization to operate (accepting the residual risk on behalf of the organization) or denies it. Other roles assess, advise, or implement, but accountability for the risk decision rests with the DAA/AO.
Common mistakes.
- A. The Information Systems Security Officer (ISSO) is responsible for the overall security of an information system but typically advises the DAA/AO, rather than accepting the residual risk themselves.
- C. The System Owner is responsible for the development, deployment, and maintenance of the system, including ensuring security requirements are met, but the final risk acceptance rests with the DAA/AO.
- D. The Chief Information Security Officer (CISO), called the Senior Agency Information Security Officer in NIST SP 800-37, runs the organization-wide information security program and provides guidance, but does not accept residual risk for individual systems unless the organization has also designated the CISO as the DAA/AO for that system, which is not the role's primary function.
Concept tested. Risk acceptance authority (DAA/AO)
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf