ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
After completing the security assessment and documenting all residual risks, your team is ready to move a new payment-processing application into production. To obtain formal approval to operate, which management role must sign the authorization decision that accepts responsibility for the system's risk?
The Security Control Assessor (SCA)
The Information System Security Officer (ISSO)
The system owner
The Authorizing Official (Designated Approving Authority)
Within the Risk Management Framework, formal permission to place a system into production is granted through an Authorization to Operate (ATO). The individual who provides that authorization is the Authorizing Official (also called the Designated Approving Authority). This senior management representative has the requisite authority to allocate resources and accept or reject the residual risks documented in the security assessment report and Plan of Action and Milestones (POA&M). The system owner supplies input but does not grant the final approval; the Information System Security Officer administers day-to-day security but lacks the executive authority to accept enterprise risk; and the Security Control Assessor merely provides an independent evaluation of controls. Only the Authorizing Official's signature constitutes the formal sign-off required to operate the system in the production environment.