An information system has been authorized to operate. Which of the following is the least concern when monitoring risk at the information system level?
B. Residual risk
C. Emerging changes
D. Ongoing authorization
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Ongoing authorization.
Information systems are protected by system-specific and common security controls. An information system shall be certified and accredited (C&A) before it is authorized to operate or to be used. An authorization to operate is not granted indefinitely; it carries an expiration date. If the authorization expires, or if the system undergoes significant events or changes, the system shall be reauthorized.
Not all information systems qualify for ongoing authorization. When an information system is under ongoing authorization, it may be reauthorized on a time-driven or event-driven basis, and the authorization package is presented to the authorizing official through automated reports so that the information is delivered in the most efficient and timely manner possible.
After an information system is authorized to operate, the system and its controls shall be monitored. There are three types of risk monitoring: compliance, effectiveness, and change monitoring. The purpose of monitoring risk is to:
- Ensure compliance, i.e., that the risk response measures are implemented correctly and operating as intended.
- Determine effectiveness, i.e., whether the implemented risk response measures are reducing identified risk to the desired level. (This is a concern of residual risk.)
- Identify changes that may introduce new risks or affect existing ones.