Effective CISSP Questions

Your company is developing an ERP system, owned by the head of the IT department, using Scrum. You are the product owner of the development of the material management module. Which of the following is the least of your concerns?
A. Refinement of the product backlog
B. Application for authorization to operate (ATO)
C. Trustworthiness of the product
D. User acceptance

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Application for authorization to operate (ATO).

The material management module is part of the ERP system, which is composed of interacting elements such as hardware, software, data, humans, processes, facilities, materials, and naturally occurring physical entities. The authorization to operate (ATO) is granted at the information system level.

Authorization To Operate (ATO)

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

Source: CNSSI 4009

Information System

Combination of interacting elements organized to achieve one or more stated purposes.

Note 1: There are many types of systems. Examples include: general and special-purpose information systems; command, control, and communication systems; crypto modules; central processing unit and graphics processor boards; industrial/process control systems; flight control systems; weapons, targeting, and fire control systems; medical devices and treatment systems; financial, banking, and merchandising transaction systems; and social networking systems.

Note 2: The interacting elements in the definition of system include hardware, software, data, humans, processes, facilities, materials, and naturally occurring physical entities.

Note 3: System of systems is included in the definition of system.

Source: NIST SP 800-160

Product Owner

The Product Owner is accountable for maximizing the value of the product resulting from the work of the Scrum Team. How this is done may vary widely across organizations, Scrum Teams, and individuals.

The Product Owner is also accountable for effective Product Backlog management, which includes:
* Developing and explicitly communicating the Product Goal;
* Creating and clearly communicating Product Backlog items;
* Ordering Product Backlog items; and,
* Ensuring that the Product Backlog is transparent, visible and understood.

The Product Owner may do the above work or may delegate the responsibility to others. Regardless, the Product Owner remains accountable.

For Product Owners to succeed, the entire organization must respect their decisions. These decisions are visible in the content and ordering of the Product Backlog, and through the inspectable Increment at the Sprint Review.

The Product Owner is one person, not a committee. The Product Owner may represent the needs of many stakeholders in the Product Backlog. Those wanting to change the Product Backlog can do so by trying to convince the Product Owner.

Source: Scrum Guide 2020

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Your company is developing an ERP system using Scrum. The head of the IT department is the owner of the system. You are the product owner (Product Owner) of the development of the material management module. Which of the following is the least of your concerns?
A. Refinement of the product backlog
B. Application for authorization to operate (ATO)
C. Trustworthiness of the product
D. User acceptance
