As an information system owner, you are responsible for the overall procurement, development, integration, modification, operation, and maintenance of the information system. Which of the following is the first document you should develop to gain the authorization to operate for the information system? (Wentz QOTD)
A. Authorization package.
B. Security and privacy plans.
C. Plans of action and milestones.
D. Security and privacy assessment reports.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Security and privacy plans.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
The information system owner should prepare an authorization package and submit it to the appropriate authority for the Authorization To Operate (ATO). The authorization package typically contains:
- Security and privacy plans (to direct activities/tasks)
- Security and privacy assessment reports (after security controls are implemented)
- Plans of action and milestones (POA&M) for corrective actions and improvement
The authorization package is the last of these artifacts to be produced; it is essentially a compilation of the three documents above, which is why the security and privacy plans come first.
As an information system owner, you are responsible for the overall procurement, development, integration, modification, operation, and maintenance of the information system. Which of the following is the first document you should develop to gain the authorization to operate (ATO) for the information system? (Wentz QOTD)
B. Security and privacy plans.