Effective CISSP Questions

An Authorization to Operate (ATO) is the official management decision to authorize the operation of a system. Which of the following is least significant to the authorization decision? (Wentz QOTD)
A. All identified risks are addressed.
B. Safeguards operate as intended.
C. Residual risk is at an acceptable level.
D. The system operates per the stated policies and practices.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. All identified risks are addressed.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.


RMF: Authorize System

Authorization is the official management decision to authorize the operation of a system.

To facilitate sound risk-based decision making, decisions are based on reliable and current information about the implementation and effectiveness of both technical and nontechnical safeguards. These include:
• Technical features (Do they operate as intended?);
• Operational policies and practices (Is the system operated according to stated policies and practices?);
• Overall security (Are there threats that the safeguards do not address?); and
• Remaining risk (Is residual risk at an acceptable level?)

Source: NIST SP 800-12 R1

Risk Management

All identified risks are analyzed, quantitatively, qualitatively, or both, to determine their risk exposure. Risk evaluation then compares those results against the risk criteria to decide which risks need treatment and to prioritize them by exposure. Identified risks that fall below the risk criteria are accepted rather than treated, so they are never "addressed" in the sense of option A; what the authorization decision needs is that the remaining (residual plus accepted) risk is at an acceptable level.
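The evaluation step described above, carried through with numbers, as an added example that is not part of Wentz's post: exposure is computed with the quantitative formula ALE = SLE × ARO, risks above an acceptance threshold are treated and the rest are accepted, and the final authorization check asks only the questions NIST SP 800-12 lists. The risk names, dollar figures, safeguards and the threshold are constructed assumptions, not figures from the post or from NIST.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not from the original post. All names, SLE/ARO figures,
# safeguards and the acceptance threshold below are constructed assumptions.


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy, USD per event
    aro: float  # annualized rate of occurrence, events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy (risk exposure) = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    aro_reduction: float  # fraction of the ARO the safeguard removes, 0..1
    annual_cost: float    # USD per year


# Constructed sample risks for a hypothetical web application.
SAMPLE_RISKS: List[Risk] = [
    Risk("SQL injection in login form", sle=250_000, aro=0.5),   # ALE 125,000
    Risk("Lost unencrypted laptop", sle=40_000, aro=0.2),        # ALE   8,000
    Risk("Defaced marketing page", sle=5_000, aro=1.0),          # ALE   5,000
    Risk("Data-centre flood", sle=2_000_000, aro=0.001),         # ALE   2,000
]

# Assumed risk criterion: exposure above this is treated, at or below is accepted.
ACCEPTANCE_THRESHOLD = 6_000.0


def evaluate(risks: List[Risk], threshold: float) -> Tuple[List[Risk], List[Risk]]:
    """Risk evaluation: decide which risks need treatment and prioritize them.

    Returns (to_treat, accepted). to_treat is ordered by exposure, highest
    first; accepted risks fall within the criterion and are not treated.
    """
    to_treat = sorted((r for r in risks if r.ale > threshold),
                      key=lambda r: r.ale, reverse=True)
    accepted = [r for r in risks if r.ale <= threshold]
    return to_treat, accepted


def residual_ale(risk: Risk, safeguard: Safeguard) -> float:
    """Exposure that remains after the safeguard reduces the ARO."""
    return risk.sle * risk.aro * (1.0 - safeguard.aro_reduction)


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Cost/benefit of a safeguard: ALE reduction minus its annual cost."""
    return risk.ale - residual_ale(risk, safeguard) - safeguard.annual_cost


def authorize(residuals: List[float], accepted: List[Risk], threshold: float,
              safeguards_operate_as_intended: bool,
              operated_per_policy: bool) -> bool:
    """ATO decision framed by the NIST questions: safeguards work, the system
    is operated per policy, and every remaining risk (residual risk on treated
    items plus the consciously accepted ones) is at an acceptable level.
    Accepted risks are never 'addressed', yet authorization can still proceed.
    """
    remaining = residuals + [r.ale for r in accepted]
    return (safeguards_operate_as_intended
            and operated_per_policy
            and all(x <= threshold for x in remaining))


if __name__ == "__main__":
    to_treat, accepted = evaluate(SAMPLE_RISKS, ACCEPTANCE_THRESHOLD)
    controls = {  # assumed safeguards for the two risks that exceed the criterion
        "SQL injection in login form": Safeguard("Parameterized queries + WAF", 0.96, 20_000),
        "Lost unencrypted laptop": Safeguard("Full-disk encryption", 0.9, 3_000),
    }
    residuals = [residual_ale(r, controls[r.name]) for r in to_treat]
    for r, res in zip(to_treat, residuals):
        print(f"treat   {r.name:<30} ALE {r.ale:>10,.0f} -> residual {res:>8,.0f}")
    for r in accepted:
        print(f"accept  {r.name:<30} ALE {r.ale:>10,.0f}")
    print("ATO:", authorize(residuals, accepted, ACCEPTANCE_THRESHOLD, True, True))
```

With these figures the SQL injection and laptop risks are treated, the defacement and flood risks are accepted untouched, and the authorization check still passes because every remaining exposure is within the threshold; flip either of the two "as intended" flags and it fails, which is the point of options B and D.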

ISO 31000
Risk Evaluation


An Authorization to Operate (ATO) is the official management decision to authorize the operation of a system. Which of the following is least significant to the authorization decision? (Wentz QOTD)
A. All identified risks have been addressed.
B. Safeguards operate as intended.
C. Residual risk is at an acceptable level.
D. The system operates according to the stated policies and practices.
