An information system needs the official management decision given by a senior organizational official to authorize the operation and to accept the residual risk explicitly. Which of the following provides the final decision? (Wentz QOTD)
A. Risk-based auditing
B. Authoritative accreditation
C. Comprehensive security assessment
D. Third-party security evaluation using objective criteria
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Authoritative accreditation.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
- Certification: A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the for the system.
- Accreditation: The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
Reference
信息系統需要高級組織官員給出的官方管理決策來授權操作並明確接受剩餘風險。 以下哪項提供了最終決定? (Wentz QOTD)
A. 基於風險的審計
B. 權威認證
C. 綜合安全評估
D. 使用客觀標準的第三方安全評估