The Authorizations to Operate (ATO) for information systems is granted after controls assessment and system authorization as a formal decision for the management to accept the residual risk. To support continuous authorization, which of the following tasks should be implemented first? (Wentz QOTD)
A. Automation for enforcement of policies and controls
B. Continuous integration and delivery
C. Continuous monitoring approach for the applicable security controls
D. Automated ways of performing security assessments
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Continuous integration and delivery.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Reference
- The Role of DevSecOps in Continuous Authority to Operate
- What is a Continuous Authority to Operate?
- DevSecOps
資訊系統的上線營運授權 (ATO) 是在控制評鑑和系統授權之後授予的,是管理階層接受剩餘風險的正式決定。 要支持連續授權,以下哪項任務應首先實施? (Wentz QOTD)
A. 策略和控制執行的自動化
B. 持續集成與交付
C. 適用安全控制的持續監控方法
D. 執行安全評鑑的自動化方式