The Authorizations to Operate (ATO) for information systems is granted after controls assessment and system authorization as a formal decision for the management to accept the residual risk. To support continuous authorization, which of the following tasks should be implemented first? (Wentz QOTD)
A. Automation for enforcement of policies and controls
B. Continuous integration and delivery
C. Continuous monitoring approach for the applicable security controls
D. Automated ways of performing security assessments
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Continuous integration and delivery.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
- The Role of DevSecOps in Continuous Authority to Operate
- What is a Continuous Authority to Operate?
資訊系統的上線營運授權 (ATO) 是在控制評鑑和系統授權之後授予的，是管理階層接受剩餘風險的正式決定。 要支持連續授權，以下哪項任務應首先實施？ (Wentz QOTD)