ISC2 CSSLP Exam - Topic 5 Question 55 Discussion

Actual exam question for ISC2's CSSLP exam
Question #: 55
Topic #: 5

Who amongst the following makes the final accreditation decision?

Suggested Answer: C

The DAA, also known as Authorizing Official, makes the final accreditation decision. The Designated Approving Authority (DAA), in the United States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. The DAA is responsible for implementing system security. The DAA can grant the accreditation and can determine that the system's risks are not at an acceptable level and the system is not ready to be operational.

Answer D is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information System Security Officer (ISSO) are as follows:

- Manages the security of the information system that is slated for Certification & Accreditation (C&A).
- Ensures the information system's configuration complies with the agency's information security policy.
- Supports the information system owner/information owner for the completion of security-related responsibilities.
- Takes part in the formal configuration management process.
- Prepares Certification & Accreditation (C&A) packages.

Answer A is incorrect. An Information System Security Engineer (ISSE) plays the role of an advisor. The responsibilities of an Information System Security Engineer are as follows:

- Provides a view on the continuous monitoring of the information system.
- Provides advice on the impacts of system changes.
- Takes part in the configuration management process.
- Takes part in the development activities that are required to implement system changes.
- Follows approved system changes.

Answer B is incorrect. A Chief Risk Officer (CRO) is also known as Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and the Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach.


Margery
4 months ago
I find it hard to believe the CRO has that power.
upvoted 0 times
...
Effie
4 months ago
Wait, are you sure it's not the DAA?
upvoted 0 times
...
Graciela
4 months ago
Actually, it's the ISSO who decides in the end.
upvoted 0 times
...
Larue
4 months ago
Totally agree, CRO is the one!
upvoted 0 times
...
Candra
4 months ago
I think it's the CRO that makes the final call.
upvoted 0 times
...
Beatriz
5 months ago
I thought the ISSE was involved in the process, but I don't remember if they actually make the final decision.
upvoted 0 times
...
Noah
5 months ago
I feel like it could be the ISSO, but I can't recall the details about their role in the accreditation process.
upvoted 0 times
...
Dominque
5 months ago
I remember practicing a question like this, and I think it was the CRO who had the final say.
upvoted 0 times
...
Lavera
5 months ago
I think the final accreditation decision is usually made by the DAA, but I'm not entirely sure.
upvoted 0 times
...
Lorriane
5 months ago
Okay, I've got this. Scope 2 covers indirect emissions from the electricity, steam, heating, and cooling that a company purchases and uses. So B is the correct answer here.
upvoted 0 times
...
Jesusa
5 months ago
Okay, let's see. I know we can define the UI configuration, attributes, and change request types for an entity type. I think those are the three correct answers here.
upvoted 0 times
...
Edison
5 months ago
This one seems pretty straightforward - the Open Rate would tell me how many times the email was actually opened and read, so that's the statistic I'd go with.
upvoted 0 times
...