ISC2 ISSEP Exam - Topic 3 Question 18 Discussion

The IS program manager is the primary authorization advocate. He is responsible for the Information

Systems (IS) throughout the life cycle of

system development. He also ensures that the security requirements are integrated in a way that

will result in an acceptable level of risk. He

also informs all C&A participants about life cycle actions, security requirements, and documented

user needs. The program manager is also

responsible for system acquisition, life cycle schedules, funding, system operation, system

performance, and maintenance.

Answer option C is incorrect. The Certification Agent is also referred to as the certifier. He provides

the technical expertise to conduct the

certification throughout the system life cycle. The certifier determines the existing level of residual

risk. He also makes an accreditation

recommendation to the DAA. He determines whether a system is ready for certification and

conducts the certification process.

Answer option A is incorrect. A user representative is one who focuses on system availability, access,

integrity, functionality, performance, and

confidentiality in a Certification and Accreditation (C&A) process. He is responsible for the

identification of operational requirements and for the

secure operation of a certified and accredited IS. He represents the user community and assists in

the C&A process. He also defines the

system's operations and functional requirements.

Answer option B is incorrect. The Designated Approving Authority (DAA), in the United States

Department of Defense, is the official with the

authority to formally assume responsibility for operating a system at an acceptable level of risk. The

DAA is responsible for implementing

system security. The DAA can grant the accreditation and can determine that the system's risks are

not at an acceptable level and the system

is not ready to be operational.