Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?
A. Information system owner
B. Chief Risk Officer (CRO)
C. Chief Information Officer (CIO)
D. Authorizing Official
Explanation:
The Certification and Accreditation (C&A) process starts when an information system owner acknowledges that a system, group of systems, application, or site needs accreditation. An information system owner might be an IT operations director, a security officer, or an IT operations manager. Once the need for C&A is acknowledged, the C&A process must be supervised through to completion.
Answer option B is incorrect. A Chief Risk Officer (CRO) is also known as a Chief Risk Management Officer (CRMO). The CRO or CRMO of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and the Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization’s Enterprise Risk Management (ERM) approach.
Answer option C is incorrect. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals. The CIO plays the role of a leader and reports to the chief executive officer, chief operations officer, or chief financial officer. In military organizations, they report to the commanding officer.
Answer option D is incorrect. An Authorizing Official plays the role of an approver. The responsibilities of an Authorizing Official are as follows:
1. Ascertains the security posture of the organization’s information system.
2. Reviews security status reports and critical security documents.
3. Determines the need for reauthorization and reauthorizes information systems when required.
What is the objective of Certification & Accreditation?
The primary objective of Certification & Accreditation (C&A) is to compel authorizing officials to understand the risks an information system poses. An authorizing official can thereby gain assurance about the information system’s risk and can assess how much attention has been given to mitigating that risk. The risk evaluation and documentation of results should be integrated throughout a system or application’s system development life cycle. According to NIST, the system development life cycle comprises five phases:
1. System initiation
2. Development and acquisition
3. Implementation
4. Operation and maintenance
5. Disposal