# Certified Secure Software Lifecycle Professional (CSSLP) — Question 22
Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system?
## Answer options
- A. Information Systems Security Officer (ISSO)
- B. Designated Approving Authority (DAA)
- C. System Owner
- D. Chief Information Security Officer (CISO)
**Correct answer: C**

## Explanation
The System Owner is the individual who ultimately decides whether to accept or reject the residual risk of a system, as they have the most comprehensive understanding of its operation. The ISSO and CISO may provide guidance and recommendations, while the DAA is typically involved in the approval process but does not directly manage the system's risks.