Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system? 

Answer options:

A. Information Systems Security Officer (ISSO)
B. Designated Approving Authority (DAA)
C. System Owner
D. Chief Information Security Officer (CISO)

referred as approving/accrediting authority (DAA) or the Principal Approving Authority (PAA). Answer: C is incorrect. The system owner has the responsibility of

The authorizing official is the senior manager responsible for approving the working of the information system. He is responsible for the risks of operating the information system within a known environment through the security accreditation phase. In many organizations, the authorizing official is also informing the key officials within the organization of the requirements for a security C&A of the information system. He makes the resources available, and responsibilities of an Information System Security Officer (ISSO) are as follows: Manages the security of the information system that is slated for Certification & Accreditation (C&A). Insures the information systems configuration with the agency`s information security policy. Supports the information system owner/ information owner for the completion of security-related responsibilities. Takes part in the formal configuration management process. Prepares Certification & information security program functions.