PrepAway - Latest Free Exam Questions & Answers

Which of the following persons in an organization is responsible for rejecting or accepting the residual risk

Which of the following persons in an organization is responsible for rejecting or accepting the
residual risk for a system?

A.
Information Systems Security Officer (ISSO)

B.
Designated Approving Authority (DAA)

C.
System Owner

D.
Chief Information Security Officer (CISO)

Answer: B

Explanation:
The Designated Approving Authority (DAA), called the authorizing official in NIST terminology, is the senior manager who formally authorizes the information system to operate. By signing the authorization decision at the end of the security accreditation phase of Certification & Accreditation (C&A), the DAA explicitly accepts (or rejects) the residual risk of operating the system in its known environment. In many organizations this role is also referred to as the Designated Approving/Accrediting Authority (DAA) or the Principal Approving Authority (PAA). The other roles listed prepare, support or inform that decision, but none of them owns it.

Chief Information Officer (CIO): informs the key officials within the organization of the requirements for a security C&A of the information system, makes the necessary resources available and provides the relevant documents. In the C&A process the CIO acts in a supporting role.

Information System Security Officer (ISSO): manages the security of the information system that is slated for C&A, ensures that the information system's configuration complies with the agency's information security policy, supports the information system owner/information owner in completing their security-related responsibilities, and takes part in the formal configuration management process.

Chief Information Security Officer (CISO), also known as the Senior Agency Information Security Officer: carries out the CIO's FISMA responsibilities on the CIO's behalf and manages the information security program functions. This is a program-management role, not a risk-acceptance role for an individual system.
