CAP: Security Assessment and Authorization Certification Exam | ISSO vs ISSE

ISSO and ISSE Roles in Security Assessment and Authorization

Question

The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively.

Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution.

Choose all that apply.

Answers

Explanations


A. An ISSE provides advice on the impacts of system changes.
B. An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).
C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).
D. An ISSO takes part in the development activities that are required to implement system changes.
E. An ISSE provides advice on the continuous monitoring of the information system.

Correct answer: A, C, E.

The ISSO (Information System Security Officer) and the ISSE (Information System Security Engineer) are both essential roles in the security assessment and authorization of an information system. Certification & Accreditation (C&A) is the legacy term for this process; the NIST Risk Management Framework now calls it security assessment and authorization (A&A).

The ISSO manages the security of the information system. This includes conducting risk assessments, overseeing the implementation of security controls, and ensuring compliance with security policies and regulations. The ISSO also serves as the liaison between the system owner, the users, and the security team: communicating security requirements and concerns to the system owner and ensuring that the security plan and policies are implemented and followed. The ISSO does not perform the development work on the system itself.

The ISSE, by contrast, is the technical advisor. The ISSE provides expertise and guidance to the system owner and developers on how to design, develop, and implement a secure information system. When the system changes, the ISSE analyzes the security impact of the change and advises on the controls needed to mitigate the resulting risk. The ISSE also advises on system testing, evaluation, accreditation, and the continuous monitoring that follows authorization. The ISSE advises on security; the ISSO manages it.

Based on the given options, the following statements are true:

A. An ISSE provides advice on the impacts of system changes: True. Analyzing how a proposed change affects the system's security posture, and advising the system owner and developers on the controls needed to address it, is a core ISSE responsibility.

C. An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A): True. The ISSO is responsible for managing the security of the system, which includes ensuring that it complies with security policies and regulations and that it is ready for C&A (now called assessment and authorization under the NIST Risk Management Framework).

E. An ISSE provides advice on the continuous monitoring of the information system: True. The ISSE's advisory role covers system testing, evaluation, and accreditation, and extends to advising on how the system's security state is monitored on an ongoing basis after it is authorized.

Therefore, options A, C, and E are all correct.

Option B is incorrect because the ISSE does not manage the security of the information system that is slated for C&A. Managing the system's security is the responsibility of the ISSO; the ISSE advises on it.

Option D is incorrect because the ISSO does not take part in the development activities required to implement system changes. Development is carried out by the system owner and developers, with the ISSE providing technical guidance on the security impact of the changes.