Which of the following individuals is responsible for monitoring the information system environment for factors that can negatively impact the security of the system and its accreditation?
The Information System Owner is responsible for monitoring the information system environment for factors that can negatively impact the security of the system and its accreditation.
Answer option C is incorrect. A Chief Risk Officer (CRO) is also known as a Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and the Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach.
Answer option A is incorrect. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals. The CIO plays the role of a leader and reports to the chief executive officer, chief operations officer, or chief financial officer. In military organizations, they report to the commanding officer.
Answer option B is incorrect. A Chief Information Security Officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the organization to reduce Information Technology (IT) risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance.
The responsibilities of a CISO are as follows:
Information security and information assurance
Information regulatory compliance (e.g., US PCI DSS, FISMA, GLBA, HIPAA; UK Data Protection Act 1998; Canada PIPEDA)
Information risk management
Information technology controls for financial and other systems
Information privacy
Computer Emergency Response Team (CERT) / Computer Security Incident Response Team (CSIRT)
Identity and access management
Disaster recovery and business continuity management