56 ◾ Official (ISC)²® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
is successful, the safety of employees and products, and that all actions are
ethical and compliant with the appropriate laws and regulations.
2. Approving Authority: The Approving Authority conducts the business-security risk assessment of the system and formally approves the operational use of the system. This individual must be a senior employee of the organization, formally assigned the responsibility and authority for reviewing and approving information systems, with all of their associated risks, for operations. To have the appropriate authority, the Approving Authority must have adequate influence over both the business operations and resources to make a balanced cost-benefit, mission analysis–risk determination on the acceptability of the system's residual security risks.
3. Verification Entity: This is a person or group that takes actions to verify that what is documented in the approved system security plan is what is actually being done in the operation of the system. This is done by
• Conducting reviews of documents, such as compliance regulations and directives, security plans, operations manuals, audit logs, and journals
• Interviewing personnel
• Testing (system mappings, vulnerability scans, penetration and social engineering tests, etc.)
• On-site inspections
Throughout, they report to the Approving Authority and system owner, identifying vulnerabilities and noncompliance issues in the system and potential options for correcting them. This document is typically called the security assessment report.
4. System Owner: Of all the individuals in an organization responsible for security, the system owner is responsible for over 85% of the actions. This person is responsible for everything from developing, implementing, managing, manning, training, educating, resourcing, operating, maintaining, monitoring, exercising, assessing, and reporting, to correcting the information system's security on a daily basis. This individual is responsible for developing and maintaining all of the key security documents, including the system's security, contingency, incident response, patch management, configuration management, POA&M, and budget plans. Additionally, the system owner must report the security status, issues, and risk to senior management.
5. User Representative: The users are one of the main keys to the success of any security program. The user representative ensures that concerns including mission, cultural, frontline-operational, environmental, and user acceptability are included in any system security solution. Additionally, they become the conduit for communications between management and the user community, to facilitate security promotion to the users and provide alternative solutions back to management.