The Importance of Correctly Scoping Your Information Systems
The decision to authorize (or not) an information system to operate within an organization is the outcome of an ongoing project that must be managed effectively to succeed and to keep the business from being exposed to unwanted threats. As NIST puts it, an authorization to operate (ATO) is a “management decision to explicitly accept the risks” of operating an information system.


An authorizing official needs not only executive buy-in to complete the project, but also the foundational knowledge required to avoid scope creep. An (ISC)² Certified Authorization Professional (CAP) is a practitioner who can exercise sound security risk management in pursuit of information system authorization, supporting an organization’s operations in accordance with legal and regulatory requirements. A CAP has the expertise to compile the authorization package, determine the risk associated with operating the system, develop responses to address the residual risk, and finally decide whether or not to authorize the information system. In addition, the (ISC)² CAP certification meets the requirements of Directive 8570.1 for IAM Level I and IAM Level II positions.

