nerdexam
(ISC)2


CGRC Question #691: Real Exam Question with Answer & Explanation

The correct answer is C: Incremental assessment. When employing agile and iterative development methodologies, an incremental assessment is performed prior to the completion of the Security Assessment Report (SAR) to continuously evaluate security posture as the system evolves.

Assessment/Audit of Security and Privacy Controls

Question

Prior to completion of the security assessment report (SAR), what type of analysis is performed when agile, iterative development is used?

Options

  • A. Regression analysis
  • B. Interim assessment
  • C. Incremental assessment
  • D. Executive assessment

Explanation

In agile or iterative development the system changes with every increment, so waiting for one assessment at the end would leave the SAR describing a system that no longer exists. Instead, controls are assessed incrementally as each iteration or increment is delivered, and those partial results are folded into the SAR before it is finalized. This is the approach NIST SP 800-37 Rev. 2 describes under Task A-4 (Assessment Reports): the assessment report is a living artifact that can be built up from incremental assessment results rather than produced only once at the end.

Common mistakes.

  • A. Regression analysis is a statistical technique for estimating relationships among variables. The similarly named regression testing (re-running earlier tests to confirm that a change broke nothing) is a software-testing activity, not an RMF control assessment type, so neither reading fits the question.
  • B. Interim reporting can occur in any assessment, but "incremental assessment" is the term that specifically describes assessing controls increment by increment as an iterative development model delivers them.
  • D. An executive assessment is a high-level summary prepared for leadership, not the technical control assessment performed during iterative development.

Concept tested. Agile Security Assessment in RMF

Reference. NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations (Assess step, Task A-4, Assessment Reports): https://csrc.nist.gov/publications/detail/sp/800-37/rev2/final

Topics

#Agile security · #Incremental assessment · #Security Assessment Report (SAR) · #RMF Assessment
