CISSP · Question #1025
A healthcare insurance organization chose a vendor to develop a software application. Upon review of the draft contract, the information security professional notices that software security is not add
The correct answer is C. Update the contract so that the vendor is obligated to provide security capabilities.. When software security is missing from a vendor contract, the contract itself-not the SLA-is the proper legal instrument to mandate security obligations, as it governs the overall terms of the vendor relationship.
Question
Options
- AUpdate the service level agreement (SLA) to provide the organization the right to audit the
- BUpdate the service level agreement (SLA) to require the vendor to provide security capabilities.
- CUpdate the contract so that the vendor is obligated to provide security capabilities.
- DUpdate the contract to require the vendor to perform security code reviews.
How the community answered
(47 responses)- A15% (7)
- B9% (4)
- C72% (34)
- D4% (2)
Why each option
When software security is missing from a vendor contract, the contract itself-not the SLA-is the proper legal instrument to mandate security obligations, as it governs the overall terms of the vendor relationship.
The SLA governs service performance metrics and availability targets, not the development-level security capabilities of the software itself, so auditing rights in the SLA would not obligate the vendor to build secure software.
The SLA is a supplementary document focused on operational service levels rather than development obligations; requiring security capabilities in the SLA is less enforceable and less appropriate than placing that requirement in the primary contract.
The contract is the binding legal agreement that defines the vendor's obligations for software development, making it the most authoritative and enforceable place to require security capabilities. Updating the contract ensures that security requirements are legally obligatory from the outset of the engagement, not just operationally expected. This approach addresses the root issue-absent security language in the primary agreement-by embedding security obligations directly where they carry the most legal weight.
Requiring only security code reviews in the contract is too narrow-it addresses one specific activity rather than broadly obligating the vendor to provide comprehensive security capabilities throughout the software development lifecycle.
Concept tested: Vendor contract management and software security requirements
Source: https://www.nist.gov/system/files/documents/2021/10/28/NIST%20SP%20800-161%20Rev%201%20ipd.pdf
Topics
Community Discussion
No community discussion yet for this question.