CISSP Question #1420: Real Exam Question with Answer & Explanation
The correct answer is D: Software assurance policy.
Question
Which of the following addresses requirements of security assessments during software acquisition?
Options
- A. Software configuration management (SCM)
- B. Data loss prevention (DLP) policy
- C. Continuous monitoring
- D. Software assurance policy
Explanation
Security assessments during software acquisition are governed by software assurance policies, which define requirements for evaluating the security and trustworthiness of third-party or acquired software.
Common mistakes
- A. Software configuration management (SCM) focuses on controlling and tracking changes to software after it has been acquired or developed, not on evaluating security risks during the acquisition process itself.
- B. A data loss prevention (DLP) policy is designed to prevent unauthorized exfiltration or exposure of sensitive data and does not address the security vetting of software being acquired from vendors.
- C. Continuous monitoring is an operational security practice used to maintain ongoing visibility into a deployed system's security posture, and does not govern the security assessment requirements prior to or during software acquisition.
Concept tested: Software assurance policy requirements during software acquisition
Reference: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final