CISSP · Question #242
During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory?
The correct answer is D. Define the boundaries of the information system.. In the Security Assessment and Authorization (SA&A) process, a hardware and software inventory is primarily used to establish and define the authorization boundary of the information system.
Question
Options
- ACalculate the value of assets being accredited.
- BCreate a list to include in the Security Assessment and Authorization package.
- CIdentify obsolete hardware and software.
- DDefine the boundaries of the information system.
How the community answered
(46 responses)- A4% (2)
- B2% (1)
- C2% (1)
- D91% (42)
Why each option
In the Security Assessment and Authorization (SA&A) process, a hardware and software inventory is primarily used to establish and define the authorization boundary of the information system.
Calculating asset value is a financial or risk-valuation activity, not the primary purpose of inventory during SA&A, which focuses on security control applicability rather than monetary worth.
While an inventory may ultimately be included as documentation in the SA&A package, creating a list for inclusion is a byproduct, not the primary purpose of conducting the inventory.
Identifying obsolete hardware and software is a lifecycle management or vulnerability management concern, which is separate from the core SA&A goal of establishing what components are within the authorization boundary.
Defining the authorization boundary is foundational to the SA&A process because it determines exactly what components - hardware, software, and interfaces - fall within scope of the security controls being assessed. Without a clear inventory, the system boundary cannot be accurately drawn, making it impossible to determine what must be protected and evaluated. NIST SP 800-37 explicitly requires that the system boundary be defined through this inventory as part of the categorization and authorization steps.
Concept tested: SA&A system boundary definition via hardware/software inventory
Source: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
Topics
Community Discussion
No community discussion yet for this question.