nerdexam
(ISC)2

CISSP · Question #352

Which of the following steps should be performed FIRST when purchasing Commercial Off-The- Shelf (COTS) software?

The correct answer is D. establish policies and procedures on system and services acquisition. The first step when purchasing Commercial Off-The-Shelf (COTS) software is to establish policies and procedures on system and services acquisition. This involves defining the objectives, scope, and criteria for acquiring the software, as well as the roles and responsibilities of

Submitted by haru.x· Mar 5, 2026Security and Risk Management

Question

Which of the following steps should be performed FIRST when purchasing Commercial Off-The- Shelf (COTS) software?

Options

  • Aundergo a security assessment as part of authorization process
  • Bestablish a risk management strategy
  • Charden the hosting server, and perform hosting and application vulnerability scans
  • Destablish policies and procedures on system and services acquisition

How the community answered

(38 responses)
  • A
    5% (2)
  • B
    3% (1)
  • C
    11% (4)
  • D
    82% (31)

Explanation

The first step when purchasing Commercial Off-The-Shelf (COTS) software is to establish policies and procedures on system and services acquisition. This involves defining the objectives, scope, and criteria for acquiring the software, as well as the roles and responsibilities of the stakeholders involved in the acquisition process. The policies and procedures should also address the legal, contractual, and regulatory aspects of the acquisition, such as the terms and conditions, the service level agreements, and the compliance requirements. Undergoing a security assessment, establishing a risk management strategy, and hardening the hosting server are not the first steps when purchasing COTS software, but they may be part of the subsequent steps, such as the evaluation, selection, and implementation of the software.

Topics

#COTS acquisition#Security policy#Procurement#Risk management

Community Discussion

No community discussion yet for this question.

Full CISSP Practice