nerdexam
(ISC)2


CISSP Question #356: Real Exam Question with Answer & Explanation

The correct answer is A: A source code escrow clause. When purchasing custom software from a small vendor, a source code escrow clause protects the organization if the vendor goes out of business or discontinues support, mitigating long-term dependency risks.

Submitted by yousef_jo · Mar 5, 2026 · Software Development Security

Question

An organization plans to purchase a custom software product developed by a small vendor to support its business model. Which unique consideration should be made part of the contractual agreement to address the potential long-term risks associated with creating this dependency?

Options

  • A. A source code escrow clause
  • B. Right to request an independent review of the software source code
  • C. Due diligence form requesting statements of compliance with security requirements
  • D. Access to the technical documentation

Explanation

When purchasing custom software from a small vendor, a source code escrow clause protects the organization if the vendor goes out of business or discontinues support, mitigating long-term dependency risks.

Common mistakes.

  • B. The right to request an independent source code review addresses security assurance and audit rights, but does not protect the organization from losing access to the software if the vendor goes out of business.
  • C. A due diligence form requesting compliance statements addresses security posture assessment at a point in time, but provides no contractual protection against the vendor disappearing or becoming unable to support the product.
  • D. Access to technical documentation supports knowledge transfer and understanding of the product, but documentation alone does not give the organization the ability to maintain or modify the software if the vendor ceases operations.

Concept tested. Source code escrow for vendor dependency risk mitigation.

Reference. https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf

Topics

#Software escrow #Vendor lock-in #Supply chain security #Contractual agreements
