CISSP · Question #376
Company A is evaluating new software to replace an in-house developed application. During the acquisition process. Company A specified the security retirement, as well as the functional requirements.
The correct answer is B. Conduct a security review of the OS. Company A should conduct a security review of the OS that Company B's flagship product runs on, since it is unfamiliar to them and may introduce new risks or vulnerabilities. The security review should evaluate the OS's security features, patches, updates, configuration, and comp
Question
Company A is evaluating new software to replace an in-house developed application. During the acquisition process. Company A specified the security retirement, as well as the functional requirements. Company B responded to the acquisition request with their flagship product that runs on an Operating System (OS) that Company A has never used nor evaluated. The flagship product meets all security -and functional requirements as defined by Company A. Based upon Company B's response, what step should Company A take?
Options
- AMove ahead with the acpjisition process, and purchase the flagship software
- BConduct a security review of the OS
- CPerform functionality testing
- DEnter into contract negotiations ensuring Service Level Agreements (SLA) are established to
How the community answered
(28 responses)- A18% (5)
- B68% (19)
- C4% (1)
- D11% (3)
Explanation
Company A should conduct a security review of the OS that Company B's flagship product runs on, since it is unfamiliar to them and may introduce new risks or vulnerabilities. The security review should evaluate the OS's security features, patches, updates, configuration, and compatibility with Company A's environment. Moving ahead with the acquisition process without reviewing the OS, performing functionality testing, or entering into contract negotiations are premature steps that may compromise Company A's security posture.
Topics
Community Discussion
No community discussion yet for this question.