
CISSP Question #968: Real Exam Question with Answer & Explanation

The correct answer is C: Establish an open-source compliance policy. Before operationalizing open-source software use, an organization must establish a formal compliance policy to govern how open-source components are selected, approved, and managed. This foundational step precedes all other specific controls.

Submitted by hassan_iq · Mar 5, 2026 · Software Development Security

Question

A retail company is looking to start a development project that will utilize open source components in its code for the first time. The development team has already acquired several open source components and utilized them in proof of concept (POC) code. The team recognizes that the legal and operational risks are outweighed by the benefits of open-source software use. What MUST the organization do next?

Options

  • A. Mandate that all open-source components be approved by the Information Security Manager.
  • B. Scan all open-source components for security vulnerabilities.
  • C. Establish an open-source compliance policy.
  • D. Require commercial support for all open-source components.

Explanation

Before operationalizing open-source software use, an organization must establish a formal compliance policy to govern how open-source components are selected, approved, and managed. This foundational step precedes all other specific controls.

Common mistakes.

  • A. Mandating approval by the Information Security Manager is a procedural control that should be defined within an open-source compliance policy, not a standalone first step taken before governance is established.
  • B. Scanning open-source components for vulnerabilities is an important security practice, but it is a tactical activity that should be required and governed by an overarching compliance policy rather than implemented ad hoc before any policy exists.
  • D. Requiring commercial support for all open-source components is one possible policy decision an organization might make, but it is an overly restrictive and costly measure that is not universally required and would itself need to be specified within a compliance policy framework.

Concept tested. Open-source software governance and compliance policy establishment

Reference. https://www.linuxfoundation.org/resources/open-source-guides/using-open-source-code/

Topics

#Open-source software (OSS) security · #Software supply chain · #Compliance policy · #Legal risk
