ISC Certified Information Systems Security Professional (CISSP) CISSP Question # 142 Topic 15 Discussion
An organization plans to acquire a commercial off-the-shelf (COTS) system to replace its aging home-built reporting system. When should the organization's security team FIRST get involved in this acquisition's life cycle?

A. When the system is being designed, purchased, programmed, developed, or otherwise constructed
B. When the system is verified and validated
C. When the system is deployed into production
D. When the need for a system is expressed and the purpose of the system is documented
The security team should be involved in the acquisition life cycle as early as possible, preferably when the need for a system is expressed and the purpose of the system is documented. Involvement at this stage ensures that security requirements are identified up front and carried into the design, purchase, development, and testing phases. Waiting until the system is verified and validated, or until it is deployed into production, may be too late to address security issues or risks that could have been prevented or mitigated earlier.

References: CISSP - Certified Information Systems Security Professional, Domain 1. Security and Risk Management, 1.3 Understand and apply security governance principles, 1.3.2 Due diligence/due care; CISSP Exam Outline, Domain 1. Security and Risk Management, 1.3 Understand and apply security governance principles, 1.3.2 Due diligence/due care