Certified Information Systems Security Professional (CISSP) — Question 13
A financial services organization has employed a security consultant to review processes used by employees across various teams. The consultant interviewed a member of the application development practice and found gaps in their threat model. Which of the following correctly represents a trigger for when a threat model should be revised?
Answer options
- A. After operating system (OS) patches are applied
- B. A new developer is hired into the team
- C. After a modification to the firewall rule policy
- D. A new data repository is added
Correct answer: D
Explanation
The correct answer is D because adding a new data repository introduces new potential threats that must be accounted for in the threat model. The other options, while important, do not necessarily create new threats that would require a revision of the existing threat model.