Certified Information Systems Security Professional (CISSP) — Question 307
A healthcare insurance organization chose a vendor to develop a software application. Upon review of the draft contract, the information security professional notices that software security is not addressed. What is the BEST approach to address the issue?
Answer options
- A. Update the contract to require the vendor to perform security code reviews.
- B. Update the service level agreement (SLA) to provide the organization the right to audit the vendor.
- C. Update the contract so that the vendor is obligated to provide security capabilities.
- D. Update the service level agreement (SLA) to require the vendor to provide security capabilities.
Correct answer: C
Explanation
The correct answer is C because updating the contract to obligate the vendor to provide security capabilities makes security an explicit, enforceable term of the agreement itself. Option A is narrower than the requirement (security code reviews are one control, not the full set of security capabilities), and option D places the obligation in the SLA rather than in the contract; while both are beneficial, neither directly addresses the fundamental requirement for security capabilities in the contract. Option B grants auditing rights only, which does not guarantee that security measures will actually be implemented.