Certified Information Systems Security Professional (CISSP) — Question 37
An organization plans to acquire a commercial off-the-shelf (COTS) system to replace its aging home-built reporting system. When should the organization's security team FIRST get involved in this acquisition's life cycle?
Answer options
- A. When the system is verified and validated
- B. When the need for a system is expressed and the purpose of the system is documented
- C. When the system is deployed into production
- D. When the system is being designed, purchased, programmed, developed, or otherwise constructed
Correct answer: B
Explanation
The correct answer is B: the security team should be involved as soon as the need for a system is expressed and its purpose is documented, because that is the earliest point at which security requirements can be identified and built into the acquisition. Engaging the team only at later stages, such as design, verification, or deployment, means security measures must be retrofitted, which makes integrating them effectively more difficult.