As a CISSP working for a direct bank based in Taiwan that relies entirely on internet banking, you are collaborating with the software development team of the customer relationship management (CRM) system to address security concerns. Which of the following approaches or standards are you least likely to employ?
A. Security function
B. XP (eXtreme Programming)
C. ISO 15288
D. The Sherwood Applied Business Security Architecture (SABSA)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Security function.
This question is designed to invite more thinking about the “security function” that is mentioned in the CISSP Exam Outline, 1.2 Evaluate and apply security governance principles (Alignment of security function to business strategy, goals, mission, and objectives).
Is “security function” an approach or standard? I’m afraid not. I would define the security function as the function that a security department performs. It’s not uncommon to use “security function” to refer to the security department itself, whether it is an official or an unofficial department.
The following are approaches or standards:
- XP (eXtreme Programming) is one of the Agile approaches and is commonly adopted in Agile software development. Pair programming, as a means of real-time code review, is one of its best-known practices.
- ISO 15288 is a standard of “Systems and software engineering — System life cycle processes.” NIST SP 800-160 V1 addresses security concerns based on ISO 15288.
- The Sherwood Applied Business Security Architecture (SABSA) is a framework and methodology for enterprise security architecture.