CISSP PRACTICE QUESTIONS – 20201206

Effective CISSP Questions

Your company is developing an E-Commerce system. As a tester, you shall evaluate if the system meets system security requirements. Which of the following should you do in terms of ISO 15288?
A. Certification
B. Accreditation
C. Verification
D. Validation

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Verification. 

  • Verification and Validation (V&V) are engineering processes.
  • Certification and Accreditation (C&A) are formal assurance processes as defined in FIPS 200.
  • The concept of C&A is now called A&A (Assessment & Authorization) in NIST RMF.
  • Every system should go through V&V, but not every organization requires C&A.
Certification and Accreditation (C&A)

Verification and Validation

Verification and Validation are technical processes introduced in ISO 15288.

NIST SP 800-160 V1 and ISO 15288

“The purpose of the Verification process is to provide objective evidence that a system or system element fulfils its specified requirements and characteristics.”

“The purpose of the Validation process is to provide objective evidence that the system, when in use, fulfills its business or mission objectives and stakeholder requirements, achieving its intended use in its intended operational environment.”

Source: ISO/IEC/IEEE 15288-2015
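To make the Verification definition concrete, here is an added example (not from the post, ISO 15288, or NIST SP 800-160) of what a tester's verification activity produces: objective evidence, per specified requirement, that a system element does what its specification says. The AuthModule class and the SR-1 to SR-3 requirements are constructed for illustration. Note what this harness cannot tell you: whether those requirements are the right ones for the business in its real operating environment, which is the Validation question.

```python
"""Added example: an automated verification harness in the ISO 15288 sense,
producing objective evidence that a system element fulfils its *specified*
requirements. The AuthModule and the SR-* requirements are constructed for
illustration; they are not from the page or from any standard."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


class AuthModule:
    """Hypothetical authentication element of an e-commerce system (constructed)."""

    def __init__(self, iterations: int = 600_000, secure_cookie: bool = True) -> None:
        self.iterations = iterations
        # Session cookie attributes the module would emit (constructed values).
        self.cookie_flags = {"Secure": secure_cookie, "HttpOnly": True, "SameSite": "Lax"}

    def hash_password(self, password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        """Return (salt, digest): a fresh random salt and a PBKDF2-HMAC-SHA256 digest."""
        salt = salt if salt is not None else os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)
        return salt, digest

    def check_password(self, password: str, salt: bytes, digest: bytes) -> bool:
        """Constant-time comparison of a candidate password against a stored digest."""
        return hmac.compare_digest(digest, self.hash_password(password, salt)[1])


@dataclass
class Evidence:
    """One verification record: which requirement, the verdict, and what was observed."""
    requirement_id: str
    statement: str
    passed: bool
    observation: str


def verify_sr1(auth: AuthModule) -> Evidence:
    """SR-1 (constructed): passwords are stored only as salted, iterated hashes with
    at least 100,000 iterations, so hashing the same password twice gives different digests."""
    salt_a, digest_a = auth.hash_password("correct horse battery staple")
    salt_b, digest_b = auth.hash_password("correct horse battery staple")
    fresh_salt = salt_a != salt_b and digest_a != digest_b
    ok = fresh_salt and auth.iterations >= 100_000
    return Evidence("SR-1", "salted, iterated password hashing", ok,
                    f"fresh salt per hash={fresh_salt}, iterations={auth.iterations}")


def verify_sr2(auth: AuthModule) -> Evidence:
    """SR-2 (constructed): the correct password is accepted and a wrong one rejected."""
    salt, digest = auth.hash_password("s3cret")
    ok = auth.check_password("s3cret", salt, digest) and not auth.check_password("S3CRET", salt, digest)
    return Evidence("SR-2", "password check accepts only the correct password", ok,
                    f"correct accepted and wrong rejected={ok}")


def verify_sr3(auth: AuthModule) -> Evidence:
    """SR-3 (constructed): session cookies carry both the Secure and HttpOnly attributes."""
    flags = auth.cookie_flags
    ok = bool(flags.get("Secure")) and bool(flags.get("HttpOnly"))
    return Evidence("SR-3", "session cookie is Secure and HttpOnly", ok, f"flags={flags}")


# The verification plan: one check per specified requirement.
VERIFICATION_PLAN: List[Callable[[AuthModule], Evidence]] = [verify_sr1, verify_sr2, verify_sr3]


def verify(auth: AuthModule) -> List[Evidence]:
    """Run every planned check; the returned records are the objective evidence."""
    return [check(auth) for check in VERIFICATION_PLAN]


def all_requirements_met(evidence: List[Evidence]) -> bool:
    return all(e.passed for e in evidence)


def failed_ids(evidence: List[Evidence]) -> List[str]:
    return [e.requirement_id for e in evidence if not e.passed]


if __name__ == "__main__":
    for e in verify(AuthModule()):
        print(f"{e.requirement_id} {'PASS' if e.passed else 'FAIL'}: {e.observation}")
    # A weakened build: too few iterations and a session cookie without Secure.
    weak = verify(AuthModule(iterations=1_000, secure_cookie=False))
    print("weak build failed:", failed_ids(weak))
```

Each Evidence record ties a verdict to a requirement identifier and to what was actually observed, which is what makes it usable as evidence rather than a bare pass/fail; the weakened build shows the harness recording SR-1 and SR-3 failures while SR-2 still passes.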

Stakeholder and System Requirements (Source: NIST SP 800-160 V1)

Verification and Validation (V&V)

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Your company is developing an e-commerce system. As a tester, you should evaluate whether the system meets the system security requirements. According to ISO 15288, which of the following tasks should you perform?
A. Certification
B. Accreditation
C. Verification
D. Validation
