Your company is developing an E-Commerce system. As a tester, you shall evaluate if the system meets system security requirements. Which of the following should you do in terms of ISO 15288?
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Verification.
- Verification and Validation (V&V) are engineering processes.
- Certification and Accreditation (C&A) are formal assurance processes as defined in FIPS 200.
- The concept of C&A is now called A&A (Assessment & Authorization) in NIST RMF.
- Every system should go through V&V, but not every organization requires C&A.
Verification and Validation
Verification and Validation are technical processes introduced in ISO 15288.
“The purpose of the Verification process is to provide objective evidence that a system or system element fulfils its specified requirements and characteristics.”
“The purpose of the Validation process is to provide objective evidence that the system, when in use, fulfills its business or mission objectives and stakeholder requirements, achieving its intended use in its intended operational environment.”
Source: ISO/IEC/IEEE 15288:2015
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
Your company is developing an e-commerce system. As a tester, you should evaluate whether the system meets the system security requirements. According to ISO 15288, which of the following tasks should you perform?