ISC2 Governance, Risk and Compliance (CGRC) Practice Question
While completing the System Security Plan (SSP) for a new enterprise billing platform, the security analyst reaches the section that asks for a description of the system's overall purpose and function from a business and operational perspective. Which of the following statements would BEST satisfy this requirement?
All critical vulnerabilities on the platform must be patched within 14 days in accordance with corporate policy.
The platform is hosted on Red Hat Enterprise Linux with an Oracle database and connects to the corporate LAN through VLAN 20.
Every external connection to the platform is protected by TLS 1.2 mutual authentication and monitored by network IDS sensors.
The platform processes customer billing records, generates monthly invoices, and provides real-time payment status to customer service representatives.
When the SSP calls for the system's purpose and function, the focus is on explaining how the information system supports the organization's mission or business operations. A concise summary that identifies the primary services provided (processing customer billing records, producing monthly invoices, and supplying real-time payment status to customer service staff) clearly links the system to core business processes. The other options concentrate on implementation details: underlying technologies (Red Hat, Oracle, VLANs), security maintenance schedules (patch timelines), or specific protective measures (TLS-secured interconnections). Although those details are important elsewhere in the SSP, none of those statements says why the system exists or what business capability it delivers, so they do not meet the objective of describing purpose and functionality.
ISC2 Governance, Risk and Compliance (CGRC)
Scope of the System